Brad
@malware-traffic-analysis.net
840 followers 95 following 140 posts
Sharing information on malicious network traffic and malware samples at https://www.malware-traffic-analysis.net/
malware-traffic-analysis.net
2025-10-08 (Wednesday): #Kongtuke campaign fake CAPTCHA page with #ClickFix instructions. Got a full infection chain, this time. A 205MB zip download makes the #pcap take a while to load in Wireshark. Some IOCs and associated malware/artifacts at www.malware-traffic-analysis.net/2025/10/08/i...
Traffic from the infection filtered in Wireshark. Page from a compromised site with injected Kongtuke script. Fake CAPTCHA page, courtesy of the Kongtuke campaign. Following instructions from the Kongtuke campaign's fake CAPTCHA page.
malware-traffic-analysis.net
2025-10-06 (Monday): A collection of 200+ phishing emails in Japanese that were sent to my blog email addresses. Available at www.malware-traffic-analysis.net/2025/10/06/i...
Screenshot of the blog post.
malware-traffic-analysis.net
2025-10-02 (Thursday): #pcap and some images from an Android malware infection at www.malware-traffic-analysis.net/2025/10/02/i...
Screenshot of icon for the malicious app on a cell phone. Screenshot of the login screen for the malicious app on a cell phone. It's asking me to place a credit card on the phone. Traffic from an infection filtered in Wireshark.
malware-traffic-analysis.net
2025-10-01 (Wed): I've posted #malware samples and a #pcap of the post-infection traffic from an infection by possible #Rhadamanthys malware at www.malware-traffic-analysis.net/2025/10/01/i...

This is from a file disguised as a cracked version of software, and I usually see #LummaStealer from this.
Screenshot of the page from my website with the post for this information. Example of path to download the initial 7-zip archive for the malware. Page with the download for the initial 7-zip archive. Traffic from the possible Rhadamanthys malware, filtered in Wireshark.
malware-traffic-analysis.net
I can't spell #Rhadamanthys
malware-traffic-analysis.net
Time to update this movie for Halloween.
malware-traffic-analysis.net
2025-09-29 (Monday): Follow-up to my post last week. I've been seeing one or two of these emails almost every day. Details on the latest example at github.com/malware-traf...
Screenshot of the email. Screenshot of webpage for the malware download. Downloaded installer EXE showing digital signature and metadata. Scheduled task to keep the infection persistent.
malware-traffic-analysis.net
2025-09-25 (Thursday): Received an email distributing a malicious installer for an #RMM tool. Details at github.com/malware-traf...
Screenshot of the email. Screenshot of webpage for the malware download. Downloaded malware EXE showing digital signature and metadata. Scheduled task to keep the infection persistent.
malware-traffic-analysis.net
2025-09-24 (Wednesday): #LummaStealer infection with follow-up malware, possibly #Ghostsocks or #GoBackdoor. A #pcap of the infection traffic, malware samples, and list of indicators available at www.malware-traffic-analysis.net/2025/09/24/i...
Screenshot of the page from my blog with the traffic, malware files, and indicators of compromise for this Lumma Stealer infection. Downloading the initial zip archive for this malware. Extracting the malware EXE from the nested archive files. Traffic from an infection filtered in Wireshark.
malware-traffic-analysis.net
2025-09-22 (Monday): #SmartApeSG campaign using #FileFix style #ClickFix technique on its fake CAPTCHA page for #NetSupportRAT. Script sent to victim through #clipboardhijacking downloads MSI from founderevo[.]com/res/velvet when pasted into a File Manager window (www.virustotal.com/gui/file/958...)
malware-traffic-analysis.net
2025-09-03 (Wednesday): #Kongtuke fake CAPTCHA page leads to #ClickFix style script for #LummaStealer

A #pcap of the infection traffic, the associated malware, and IOCs are at www.malware-traffic-analysis.net/2025/09/03/i...
Kongtuke style injected script in page from compromised website. Fake CAPTCHA page that performs clipboard hijacking (pastejacking) showing the ClickFix style instructions and malicious script a victim would paste into a Run window or command line terminal. Location of the downloaded zip archive for Lumma Stealer, and the content of that zip archive in the user's AppData\Roaming directory. Traffic from an infection filtered in Wireshark.
malware-traffic-analysis.net
2025-08-20 (Wed): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2. Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/i...
Fake CAPTCHA page generated by SmartApeSG script injected into compromised website. ClickFix instructions from the fake CAPTCHA page. Traffic from the infection filtered in Wireshark. Script and traffic to download and run MSI file to install NetSupport RAT.
malware-traffic-analysis.net
2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages. I never got any further than the HTTP POST request that sends information about the infected system host. Details at: github.com/malware-traf...
Page from compromised site displaying fake CAPTCHA page. Traffic/URLs from the Kongtuke activity. Example of HTTP POST request sending a victim's host information. In this example of HTTP POST request sending a victim's host information, I never got more than a 200 OK response and no further content.
malware-traffic-analysis.net
2025-08-15 (Friday): Information from a social media post I wrote for my employer about a #LummaStealer infection leading to #SectopRAT (#ArechClient2). A #pcap of the infection traffic, along with the associated #malware and artifacts, are available at www.malware-traffic-analysis.net/2025/08/15/i...
An image displaying the URL chain followed to get the initial zip archive downloaded for this infection. An image displaying the extraction chain to get the malicious setup files that installed Lumma Stealer. Traffic from the infection filtered in Wireshark. SectopRAT persistent on an infected Windows host.
malware-traffic-analysis.net
2025-08-13 (Wednesday): #LummaStealer infection. The associated #malware, artifacts, a #pcap of the #Lumma Stealer traffic, and indicators of compromise are available at www.malware-traffic-analysis.net/2025/08/13/i...
Screenshot of a Facebook post that linked to a page providing the password-protected 7-zip archive for Lumma Stealer. The archive is named "NCH Debut Video Capture Software Pro 11.2 Beta Crack full version.7z" in an attempt to disguise it as a software crack. Extracting a malicious Windows executable file that will install Lumma Stealer from the password-protected 7-zip archive. The extracted file is named "NCH Debut Video Capture Software Pro 11.2 Beta Crack full version.exe" in an attempt to disguise it as a software crack. Traffic from the Lumma Stealer infection after running "NCH Debut Video Capture Software Pro 11.2 Beta Crack full version.exe" on a vulnerable Windows host. Note the unusual DNS query for iUlWkftUnbTjqPSDLGsNPpSG.iUlWkftUnbTjqPSDLGsNPpSG that happened before the HTTPS Lumma Stealer C2 traffic to secrequ[.]top. Files seen from the Lumma Stealer infection in the user's AppData\Local\Temp directory. The .a3x file for Lumma Stealer wasn't on the disk when I conducted forensic analysis on the infected host. Note that the file names and file extension (.midi) will be different if I try the same type of infection run again tomorrow.
malware-traffic-analysis.net
2025-08-11 (Monday): Quick post of an #XLoader ( #Formbook ) infection, with a #pcap, email, and #malware sample available at www.malware-traffic-analysis.net/2025/08/11/i...
malware-traffic-analysis.net
2025-08-01 (Friday): Some info on a #LummaStealer example I found today:

github.com/malware-traf...

#Lumma
malware-traffic-analysis.net
2025-07-23 (Wednesday): Ten days of scans and probes and web traffic hitting my web server. A #pcap of the traffic is available at www.malware-traffic-analysis.net/2025/07/23/i...
Screenshot of the page from my web site to download a password-protected zip archive containing the pcap.
malware-traffic-analysis.net
2025-07-22 (Tuesday): Tracking the #SmartApeSG campaign using #ClickFix to push #NetSupportRAT. Details at: github.com/malware-traf...
malware-traffic-analysis.net
I'm surprised that "your RaaS" jokes haven't really been a thing yet.
malware-traffic-analysis.net
Verbally, that is...
malware-traffic-analysis.net
With all the recent law enforcement actions in recent years, are Ransomware-as-a-Service operators telling everyone to "protect your RaaS"??
malware-traffic-analysis.net
2025-07-17 (Thursday): Tracking the #SmartApeSG campaign for #ClickFix pages pushing #NetSupportRAT. Details at github.com/malware-traf...
malware-traffic-analysis.net
2025-07-15 (Tuesday): #LummaStealer infection with #SecTopRAT. A #pcap of the #Lumma traffic and #SecTop #RAT activity, the #malware / artifacts from an infection, and the associated IOCs are available at www.malware-traffic-analysis.net/2025/07/15/i...
Traffic from an infection filtered in Wireshark.
malware-traffic-analysis.net
2025-07-15 (Tuesday): Some different IOCs from the #SmartApeSG #ClickFix page today.

warpdrive[.]top <-- domain used for SmartApeSG injected script and to display ClickFix page.

sos-atlanta[.]com <-- domain from script injected into clipboard and to retrieve #NetSupportRAT malware package