#CapLoader
LightNews LightNews
netresec.infosec.exchange.ap.brid.gy
@Ichinin It's probably time to record some malware hunting videos with CapLoader.
June 3, 2025 at 7:42 AM
netresec.infosec.exchange.ap.brid.gy
Video: Detecting #purelogs traffic with #CapLoader
https://netresec.com/?b=256a8c4
@netresec
netresec.com
June 9, 2025 at 2:32 PM
netresec.infosec.exchange.ap.brid.gy
CapLoader 2.0 released today!
🔎 Identifies over 250 protocols in #pcap
🎨 Define protocols from example traffic
🇶 Extracts JA3, JA4 and SNI from QUIC
💻 10x faster user interface
https://netresec.com/?b=256dbbc
@netresec
netresec.com
June 2, 2025 at 3:56 PM
netresec.infosec.exchange.ap.brid.gy
The use of TLS is pretty much mandatory for HTTP/2, yet this #nezha backoor POSTS HTTP/2 data over TCP port 80 without encryption!
🔥 172.245.52[.]169:80
🔥 c.mid[.]al:80
https://tria.ge/251009-j26bgacj7s
https://app.any.run/tasks/952bf595-caf6-4445-b302-513295214e76
CapLoader transcript of unencrypted HTTP/2 traffic from Nehza PRI * HTTP/2.0 SM ......... ....................?.....@............ ...................... ...........?......??E?b?.?????.????+.KY?N?HIi?T?.A?"??E?E??_?.u?b &=LMedz??????`+?%?@.te?M?5.?.@?????MIOj.?h.????@?%.-I??M'?????Z?f??V?D?f?+?8?o?0.WH?@?%.-I?.%?O??n7???p???J?W7<2?.?4?????? ..?..........? .Microsoft Windows 10 Pro..22H2.1AMD Ryzen 5 3500 6-Core Processor 6 Physical Core ????.(?????.0????.:.x86_64H????.R.1.13.0Z.Microsoft Basic Display Adapter
October 9, 2025 at 8:48 AM
netresec.com
Downloaded a fresh pcap from any.​run to verify that #CapLoader identifies this traffic as ​Socks5Systemz backconnect ✅
app.any.run/tasks/c1b2dc...
CapLoader alerts on Socks5Systemz backconnect traffic: Malicious protocol Socks5Systemz backconnect 31.214.157.206 2024
December 5, 2024 at 3:35 PM
netresec.com
Video: Detecting #PureLogs C2 traffic with #CapLoader
netresec.com?b=256a8c4
Detecting PureLogs traffic with CapLoader
CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In th...
netresec.com
June 9, 2025 at 2:33 PM
netresec.infosec.exchange.ap.brid.gy
C2 servers of newly discovered Aurotun Stealer:
👾 45.227.252.199:7712
👾 46.4.119.125:7712
👾 62.60.226.101:40101
👾 62.60.226.101:40105
👾 62.60.226.114:40101
👾 146.190.108.105:7712
👾 155.138.150.12:7712
👾 198.251.84.107:7712
#aurotunstealer #threatintel
Aurotun Stealer C2 traffic loaded into CapLoader. CapLoader currently classifies the traffic as "LimeRAT" because it doesn't yet have a protocol model for Aurotun Stealer. This misclassification implies that those two C2 protocols share similar traits.
April 16, 2025 at 7:36 AM
netresec.infosec.exchange.ap.brid.gy
CapLoader 2.0.1 Released
⚠️ IP lookup alert
🔎 Better protocol identification
🐛 Bug fixes
https://netresec.com/?b=2571527
@netresec
netresec.com
July 1, 2025 at 1:58 PM
netresec.com
CapLoader 2.0.1 Released
⚠️ IP lookup alert
🔎 Better protocol identification
🐛 Bug fixes
netresec.com?b=2571527
CapLoader 2.0.1 Released
This update resolves several minor bugs, but also brings better protocol identification and a new IP lookup alert to CapLoader. Alert for IP lookup using ip-api.com in PCAP from tria.ge Transcript of ...
netresec.com
July 1, 2025 at 1:58 PM
netresec.com
CapLoader 2.0 released today!
🔎 Identifies over 250 protocols in #PCAP
🎨 Define protocols from example traffic
🇶 Extracts JA3, JA4 and SNI from QUIC
💻 10x faster user interface
netresec.com?b=256dbbc
CapLoader 2.0 Released
I am thrilled to announce the release of CapLoader 2.0 today! This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allow users to defin...
netresec.com
June 2, 2025 at 3:56 PM