2025-06-21 (Saturday): #KoiLoader / #KoiStealer infection.
A #pcap of the infection traffic, associated malware/files, and some of the indicators are available at https://www.malware-traffic-analysis.net/2025/06/21/index.html
2025-06-20 (Friday): From a post I wrote for my employer on other social media about distribution of #malware disguised as cracked software.
The malware is contained in password-protected 7-Zip archives to avoid detection.
A #pcap from running the malware, and the associated malware files are available at https://www.malware-traffic-analysis.net/2025/06/20/index.html
I don't know what this malware is, so if anyone knows, feel free to reply. I'm just here for the memes.
2025-06-18 (Wednesday): #SmartApeSG --> #ClickFix lure --> #NetSupportRAT --> #StealCv2
A #pcap of the traffic, the malware/artifacts, and some IOCs are available at https://www.malware-traffic-analysis.net/2025/06/18/index.html.
Today's the 12th anniversary of my first blog post on malware-traffic-analysis.net, so I made this post a bit more old school.
2025-06-13 (Friday): Traffic analysis exercise: It's a trap!
https://www.malware-traffic-analysis.net/2025/06/13/index.html
2025-06-10 (Tuesday): Ten days of scans and probes and web traffic to a web server I run (not my blog web server, but another one).
After helping a coworker review an Apache Tomcat vulnerability, I opened TCP port 8080 to accept web traffic requests.
A #pcap of the traffic is available at: https://www.malware-traffic-analysis.net/2025/06/10/index.html
Been on vacation for the first 9 days of June, and I've been doing a lot at work, so I haven't had a chance to update the blog in the last 3 to 4 weeks.
I'm back now, and I was able to post some stuff that had backed up in my queue for the blog.
New entries for May 22nd, May 27th, and May 31st at https://www.malware-traffic-analysis.net/2025/index.html
2025-05-22 (Thursday): After the recent #LummaStealer disruption, I found an active sample today, so how effective was the disruption, really?
SHA256 hash for the installer EXE for Lumma Stealer:
8619bea9571a4dcc4b7f4ba494d444b8078d06dea385dc0caa2378e215636a65
Analysis:
- https://tria.ge/250523-afpxxsfm5t
- https://app.any.run/tasks/add82eaa-bdb8-43b9-885b-c0a58cc2530c
To be fair, I investigated a campaign that was pushing Lumma Stealer earlier this week, and it had switched to #StealC v2 malware earlier today (2025-05-22).
So the disruption was at least somewhat effective based on what I'm seeing. I don't have eyes on the criminal underground, though, so I don't know what's happening with Lumma Stealer's customers.
2025-05-09 (Friday): #KoiLoader / #KoiStealer activity still happens. It's the same type of distribution chain and infection characteristics as always.
Example of downloaded zip archive available at:
- https://bazaar.abuse.ch/sample/3523653959c0083b7e106a71dd99acc03ccf09cb3452b9b65dcf17005917e389/
- https://tria.ge/250510-a2fw5sek3y
- https://app.any.run/tasks/3adefb51-8ab1-417e-9725-1848c0a071ee
Just finished restoring the last of the blog posts for 2017 on my malware-traffic-analysis.net site.
As a bit of background, Google had flagged my site as malicious, because I've been hosting malware samples, even though they're plainly marked as malware and presented in password-protected zip archives.
To keep from being blacklisted as an unsafe site, I had to take the majority of my blog entries off-line and switch to a new password scheme for the zip archives. I also found many of those old posts listed domains and URLs that I hadn't de-fanged.
That's what I've been fixing, and now the site has been fully restored for everything since 2017 on the regular blog posts.
In 2017, I made 379 posts for the entire year, not counting the traffic analysis exercises. I've fixed things about those blog posts that I now find annoying.
For example, the Hancitor entries were titled "Hancitor malspam, Subj: [subject of email]." I've always had the infection traffic and malware, but I always like to include the infection vector. Unfortunately, that makes a misleading title, and people might think those posts are -only- about the malspam.
So I re-titled those to "Hancitor infection with ZLoader" or "Hancitor infection with SendSafe spambot activity" or whatever it was based on the traffic.
I started 2017 focusing on exploit kit (EK) activity, mostly Rig EK. But by the end of 2017, the majority of my Windows-based infections came from email as the initial infection vector.
EK traffic had already been on a downward trend before 2017 due to people moving away from Internet Explorer and using other web browsers.
Overall, it's been quite the trip reviewing those blog entries from 8 years ago.
Up next? Guess I'll start digging into the 2016 blog posts to restore.
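The de-fanging work mentioned in the post above (domains and URLs in old entries that were still live links) is the kind of thing worth scripting. The following is an added example, not code from the blog or its author: a small Python helper that rewrites URL schemes, hostnames and IPv4 addresses into the common non-clickable forms (hxxp://, fxp://, example[.]com, 10[.]0[.]0[.]1), is safe to run twice over the same text, and can reverse the change for analysts who need the live indicator back. The sample lines and the bad-domain.example names are constructed for the demonstration and do not come from any blog post.

```python
import re

# Constructed sample log/text lines for the demonstration (not from any blog post).
SAMPLE_LINES = [
    "GET http://bad-domain.example/load.php from 192.168.10.5",
    "C2 check-in: https://c2.bad-domain.example:8443/gate",
    "Payload staged at ftp://files.bad-domain.example/drop.exe",
    "Seen bare: bad-domain.example and 10.0.0.7 in the log",
    "Already defanged: hxxp://bad-domain[.]example",
]

# Scheme rewrites used by the usual de-fanging convention (output is lowercase;
# schemes are case-insensitive anyway).
_SCHEMES = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}

# scheme://host[:port]... - the host runs up to '/', ':' or whitespace.
_URL = re.compile(r"\b(https?|ftp)://([^\s/:]+)", re.I)

# Dotted-quad IPv4 address, bounded so version strings like v1.2.3.4 are skipped.
_IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")

# Bare hostname outside a URL: label(.label)+ with an alphabetic last label.
# The lookbehind keeps it away from path components such as /load.php and
# from text that is already bracketed; the lookahead rejects partial matches.
_HOST = re.compile(r"(?<![\w./\[-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w\]])", re.I)


def _bracket_dots(token: str) -> str:
    """Turn every '.' in a host or IP into '[.]' so it will not auto-link."""
    return token.replace(".", "[.]")


def defang(text: str) -> str:
    """Rewrite URLs, bare hostnames and IPv4 addresses in text into defanged form.

    Order matters: URLs first (scheme + host), then IPs, then bare hostnames.
    Each pass produces text the later passes no longer match, so running
    defang() on already-defanged text leaves it unchanged.
    """
    text = _URL.sub(
        lambda m: f"{_SCHEMES[m.group(1).lower()]}://{_bracket_dots(m.group(2))}",
        text,
    )
    text = _IPV4.sub(lambda m: "[.]".join(m.groups()), text)
    text = _HOST.sub(lambda m: _bracket_dots(m.group(1)), text)
    return text


def refang(text: str) -> str:
    """Reverse defang(): restore '.' and the http/https/ftp schemes."""
    text = text.replace("[.]", ".")
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.I)
    text = re.sub(r"\bfxp://", "ftp://", text, flags=re.I)
    return text


def defang_lines(lines):
    """Convenience wrapper for a list of lines, e.g. one blog entry's IOC list."""
    return [defang(line) for line in lines]


if __name__ == "__main__":
    for original, safe in zip(SAMPLE_LINES, defang_lines(SAMPLE_LINES)):
        print(f"{original}\n  -> {safe}")
```

The hostname pass is a heuristic: it looks for dotted labels ending in an alphabetic label and deliberately skips anything that sits after a "/" so file names in paths are left alone. For a page that mixes prose with indicators, review the output rather than trusting it blindly; abbreviations like "e.g." are not touched, but an unusual bare domain with a numeric last label would be missed.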