2025-06-13 (Friday): Traffic analysis exercise: It's a trap!

https://www.malware-traffic-analysis.net/2025/06/13/index.html

@malware_traffic There's some unknown but interesting C2 traffic going on to net 104.16.0.0/13 (on CloudFlare). An HTTP POST is sent every 30 seconds (see Gantt chart) with gz compressed data.

The C2 servers use domain names like:
🔥 event-time-microsoft[.]org
🔥 windows-msgas[.]com
🔥 event-datamicrosoft[.]live
🔥 eventdata-microsoft[.]live

They also use this trycloudflare.com domain:
🔥 varying-rentals-calgary-predict.trycloudflare[.]com

Does anyone know what malware this is?
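The traffic pattern described above (a gzip-compressed HTTP POST every 30 seconds to one of the listed hosts) is a classic beaconing signature that can be hunted for in proxy logs. The script below is an added example and is not part of the original thread or of the exercise files; it parses a constructed proxy-log layout (timestamp, source IP, method, host, content-encoding) rather than any real product's format, flags flows whose gzip POST inter-arrival times cluster around 30 seconds, and separately matches hosts against the defanged indicators quoted in the post. The `period`, `tolerance` and `min_hits` thresholds are assumptions for illustration.

```python
"""
Beacon detector for the C2 pattern described in the thread: HTTP POSTs at a
fixed ~30 s cadence with gzip-compressed bodies to Cloudflare-fronted hosts.
Added example, not part of the original thread. The log layout below is
constructed for this example and is not any real proxy's format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Indicators quoted in the thread (kept defanged as posted).
INDICATORS_DEFANGED = [
    "event-time-microsoft[.]org",
    "windows-msgas[.]com",
    "event-datamicrosoft[.]live",
    "eventdata-microsoft[.]live",
    "varying-rentals-calgary-predict.trycloudflare[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


INDICATORS = {refang(d) for d in INDICATORS_DEFANGED}

# Constructed sample log: "<ISO timestamp> <src_ip> <method> <host> <content-encoding>"
SAMPLE_LOG = """\
2025-06-13T14:00:00Z 10.6.13.101 POST event-time-microsoft.org gzip
2025-06-13T14:00:05Z 10.6.13.101 GET www.example.com -
2025-06-13T14:00:30Z 10.6.13.101 POST event-time-microsoft.org gzip
2025-06-13T14:01:00Z 10.6.13.101 POST event-time-microsoft.org gzip
2025-06-13T14:01:30Z 10.6.13.101 POST event-time-microsoft.org gzip
2025-06-13T14:02:01Z 10.6.13.101 POST event-time-microsoft.org gzip
2025-06-13T14:00:10Z 10.6.13.102 POST api.example.net gzip
2025-06-13T14:07:44Z 10.6.13.102 POST api.example.net gzip
2025-06-13T14:09:02Z 10.6.13.102 POST api.example.net gzip
2025-06-13T14:15:30Z 10.6.13.102 POST api.example.net gzip
2025-06-13T14:00:11Z 10.6.13.103 GET varying-rentals-calgary-predict.trycloudflare.com -
"""


def parse_log(text: str):
    """Parse the constructed log layout into a list of dict rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, enc = line.split()
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "method": method,
            "host": host.lower(),
            "gzip": enc == "gzip",
        })
    return rows


def find_beacons(rows, period=30.0, tolerance=0.15, min_hits=4):
    """
    Return {(src, host): median_interval_seconds} for flows that look like the
    thread's C2: gzip POSTs whose inter-arrival times cluster around `period`.
    `tolerance` bounds both the deviation from `period` and the relative
    jitter (stdev / median); thresholds are illustrative assumptions.
    """
    by_flow = defaultdict(list)
    for r in rows:
        if r["method"] == "POST" and r["gzip"]:
            by_flow[(r["src"], r["host"])].append(r["ts"])
    beacons = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        jitter = pstdev(gaps) / med if med else float("inf")
        if abs(med - period) <= period * tolerance and jitter <= tolerance:
            beacons[flow] = med
    return beacons


def match_indicators(rows):
    """Map source IP -> set of hosts that match the thread's indicator list."""
    hits = defaultdict(set)
    for r in rows:
        if r["host"] in INDICATORS:
            hits[r["src"]].add(r["host"])
    return dict(hits)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for (src, host), med in find_beacons(rows).items():
        print(f"beacon: {src} -> {host} every ~{med:.0f}s")
    for src, hosts in match_indicators(rows).items():
        print(f"indicator match: {src} -> {', '.join(sorted(hosts))}")
```

The cadence check is the part that generalises: the indicator match only catches the hosts already named in the post, while the 30-second gzip POST rhythm would surface a new host on the same Cloudflare range before anyone has an indicator for it. The jitter bound keeps ordinary bursty API clients (the `api.example.net` flow in the sample) from being flagged.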

@netresec Trying to sneak a bite in between meetings, but merry giftmas. Here's domain and DNS data on the four initial domains in case ya need it:

https://drive.proton.me/urls/1GB774P93R#OJLIttebaHqD
