2026-04-13 (Monday): #XLoader (#Formbook) infection.
A #pcap of the traffic, the associated email and #malware samples are available at https://malware-traffic-analysis.net/2026/04/13/index.html
Website: https://www.malware-traffic-analysis.net/
2026-04-09 (Thursday): Finally got the #KongTuke CAPTCHA page and associated #ClickFix instructions today!
KongTuke CAPTCHA page traffic:
- hxxps[:]//windlrr[.]com/file.js
- hxxps[:]//windlrr[.]com/t
- hxxps[:]//windlrr[.]com/g
- hxxps[:]//windlrr[.]com/g
- hxxps[:]//windlrr[.]com/c?tk=a19806998b1234b63f73ef741e1b749d
URL from clipboard-injected script:
- hxxps[:]//oeannon[.]com/t2?tk=5f7edb3752dd5b85eda86711724abd44
Last URL I got on a VM (nothing returned):
- hxxps[:]//plein-soleil[.]top/o
2026-04-09 (Thursday): I found a site with an inject script for both the #KongTuke and #SmartApeSG campaigns. Only got #SmartApeSG.
Zip archive payload: c0d91df99b279ebfd952dadf0d1b94e436defa6bb59752cfad13777187f88553
Saw the same possible data exfiltration traffic to the same server at 89.110.110[.]119:443 that I saw from the previous payload from the SmartApeSG campaign I reported on Monday 2026-04-06.
2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page this time, but it's not the usual.
A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at https://malware-traffic-analysis.net/2026/04/06/index.html
2026-03-23 (Monday): #PhantomStealer version 3.5.0 sent as an email attachment.
.js file sample from the attachment: https://bazaar.abuse.ch/sample/8606c084446472d6e383d2ec2279858474fa807bcfc3380b7e5a939da23dd5a8/
PowerShell script retrieved by the above .js file: https://bazaar.abuse.ch/sample/a0d7249a0df608c9cee5924acc55ad7f39cff3df7cf0702be47469c094fc23dd/
#CVE_2017_11882 or some similar BS from an Excel file attached to a message sent to my blog email address. Final malware seems to be an AgentTesla/SnakeKeyLogger/VIP Recovery variant. Sample at:
https://bazaar.abuse.ch/sample/263b3f3c5e91c8fe858803ceae4b268af40536487828cf980e8d6e4d793648c0/
Calls for follow-up files at:
- hxxp[:]//91.92.242[.]3:7777/noesisllc.online/wealt1818/wealtt/nerdfwiqtwqhdgfrwt6fntdwrgonht.js
- hxxp[:]//91.92.242[.]3:7777/noesisllc.online/wealt1818/ENCRYPT.Ps1
Samples of these follow-up files at:
- https://bazaar.abuse.ch/sample/c47d92db7ed3cc5fdbb3296f3f4ab328cd8b66ac079f5bf658d4f2fa5f8a6af7/
- https://bazaar.abuse.ch/sample/dd737dea20792860147b53679f68e964778a2b47e98d7187ccd4ead0127aec76/
February 2026 #TrafficAnalysisExercise
You get a pcap, you find your kidnapped daughter--I mean, you find the infected Windows host!
Join the fun at https://www.malware-traffic-analysis.net/2026/02/28/index.html