Sharing information on malicious network traffic and malware samples.
Website: https://www.malware-traffic-analysis.net/

2026-04-13 (Monday): #XLoader (#Formbook) infection.

A #pcap of the traffic, the associated email and #malware samples are available at https://malware-traffic-analysis.net/2026/04/13/index.html

2026-04-09 (Thursday): Finally got the #KongTuke CAPTCHA page and associated #ClickFix instructions today!

KongTuke CAPTCHA page traffic:

- hxxps[:]//windlrr[.]com/file.js
- hxxps[:]//windlrr[.]com/t
- hxxps[:]//windlrr[.]com/g
- hxxps[:]//windlrr[.]com/g
- hxxps[:]//windlrr[.]com/c?tk=a19806998b1234b63f73ef741e1b749d

URL from clipboard-injected script:

- hxxps[:]//oeannon[.]com/t2?tk=5f7edb3752dd5b85eda86711724abd44

Last URL I got on a VM (nothing returned):

- hxxps[:]//plein-soleil[.]top/o

2026-04-09 (Thursday): I found a site with inject script for both the #KongTuke and #SmartApeSG campaigns. Only got #SmartApeSG

Zip archive payload: c0d91df99b279ebfd952dadf0d1b94e436defa6bb59752cfad13777187f88553

Saw the same possible data exfiltration traffic to the same server at 89.110.110[.]119:443 that I saw from the previous payload from the SmartApeSG campaign I reported on Monday 2026-04-06.

2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page this time, but it's not the usual.

A list of indicators, a #pcap of the traffic, malware samples and other files/info are available at https://malware-traffic-analysis.net/2026/04/06/index.html

2026-04-06 (Monday): Every once in a while, I feel the need for validation. But not this way.

2026-03-23 (Monday): #PhantomStealer version 3.5.0 sent as an email attachment.

.js file sample from the attachment: https://bazaar.abuse.ch/sample/8606c084446472d6e383d2ec2279858474fa807bcfc3380b7e5a939da23dd5a8/

PowerShell script retrieved by the above .js file: https://bazaar.abuse.ch/sample/a0d7249a0df608c9cee5924acc55ad7f39cff3df7cf0702be47469c094fc23dd/

#CVE_2017_11882 or some similar BS from an Excel file attached to a message sent to my blog email address. Final malware seems to be an AgentTesla/SnakeKeyLogger/VIP Recovery variant. Sample at:

https://bazaar.abuse.ch/sample/263b3f3c5e91c8fe858803ceae4b268af40536487828cf980e8d6e4d793648c0/

Calls for follow-up files at:

- hxxp[:]//91.92.242[.]3:7777/noesisllc.online/wealt1818/wealtt/nerdfwiqtwqhdgfrwt6fntdwrgonht.js

- hxxp[:]//91.92.242[.]3:7777/noesisllc.online/wealt1818/ENCRYPT.Ps1

Samples of these follow-up files at:

- https://bazaar.abuse.ch/sample/c47d92db7ed3cc5fdbb3296f3f4ab328cd8b66ac079f5bf658d4f2fa5f8a6af7/

- https://bazaar.abuse.ch/sample/dd737dea20792860147b53679f68e964778a2b47e98d7187ccd4ead0127aec76/

February 2026 #TrafficAnalysisExercise

You get a pcap, you find your kidnapped daughter--I mean, you find the infected Windows host!

Join the fun at https://www.malware-traffic-analysis.net/2026/02/28/index.html

2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration.

A #pcap of the infection traffic, associated files, and a list of indicators are available at https://www.malware-traffic-analysis.net/2026/02/03/index.html

Two online sandboxes tag this sample as AgentTesla, but I'm not sure what the actual name of this malware is.

- https://tria.ge/260203-tvhlyahx7c
- https://app.any.run/tasks/0840196f-2b8f-415c-8ca7-af0c8f394b0d

NOTE: This has been updated to correct the malware names. Thanks, @netresec!

2026-02-02 (Monday): #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html