
Posts by Brad

Error on the link in the original post. It's actually at malware-traffic-analysis.net/2026/04/13/i...

5 hours ago
Screenshot of an email distributing XLoader (Formbook)

Attachment for XLoader (Formbook) from the email showing the malicious script file contained in the archive.

PowerShell script file dropped and deleted during the XLoader (Formbook) infection.

Traffic from the XLoader (Formbook) infection filtered in Wireshark.

2026-04-13 (Monday): #XLoader ( #Formbook ) infection. A #pcap of the traffic, along with the associated email and malware samples, is available at malware-traffic-analysis.net/2026/index.h...

5 hours ago
SmartApeSG script injected into page from compromised website.

SmartApeSG fake CAPTCHA page with ClickFix instructions.

Malware delivered through SmartApeSG persistent on an infected Windows host.

2026-04-06 (Monday): #ClickFix activity from the #SmartApeSG campaign. Not sure what malware was sent through the fake CAPTCHA page this time, but it's not the usual.

Indicators, a #pcap of the traffic, malware samples and other info available at malware-traffic-analysis.net/2026/04/06/i...

1 week ago

ISC Diary: #SmartApeSG campaign pushes #Remcos #RAT, #NetSupportRAT, #StealC and #SectopRAT (#ArechC https://isc.sans.edu/diary/32826

2 weeks ago
Screenshot of the initial email with the malicious attachment.

Traffic from the infection filtered in Wireshark.

The Phantom Stealer infection.

2026-03-23: #PhantomStealer malware sent as an email attachment.

.js file sample from the attachment: bazaar.abuse.ch/sample/8606c...

PowerShell script retrieved by the above .js file: bazaar.abuse.ch/sample/a0d72...

3 weeks ago
Screenshot of the email

Traffic from an infection, filtered in Wireshark

Snake, who would do keylogging, if he wasn't illiterate.

#CVE_2017_11882 in this day and age? Saw this or some similar very old exploit from an Excel file attached to a message sent to my blog email address. Sample available at bazaar.abuse.ch/sample/263b3...

It's for a #Snake KeyLogger infection. Thanks to @jamesinthebox.bsky.social for identifying it!

3 weeks ago

ISC diary: #SmartApeSG campaign uses #ClickFix page to push #Remcos #RAT (#RemcosRAT) https://isc.sans.edu/diary/32796

1 month ago
"Where is she!??!!??" Wait a minute, that's Batman. This is Liam Neeson.

February 2026 #TrafficAnalysisExercise

You get a pcap, you find your kidnapped daughter--I mean, you find the infected Windows host!

Join the fun at www.malware-traffic-analysis.net/2026/02/28/i...

1 month ago
Screenshot of my blog post with the files and information from this infection.

Screenshot of the email with an attached RAR archive.

The malware, extracted from the attached RAR archive.

Traffic from the infection filtered in Wireshark.

2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration. A #pcap of the infection traffic, associated files, and a list of indicators are available at www.malware-traffic-analysis.net/2026/02/03/i...

2 months ago
Fake "Verify You Are Human" CAPTCHA page that can appear when viewing a page from a legitimate but compromised website.

Text from KongTuke's fake CAPTCHA page injected into the viewer's clipboard, and the CAPTCHA page contains instructions to run the text as a command in the Windows Run window.

Traffic from the KongTuke activity and resulting infection filtered in Wireshark.

Reposted with correct malware names:

2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver RAT

Today's ClickFix uses the "finger" command, a tactic seen in previous ClickFix activity.

Further details available at www.malware-traffic-analysis.net/2026/02/02/i...

2 months ago
Screenshot showing Google search results for a cracked version of ArcGIS where I specify site:drive.google.com. The results shown here all lead to PDF files hosted on Google Drive, and these PDF files contain links that lead to malware.

Here's an example of one of these PDF files hosted on Google Drive with a link that leads to malware.

Here's the page that pushes a password-protected 7-zip archive that contains an inflated EXE padded with null bytes. This EXE is for Lumma Stealer malware.

Lumma Stealer traffic generated by the extracted malware. This is filtered in Wireshark to focus on the Lumma Stealer C2 traffic.

2026-02-01 (Sunday): It's easy enough to find #LummaStealer malware samples.

Just do a Google search for cracked versions of popular software and specify site:drive.google.com.

Details on today's haul at github.com/malware-traf...

2 months ago

2026-01-31 (Friday): I've posted a new traffic analysis exercise. It's Lumma in the room-ah! Join the fun at www.malware-traffic-analysis.net/2026/01/31/i...

I mean, this guy looks like he's having fun.

2 months ago
Screenshot from an infected Windows host showing Remcos RAT and how it is persistent.

2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at www.malware-traffic-analysis.net/2026/01/06/i...

2 months ago

2026-01-19 (Monday): Catching up on two infections in my lab from last week, and I added an entry with a #pcap of scans and probes and web traffic hitting my web server. Feel free to check out my latest posts at www.malware-traffic-analysis.net/2026/index.h...

Or not. I'm not the boss of you.

2 months ago

ISC Diary: Infection repeatedly adds scheduled tasks & increases traffic to same C2 domain https://isc.sans.edu/diary/32628

3 months ago
Some of the scans, probes, and web traffic from the pcap filtered in Wireshark.

HTTP stream of the last HTTP request in the pcap showing a POST request that retrieves malicious content from a server at 91.92.241[.]10.

Using the wget command to retrieve one of the malicious files from the server at 91.92.241[.]10 on Sunday, 2026-01-11.

Example of a shell script downloaded from 91.92.241[.]10 on Sunday, 2026-01-11, likely for Mirai botnet malware.

2026-01-10 (Saturday): Ten days of scans, probes, and web traffic hitting my web server. A #pcap of the traffic is available at www.malware-traffic-analysis.net/2026/01/10/i...

3 months ago
Screenshot of the email, its attachment, and the VBS file within the attachment for VIP Recovery malware.

Traffic from the infection filtered in Wireshark.

TCP stream of the unencrypted SMTP traffic from one of the data exfiltration emails sent by my infected lab host.

Screenshot of the start of my blog post with information on this VIP Recovery infection.

2026-01-09 (Friday): #VIPRecovery infection from an email attachment. A #pcap of the infection traffic, associated files, and more information are available at www.malware-traffic-analysis.net/2026/01/09/i...

3 months ago
Fake CAPTCHA window and ClickFix script after visiting legitimate, but compromised website.

Traffic from the infection filtered in Wireshark (part 1 of 2).

Traffic from the infection filtered in Wireshark (part 2 of 2).

Screenshot from the start of the page for this blog post.

2026-01-08 (Thursday): Got a full infection from #KongTuke campaign #ClickFix activity today. Traffic from the infection in two #pcap files, the associated malware, artifacts, and further information are available at www.malware-traffic-analysis.net/2026/01/08/i...

3 months ago
One of the emails and its associated attachment for MassLogger malware.

Traffic from the infection filtered in Wireshark.

Example of a data exfiltration email sent from an infected host in my lab.

2026-01-07 (Wednesday): #MassLogger infection from email attachment. Copies of the emails, associated malware, indicators, and a #pcap of the infection traffic are available at www.malware-traffic-analysis.net/2026/01/07/i...

3 months ago
Example of a legitimate but compromised site showing the SmartApeSG fake CAPTCHA page.

HTTPS URLs from the infection run.

Traffic from an infection filtered in Wireshark.

Remcos RAT infection persistent on an infected Windows host.

2026-01-06 (Tuesday): #SmartApeSG CAPTCHA page uses #ClickFix technique to push #RemcosRAT, with #Remcos #RAT C2 server at 192.144.56[.]80. A #pcap of the traffic, the Remcos RAT #malware, and a list of indicators are available at www.malware-traffic-analysis.net/2026/01/06/i...

3 months ago
Injected KongTuke script in page from compromised website.

Fake CAPTCHA page from KongTuke domain, scrroeder[.]com.

KongTuke's "ClickFix" command injected into the viewer's clipboard.

Traffic from the activity filtered in Wireshark. I did not get the malware from this.

2026-01-05 (Monday): #KongTuke domain scrroeder[.]com generated #ClickFix script for 144.31.221[.]71, but I didn't get a malware infection when I tried it today.

3 months ago

ISC Diary: Cryptocurrency Scam Emails and Web Pages As We Enter 2026 https://isc.sans.edu/diary/32594

3 months ago
A screenshot of my blog post for the Lumma Stealer infection

Traffic from the Lumma Stealer infection filtered in Wireshark.

2026-01-01 (Thursday): #LummaStealer infection with follow-up malware. A #pcap of the infection traffic, the #Lumma #Stealer files, and a list of IOCs are available at www.malware-traffic-analysis.net/2026/01/01/i...

3 months ago
Screenshot of my blog post to share information on this Lumma Stealer infection with follow-up malware.

2025-12-30 (Tuesday): #LummaStealer infection with follow-up malware. A #pcap of the infection traffic, the associated #Lumma with follow-up #malware samples, and some IOCs are available at www.malware-traffic-analysis.net/2025/12/30/i...

3 months ago
Example of initial URL from sites.google[.]com.

Example of a fake CAPTCHA page with ClickFix-style instructions and the ClickFix script.

Traffic from the infection filtered in Wireshark.

NetSupport RAT persistent on an infected Windows host.

2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.

Details at www.malware-traffic-analysis.net/2025/12/29/i...

3 months ago

Lol, I originally meant to say "defang." Several hundred pages without any [.] in the IP addresses and domains or hxxp/hxxps in the URLs. Looking back on it, I marvel that Google didn't flag my site earlier.

3 months ago

Just realized this came out as "deindex" which should've been "fix years of" old web pages on my blog and fix the sitemap, which was cleared a few years back, so it was missing a good amount of pages.

3 months ago
Downloading the initial file, a DMG image.

Screenshot showing the malicious downloaded DMG image and the associated malicious Mach-O file within the installer.app content.

Traffic generated by the MacSync Stealer malware, filtered in Wireshark.

Example of the data exfiltrated through the MacSync Stealer C2 traffic.

2025-12-23 (Tuesday): Based on yesterday's Jamf article, I ran the fake installer for #MacSyncStealer in my lab on a macOS host. A #pcap of the #MacSync #Stealer traffic, the associated IOCs, the #malware sample, and a link to the Jamf article are at www.malware-traffic-analysis.net/2025/12/23/i...

3 months ago
Screenshot of the post with the pcaps, files, and other info from the Kongtuke ClickFix activity using the finger command on 2025-12-11.

I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/i...

I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.

3 months ago
Screenshot showing links for the three December 2025 blog posts I have so far.

I recently completed a long-term project to deindex old web pages on my blog, and I can now turn my attention back to sharing pcaps and malware samples.

I've posted 3 for December 2025, and I hope to get some more posted before the end of the year.

www.malware-traffic-analysis.net/2025/index.h...

3 months ago