2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at https://www.malware-traffic-analysis.net/2026/01/06/index.html

I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at https://www.malware-traffic-analysis.net/2026/index.html

Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.

2026-01-09 (Friday): #VIPRecovery infection from an email attachment that contains a VBS file.

The infection process involves retrieving an image from Firebase storage. The image contains embedded base64 text that translates to a Windows EXE file.

There's another HTTPS URL that returns reversed base64 text, which translates to another EXE file that appears to be corrupt.

Those EXE files don't do anything interesting individually, and I wasn't able to figure out how everything pulls together for the VIP Recovery infection, but it does somehow.

A #pcap of the infection traffic, associated files, and more information are available at https://www.malware-traffic-analysis.net/2026/01/09/index.html