Brad

@malware_traffic@infosec.exchange
3.4K Followers
45 Following
64 Posts
Sharing information on malicious network traffic and malware samples.
Website: https://www.malware-traffic-analysis.net/

2025-06-27 (Friday): #SmartApeSG infection chain leading to #ClickFix lure leading to #NetSupportRAT

URL sequence leading to ClickFix:

- palcomp3[.]top/sss/buf.js
- palcomp3[.]top/sss/index.php?GQX1KqUM
- palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfa

URL sequence after running ClickFix script:

- camplively[.]com/all.php
- camplively[.]com/smks.zip?lap=3928

SHA256 hash for smks.zip archive containing NetSupport RAT package:

3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5

NetSupportRAT C2: 185.163.45[.]30:443

cc: @monitorsg

2025-06-26 (Thursday): #LummaStealer infection leads to follow-up loader that retrieves a pen test tool hosted on Github and configures it as #malware.

A #pcap of the infection traffic, the associated malware, and IOCs are available at: https://www.malware-traffic-analysis.net/2025/06/26/index.html

#Lumma

2025-06-21 (Saturday): #KoiLoader / #KoiStealer infection.

A #pcap of the infection traffic, associated malware/files, and some of the indicators are available at https://www.malware-traffic-analysis.net/2025/06/21/index.html

2025-06-20 (Friday): From a post I wrote for my employer on other social media about distribution of #malware disguised as cracked software.

The malware is contained in password-protected 7-Zip archives to avoid detection.

A #pcap from running the malware, and the associated malware files are available at https://www.malware-traffic-analysis.net/2025/06/20/index.html

I don't know what this malware is, so if anyone knows, feel free to reply. I'm just here for the memes.

2025-06-18 (Wednesday): #SmartApeSG --> #ClickFix lure --> #NetSupportRAT --> #StealCv2

A #pcap of the traffic, the malware/artifacts, and some IOCs are available at https://www.malware-traffic-analysis.net/2025/06/18/index.html.

Today's the 12th anniversary of my first blog post on malware-traffic-analysis.net, so I made this post a bit more old school.

2025-06-13 (Friday): Traffic analysis exercise: It's a trap!

https://www.malware-traffic-analysis.net/2025/06/13/index.html

2025-06-10 (Tuesday): Ten days of scans and probes and web traffic to a web server I run (not my blog web server, but another one).

After helping a coworker review an Apache Tomcat vulnerability, I opened TCP port 8080 to accept web traffic requests.

A #pcap of the traffic is available at: https://www.malware-traffic-analysis.net/2025/06/10/index.html

Been on vacation for the first 9 days of June, and I've been doing a lot at work, so I haven't had a chance to update the blog in the last 3 to 4 weeks.

I'm back now, and I was able to post some stuff that had backed up in my queue for the blog.

New entries for May 22nd, May 27th, and May 31st at https://www.malware-traffic-analysis.net/2025/index.html

2025-05-22 (Thursday): After the recent #LummaStealer disruption, I found an active sample today, so how effective was the disruption, really?

SHA256 hash for the installer EXE for Lumma Stealer:

8619bea9571a4dcc4b7f4ba494d444b8078d06dea385dc0caa2378e215636a65

Analysis:

- https://tria.ge/250523-afpxxsfm5t
- https://app.any.run/tasks/add82eaa-bdb8-43b9-885b-c0a58cc2530c

To be fair, I investigated a campaign that was pushing Lumma Stealer earlier this week, and it had switched to #StealC v2 malware earlier today (2025-05-22):

- https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-05-22-campaign-switches-from-Lumma-to-StealC-v2.txt

So the disruption was at least somewhat effective based on what I'm seeing. I don't have eyes on the criminal underground, though, so I don't know what's happening with Lumma Stealer's customers.

2025-05-06 (Tuesday): #RaspberryRobin activity - file hashes, malware samples, #WebDAV server info, and a #pcap of the infection traffic available at https://www.malware-traffic-analysis.net/2025/05/06/index.html

@malware_traffic I spotted a ClickFix campaign that stopped deploying anything after the Lumma takedown. A heck of a lot better than their usual PureCrypter+Lumma payload. I'm guessing they'll find a new stealer to deploy, but it was fun watching some compromised WordPress sites suddenly behaving perfectly normally for a change.