home.social

#viprecovery — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #viprecovery, aggregated by home.social.

  1. 2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at malware-traffic-analysis.net/2

    I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at malware-traffic-analysis.net/2

    Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.

  2. 2026-01-09 (Friday): #VIPRecovery infection from an email attachment that contains a VBS file.

    The infection process involves retrieving an image from Firebase storage. The image contains embedded base64 text that translates to a Windows EXE file.

    There's another HTTPS URL that returns reversed base64 text, which translates to another EXE file that appears to be corrupt.

    Those EXE files don't do anything interesting individually, and I wasn't able to figure out how everything pulls together for the VIP Recovery infection, but it does somehow.

    A #pcap of the infection traffic, associated files, and more information are available at malware-traffic-analysis.net/2
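Both the 2026-01-22 post (steganography through base64 text embedded in an image) and the 2026-01-09 post above (an image holding base64 that decodes to a Windows EXE, plus a second URL returning reversed base64) describe the same triage problem for a defender: an image or web response that is really a carrier for an executable. The following is an added example, not code from the posts or from malware-traffic-analysis.net, of a small scanner that pulls long base64 runs out of an arbitrary byte blob, tries them both as-is and reversed, and flags any that decode to something with a PE header. The sample "image" and the inert PE-shaped bytes it carries are constructed here for the demonstration; none of it is real malware.

```python
import base64
import re
from typing import Dict, List, Optional

# Runs of base64-alphabet characters (padding included) long enough to be
# interesting; short runs are usually legitimate metadata or coincidences.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{64,}")


def try_decode(run: bytes) -> Optional[bytes]:
    """Strictly decode a candidate run; None if it is not valid base64."""
    try:
        return base64.b64decode(run, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_pe(data: bytes) -> bool:
    """Cheap check: DOS 'MZ' stub plus the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_for_embedded_pe(blob: bytes) -> List[Dict]:
    """Return one finding per base64 run that decodes (straight or reversed)
    to PE-shaped bytes: offset of the run, whether it had to be reversed,
    and the decoded length."""
    findings = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        # The 2026-01-09 post mentions reversed base64, so try both orders.
        for reversed_flag, candidate in ((False, run), (True, run[::-1])):
            data = try_decode(candidate)
            if data is not None and looks_like_pe(data):
                findings.append({
                    "offset": m.start(),
                    "reversed": reversed_flag,
                    "decoded_len": len(data),
                })
                break
    return findings


def fake_pe(tag: bytes) -> bytes:
    """Constructed, inert bytes shaped like a PE header: NOT an executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)        # 64-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + tag + b"\x00" * 32


# Constructed sample carrier: a PNG signature, filler, one straight base64
# blob and one reversed base64 blob, mimicking the posts' description.
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    + base64.b64encode(fake_pe(b"first"))          # straight base64
    + b"\x00" * 8 + b"IEND" + b"\x00" * 8
    + base64.b64encode(fake_pe(b"second"))[::-1]   # reversed base64
    + b"\x00" * 4
)


if __name__ == "__main__":
    for hit in scan_for_embedded_pe(SAMPLE_IMAGE):
        print(hit)
```

Run it against a suspicious image or the body of an HTTPS response saved from a pcap; a hit means the file is worth a closer look regardless of what its extension or Content-Type claims. The PE check is deliberately cheap (MZ stub and PE signature only), so it will also flag a corrupt EXE such as the one the post describes, which is the right behaviour for triage.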
