NETRESEC Network Security Blog - Tag : CapLoader

rss Google News

Ping32 RMM and ValleyRAT

malware infected laptop

Fareed Radzi recently blogged about a malware campaign observed earlier in June by Kaspersky’s GReAT team. The malware campaign embedded malicious code in VBScripts, which were distributed through WhatsApp DMs. The VBScript then dropped the legitimate Remote Monitoring and Management (RMM) tool ManageEngine Endpoint Central.

Fareed included the IOCs for the following Endpoint Central server IP addresses:

  • 202.61.160.208
  • 202.61.160.202
  • 202.61.160.201
  • 202.61.160.160
  • 202.61.160.137
  • 38.55.151.63

He also noted a link to ValleyRAT:

Notably, 202.61.160[.]201 had previously been observed as command-and-control infrastructure associated with ValleyRAT and Gh0st RAT activity. Although the overlap raises the possibility of the VBS campaign being linked to the operator of these known malware families, the available evidence is insufficient to confidently attribute the campaign to a known threat actor.

Attribution is difficult, so it makes sense not to call out any specific threat actor just because of a single overlapping IP address. Nevertheless, the threat actor that typically comes to mind when talking about ValleyRAT is Silver Fox (银狐).

Retrohunting in Sandboxes

I searched various online sandboxes for the IP addresses and MD5 hashes that were published in Fareed's blog post. To my delight I found plenty of samples on ANY.RUN as well as Triage. But what was even more interesting was the sandbox executions on Triage for the sample with MD5 hash d43fdaa1f0ee09d7e5f0f94ee9df7b6c. One of the known filenames for this sample was "Bitte füllen Sie das Formular für Umsatzsteuer-Nullsatz-Verkäufe aus..vbs".

Sample executions on Recorded Future Triage Sandbox:

I can’t determine how this sample was originally connected to the ManageEngine Endpoint Central campaign, but it shared several traits with what was described in Fareed’s Securelist write-up. However, this particular VBScript didn’t install the ManageEngine RMM. Instead it reached out to f004.backblazeb2[.]com and downloaded a dropper.

Traffic to f004.backblazeb2[.]com on Triage Sandbox

The dropper then deployed NSecRTS.exe, which turned out to be another RMM tool called “Ping32” from the Chinese company Shandong Anzai Information Technology, aka NSecsoft. This RMM tool has a history of being abused as a Remote Access Trojan (RAT) by hackers.

The Ping32 RMM used HTTP over multiple TCP ports on 143.92.37.168, and it also communicated via UDP port 18987 on the same server.

CapLoader transcript of Ping32 RMM UDP traffic
Image: UDP traffic to 143.92.37.168:18987

Pivot to ValleyRAT

I pivoted on the C2 IP 143.92.37.168, which was used by the malicious Ping32 RMM, and got a hit on Triage Sandbox. Triage classified this sample as DonutLoader and ValleyRAT, and its malware config extractor identified the following attributes:

Family valleyrat_s2
Version 1.0
C2 143.92.37.168:10086
Campaign date 2026-02-02

This is interesting, because this is another link between the campaign mentioned in Fareed’s blog post and ValleyRAT. When I examined the ValleyRAT C2 traffic from the Triage sandbox execution I noticed that CapLoader as well as FlowCarp identified it as Gh0stKCP, which is a UDP-based protocol that ValleyRAT sometimes uses to transport its C2 traffic.

Gh0stKCP flows in CapLoader

Use this oneliner to upload the PcapNG file from Triage to the free FlowCarp demo server and extract IP:port IOCs from FlowCarp alerts.

curl -fSs --data-binary @260514-agrsxacw6n-behavioral1.pcapng https://demo.flowcarp.com | jq -s -c 'map(select(.event_type=="alert")|[(.dest_ip + ":" + (.dest_port|tostring)), .alert.signature])|unique[]'

["143.92.37.168:10086","MALWARE protocol detected: Gh0stKCP"]

If you prefer Suricata, use these custom signatures to detect Gh0stKCP:
https://github.com/Netresec/Suricata/blob/main/netresec.rules

You can then use the same jq query as in the FlowCarp example to extract the alert IOCs from Suricata’s eve.json output.

cat eve.json | jq -s -c 'map(select(.event_type=="alert")|[(.dest_ip + ":" + (.dest_port|tostring)), .alert.signature])|unique[]'

["143.92.37.168:10086","Gh0stKCP / HP-Socket ARQ handshake"]
["143.92.37.168:10086","Gh0stKCP close"]

Silver Fox

It is difficult to attribute the analyzed malware samples to a specific threat actor, but it is possible that they were used by the notorious Silver Fox group, which is one of China’s largest and most active cybercrime groups.

On a positive note, China Daily recently reported that Chinese police have taken “criminal compulsory measures” against 27 suspects linked to Silver Fox. The same article also stated that “The gang allegedly sent phishing emails in bulk, stole corporate data and built fraud scenarios to carry out criminal activities totaling more than 7 million yuan ($1 million)”.

Let’s hope this puts a stop to, or at least significantly reduces, the massive flood of malware that has been coming from this threat actor.

IOC List

Unknown Downloader

  • d43fdaa1f0ee09d7e5f0f94ee9df7b6c (Bitte füllen..vbs)
  • hxxps://f004.backblazeb2[.]com/file/fadaoxiao/uamcd.pdf
  • hxxps://f004.backblazeb2[.]com/file/gaosu2/CoreShield.msi
  • hxxps://fadaoxiao.s3.us-west-004.backblazeb2[.]com/pacc.vbs
  • ac63eb8814f20ffd89ce81f51cba6916 (uamcd.pdf)
  • 9ca134a5ed592a0fb57e2ad910a71c80 (pacc.vbs)

NSecsoft Ping32 RMM C2

  • 143.92.37.168:18987 (UDP)
  • 143.92.37.168:38987 (TCP)
  • 143.92.37.168:48988 (TCP)
  • 143.92.37.168:48991 (TCP)
  • 143.92.37.168:48992 (TCP)

DonutLoader/ValleyRAT

  • 8266b00c4e45d728cef78b3f5a865f68 (ManagementTool.exe)
  • 143.92.37.168:10086 (UDP)

Posted by Erik Hjelmvik on Thursday, 25 June 2026 09:27:00 (UTC/GMT)

Tags: #Gh0stKCP #ValleyRAT #Suricata #FlowCarp #CapLoader

Short URL: https://netresec.com/?b=2666e31


CapLoader 2.1.0 Released

CapLoader 2.1.0

CapLoader has been updated to version 2.1.0. The new release comes with better JA3/JA4 extraction and integration of additional threat-intel and OSINT services. We have also added support for more encapsulation protocols.

TLS Client Hello Reassembly

TLS handshakes no longer reliably fit in a single packet. Modern TLS features, like post-quantum key exchanges and Encrypted Client Hello (ECH), often expand handshake sizes across multiple TCP segments. The same trend appears in QUIC traffic, where TLS handshakes now often are too large to fit in a single UDP packet.

As a result, packet‑analysis tools that parse live traffic or PCAP files (like CapLoader) must cache partial TLS handshakes and reassemble them to recover the complete TLS ClientHello messages. NetworkMiner and FlowCarp already perform TLS handshake reassembly; CapLoader now supports it as well. This enables CapLoader to extract metadata from large TLS handshakes, including SNI hostnames, JA3 hashes and JA4 fingerprints.

TLS and QUIC sessions in CapLoader 2.1.0.0

The screenshot above shows CapLoader displaying information extracted from PCAP files that contain TLS and QUIC traffic with multi‑segment TLS 1.3 handshakes. The visible JA4 fingerprints for the client handshakes are:

  • q13d0311h3_55b375c5d22e_5a1f323ef56d − HTTP/3 w/ ECH
  • t13d1516h2_8daaf6152771_02713d6af862 − HTTP/2 w/ ECH
  • t13d1517h2_8daaf6152771_b0da82dd1658 − HTTP/2 w/ ECH
  • t13d1515h2_8daaf6152771_f37e75b10bcc − HTTP/2
  • t13d1516h2_8daaf6152771_9b887d9acb53 − HTTP/2

All these handshakes support post-quantum key agreements with a 1216 byte X25519MLKEM768 key. The first three listed JA4 fingerprints also use ECH.

JA4 fingerprint t13i010400_0f2cb44170f4_5c4c70b73fa0_518x136

Threat Intel and OSINT

CapLoader now matches network traffic against indicators of compromise (IOCs) from Johannes Bader's open source threat intelligence platform Rösti. An alert is raised whenever the analysed traffic matches any of the following IOC types on Rösti:

  • domain
  • domain:port
  • IP
  • IP:port

When a match occurs, CapLoader raises an alert on the flow/service and includes the matching IOC type and value. Rösti aggregates IOCs from public feeds, researchers, and threat‑intel providers (including IOCs published on this blog).

We have also extended the OSINT lookup shortcuts in CapLoader to include the following websites:

Right-click a flow/service/host/alert in CapLoader and select "Lookup [domain/IP/ASN] at...", which opens the chosen OSINT site in a browser tab with info about the domain/IP/ASN.

Encapsulated Protocols

CapLoader already decapsulates GRE, VXLAN, CapWap, Teredo, GTP-U, TZSP as well as IP-in-IP.

Decapsulate all the things

With this release we add support for extracting traffic from the following encapsulation protocols:

  • Aruba GRE encapsulated WiFi
  • Geneve (RFC 8926)
  • GRE in UDP (RFC 8086) to ports 4754 and 4755

Improved Protocol Detection

The precision of CapLoader's built-in port independent protocol identification has been improved and several additional protocols can now be detected, including GSocket, Hioles, Mirai, Pulsar RAT, PureRAT, SVCStealer and XenoRAT.

Posted by Erik Hjelmvik on Wednesday, 27 May 2026 09:15:00 (UTC/GMT)

Tags: #CapLoader #JA3 #JA4 #TLS #QUIC #OSINT #encapsulation #decapsulation #GRE

Short URL: https://netresec.com/?b=265c041


Decoding malware C2 with CyberChef

This video tutorial demonstrates how malware XOR encrypted and obfuscated C2 traffic can be decoded with CyberChef.

The analyzed PCAP files can be downloaded from malware-traffic-analysis.net.

CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444:

From_Hex('Auto')
XOR({'option':'Hex','string':'62'},'Standard',false)
Find_/_Replace({'option':'Regex','string':'\\r'},'',true,false,true,false)
From_HTML_Entity()

Decoded data from first "key007" reverse shell session to 103.27.157.146:4444:

key007
Authentication successful
furtheringthemagic.com
net group "domain computers" /domain
The request will be processed at a domain controller for domain furtheringthemagic.com.

Group name Domain Computers
Comment All workstations and servers joined to the domain

Members

-------​--------​-------​--------​-------​---------​-------​----------​--------​--------
DESKTOP-G71S4PF$
The command completed successfully.

CyberChef recipe to decode obfuscated PowerShell payload from malicious finger service on 64.190.113.206:79:

Fork(',','',false)
Pad_lines('End',5,',6044')
Subtract('Comma')
From_Charcode('Space',10)

Update 2026-01-21

Our classification of the final payload has been updated from AsyncRAT to GhostWeaver thanks to feedback from Don Pasci. Don referenced a writeup by Recorded Future's Insikt Group, called Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting, which states the following:

GhostWeaver has periodically been misclassified as AsyncRAT. [...] GhostWeaver and AsyncRAT share certain characteristics within their self-signed X.509 certificates, such as identical expiration dates and serial number lengths; however, these similarities may simply reflect common certificate-generation methods rather than meaningful operational overlap.

We also believe that some of the PowerShell related traffic was caused by MintsLoader.

IOC List

  • 103.27.157.146:4444 (unknown "key007" reverse shell)
  • 64.190.113.206:79 (finger)
  • checkifhuman[.]top (finger)
  • ey267te[.]top (MintsLoader)
  • 64.52.80.153:80 (MintsLoader)
  • 173.232.146.62:25658 (AsyncRAT GhostWeaver)
  • 08kcbghk807qtl9[.]fun:25658 (AsyncRAT GhostWeaver)

Network Forensics Training

Check out our network forensic trainings if you want to learn more about decoding malware C2 traffic. I'm teaching a live online Network Forensics for Incident Response class on February 23-26.

Posted by Erik Hjelmvik on Tuesday, 20 January 2026 12:10:00 (UTC/GMT)

Tags: #Netresec #CyberChef #XOR #PCAP #CapLoader #PowerShell #Video #videotutorial

Short URL: https://netresec.com/?b=261f535


Gh0stKCP Protocol

Gh0stKCP is a transport protocol based on KCP, which runs on top of UDP. Gh0stKCP has been used to carry command-and-control (C2) traffic by malware families such as PseudoManuscrypt and ValleyRAT/Winos4.0.

Gh0stKCP ghost

@Jane_0sint recently tweeted about ValleyRAT using a new UDP based C2 protocol. I wanted to take a closer look at the protocol, so I downloaded the PCAP from any.run and opened it with CapLoader. To my surprise CapLoader claimed that the C2 traffic was using a known protocol called “KCP”.

ValleyRAT UDP traffic identified as KCP by CapLoader

The protocol detection feature in CapLoader compares traffic in TCP and UDP sessions to statistical models of known protocols. This means that no protocol specification or RFC is required to identify a protocol. All that is needed is some example traffic to build a protocol model from (see this XenoRAT detection video for a demonstration of this feature). In this case CapLoader’s KCP protocol model was built from UDP based C2 traffic from PseudoManuscrypt, which was reported to have been using KCP.

What is KCP?

KCP is a UDP based protocol designed as a low-latency alternative to TCP. The protocol was created by Lin Wei in the early 2010s, primarily to transport p2p voice chat audio in games. The protocol is, however, very generic and can be used to transport basically any type of data. The KCP protocol specification includes the following packet structure:

KCP packet structure

The first field “conv” is a 32 bit (4 byte) unique ID for a KCP session. This conversation ID is used to uniquely identify a connection and will remain constant throughout the connection. KCP doesn’t include any handshake mechanism for establishing new sessions, which means that KCP endpoints typically start transmitting payload data already in the first KCP packet.

The Gh0stKcp Protocol

The UDP based KCP C2 protocol used by PseudoManuscrypt as well as the ValleyRAT C2 traffic that CapLoader reported being “KCP” both deviated from the original KCP specification in several ways. For instance, KCP packets have a 24 byte header, which means that packets shorter than 24 bytes can’t be KCP. In fact, the KCP source code actually ignores UDP packets that carry less than 24 bytes of payload. Yet, both the PseudoManuscrypt and ValleyRAT UDP C2 traffic initially transmit several 12-byte packets.

CapLoader transcript of Gh0stKCP session

Image:Flow transcript of Gh0stKCP traffic in CapLoader

These 12-byte Gh0stKCP handshake packets are generated by an open source library called HP-Socket, which includes a custom Automatic Repeat reQuest (ARQ) handshake mechanism.

The following behavior can be deduced by examining UDP traffic from Valley RAT or by analyzing the UDP handshake mechanism in HP-Socket's ArqHelper.h.

The client (bot) starts by sending an empty UDP packet to the C2 server, followed by a UDP packet carrying a 12 byte payload structured like this:

4f bb 01 00 xx xx xx xx 00 00 00 00

The first four bytes can be decoded as follows:

  • 4f bb = Magic bytes
  • 01 = Handshake command
  • 00 = Handshake is not completed

The “xx” bytes represent a KCP conversation ID (conv) proposed by the bot. This initial handshake packet can easily be detected and alerted on with the following Suricata IDS signature:

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"Gh0stKCP handshake"; dsize:12; content:"|4f bb 01 00|"; offset:0; depth:4; content:"|00 00 00 00|"; within:8; distance:4; classtype:trojan-activity; reference:url,https://netresec.com/?b=259a5af; sid:1471101; rev:1;)

The C2 server also transmits a UDP packet containing a 12 byte handshake using the exact same structure as the client. However, the C2 server proposes a 32 bit conversation ID of its own. In “normal” KCP implementations the client and server agree on a single shared conversation ID, but Gh0stKCP actually uses one separate ID for each direction. This allows the server to transmit its handshake packet without having seen the client’s handshake.

4f bb 01 00 yy yy yy yy 00 00 00 00

The “yy” bytes represent the C2 server’s 32-bit conversation ID (conv).

The communicating parties frequently re-transmit this initial handshake packet until they have received a handshake from the other end.

Upon receiving the other end’s handshake both the bot and C2 server acknowledge the other end’s conversation ID with a UDP packet carrying the following 12 byte payload:

4f bb 01 00 xx xx xx xx yy yy yy yy

Where “xx” is the sender’s conversation ID and “yy” is the other end’s conversation ID. After having received the other end’s acknowledgment packet both parties additionally transmit a final ack packet, indicating that the handshake is completed and they will start communicating using KCP. This final ack packet is identical to the previous one, except the fourth byte (handshake complete flag) has changed from 0x00 to 0x01.

4f bb 01 01 xx xx xx xx yy yy yy yy

From this point on Gh0stKCP communicates using the KCP protocol, with the exception that each end transmits packets using their own conversation ID rather than a common ID. The KCP traffic that follows can therefore be parsed and inspected in Wireshark with help of a KCP Lua parser, such as CandyMi’s kcp_dissector.lua.

Gh0stKCP traffic in Wireshark with Lua script to decode KCP

Image: KCP traffic from ValleyRAT sample any.run in Wireshark

Finally, the Gh0stKCP session is terminated by sending a UDP packet containing the following hard coded 16 bytes:

be b6 1f eb da 52 46 ba 92 33 59 db bf e6 c8 e4

This unique byte sequence is defined in HP-Socket as s_szUdpCloseNotify, which can be detected with the following Suricata IDS signature:

alert udp any any -> any any (msg:"Gh0stKCP close"; dsize:16; content:"|be b6 1f eb da 52 46 ba 92 33 59 db bf e6 c8 e4|"; offset:0; depth:16; classtype:trojan-activity; reference:url,https://netresec.com/?b=259a5af; sid:1471102; rev:1;)

Hole Punching in NAT Firewalls

The elaborate handshake procedure used by Gh0stKCP introduces a significant delay before the C2 session is established. The handshake takes up to 500ms to complete, which is much slower than a normal TCP 3-way handshake. KCP is typically used because of its low-latency properties, but the handshake routine ruins any chance for quick establishment of Gh0stKCP sessions.

The intricate ARQ handshake routine does, however, allow for hole punching in firewalls, aka “NAT traversal”, which enables the protocol to be used for peer-to-peer communication. This p2p-enabling property could potentially be used to relay C2 communication through one or several bots, even if those bots are behind separate NAT firewalls.

Detecting Gh0stKCP with Snort and YARA

CapLoader can detect when the KCP protocol is used. However, only a few security analysts have a CapLoader license. We have therefore decided to release Surucata signatures and a YARA rule that can be used to detect Gh0stKCP.

The Suricata signatures included in this blog post can also be downloaded from here:
https://github.com/Netresec/Suricata/blob/main/netresec.rules

Our Gh0stKCP YARA rule is based on Steve Miller’s “RareEquities_KCP” rule, from Mandiant’s 2020 blog post APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Steve’s original YARA rule provides generic detection of software that uses the original KCP library. We’ve extended that rule to also look for HP-Socket’s characteristic 16-byte close command.

https://github.com/Netresec/YARA/blob/main/Gh0stKCP.yar

IOC List

Many of the IOCs in the list below are old, which is why you might not want to use them for alerting. They are included here primarily for researchers and analysts who wish to perform retrohunting to discover malware samples that use GhostKCP.

2021 (PseudoManuscrypt)

  • UDP 34.64.183.91:53
  • UDP 34.97.69.225:53
  • UDP 160.16.200.77:53
  • UDP 167.179.89.78:53
  • UDP 185.116.193.219:53
  • UDP 198.13.62.186:53
  • UDP email.yg9[.]me:53
  • UDP facebook.websmails[.]com:53
  • UDP google.vrthcobj[.]com:53

2022 (PseudoManuscrypt)

  • UDP 34.142.181.181:53

2025 (ValleyRAT / Winos4.0)

  • UDP 27.124.3.234:8443
  • UDP 43.133.39.217:80
  • UDP al17[.]tk:80
  • UDP xiaoxiao.fenghua678.eu[.]cc:8443

Attribution

Use of ValleyRAT is often attributed to the APT group Silver Fox (银狐), but ValleyRAT and Gh0stKCP could be used by other threat actors as well.

Posted by Erik Hjelmvik on Wednesday, 24 September 2025 09:40:00 (UTC/GMT)

Tags: #Gh0stKCP #ValleyRAT #CapLoader #Suricata

Short URL: https://netresec.com/?b=259a5af


Define Protocol from Traffic (XenoRAT)

This video shows how to define a protocol in CapLoader just by providing examples of what the protocol looks like. CapLoader can then identify that protocol in other traffic, regardless of IP address and port number, simply by looking for traffic that behaves similar to what it was trained on. We call this Port Independent Protocol Identification (PIPI). You don’t need to define all protocols this way though since CapLoader can detect hundreds of different protocols out of the box using PIPI.

The protocol identified in the video is the XenoRAT command-and-control (C2) protocol. The identification was based on a sandbox execution of XenoRATClientScript.js on ANY.RUN. The protocol model was then tested on a PCAP file from a XenoRAT execution on Triage.

IOC List

  • Url: hxxps://raw.githubusercontent[.]com/NTCHuy/hack/refs/heads/main/Client.exe
  • MD5: e0b465d3bd1ec5e95aee016951d55640
  • MD5: 5ab23ac79ede02166d6f5013d89738f9
  • C2: Huy1612-24727.portmap[.]io:24727
  • C2: 193.161.193.99:24727
  • C2: 147.185.221.30:54661

Posted by Erik Hjelmvik on Thursday, 21 August 2025 12:50:00 (UTC/GMT)

Tags: #CapLoader #PIPI #ANY.RUN

Short URL: https://netresec.com/?b=258f641


CapLoader 2.0.1 Released

This update resolves several minor bugs, but also brings better protocol identification and a new IP lookup alert to CapLoader.

CapLoader showing Info-level alert for IP lookup using ip-api.com
Alert for IP lookup using ip-api.com in PCAP from tria.ge Transcript of ip-api.com IP lookup traffic
Transcript of ip-api.com IP lookup traffic

IP lookup services, like ip-api, checkip.amazonaws.com and ident.me, aren’t malicious, but malware often use such services to find out what the public IP address is of an infected machine. As Tony Robinson points out, in his recent External IP Lookup Rules post, malware does so to check for internet connectivity and determine the country of the infected PC. But I’ve also observed a third reason, which is when the threat actor resolves the victim’s public IP to then query a DNSBL service and check the IP’s reputation. I believe the DNSBL lookup is performed to evaluate the success rate of sending spam, such as emails with malicious attachments or links, from the victim PC.

TrickBot performing a DNSBL lookup of client’s public IP
TrickBot performing a DNSBL lookup of client’s public IP

If you want to learn more about how TrickBot used DNSBL then read GoSecure’s TrickBot […] and Spamhaus blog post or sign up for one of my network forensics training sessions.

Improved Protocol Detection

The precision of CapLoaders built-in port independent protocol identification has been improved and a few additional protocols can now be detected, including Interlock RAT.

Bug Fixes

The following bugs fixes and feature updates are included in this release:

  • Better handling of corrupt PCAP files
  • Fixed periodicity measurement inconsistency for services with more than 100 flows
  • Fixed parsing bug for duplicate QUIC packets
  • Improved speed and reliability of auto-extract PCAP from selection
  • ThreatFox API updated to use abuse.ch Auth-Key

Posted by Erik Hjelmvik on Tuesday, 01 July 2025 13:48:00 (UTC/GMT)

Tags: #CapLoader #TrickBot #DNSBL

Short URL: https://netresec.com/?b=2571527


Detecting PureLogs traffic with CapLoader

CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the C2 protocol used by the PureLogs Stealer malware.

The PureLogs protocol detection was added to CapLoader in the recent 2.0 release.

The PCAP file analyzed in the video is from Brad Duncan’s fantastic malware-traffic-analysis.net website.

Indicators of Compromize (IOC):

  • mxcnss.dns04.com:7702
  • 176.65.144.169:7702

Posted by Erik Hjelmvik on Monday, 09 June 2025 14:26:00 (UTC/GMT)

Tags: #CapLoader #PureLogs #malware-traffic-analysis.net #PIPI

Short URL: https://netresec.com/?b=256a8c4


CapLoader 2.0 Released

CapLoader 2.0

I am thrilled to announce the release of CapLoader 2.0 today!

This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allow users to define their own protocol detections based on example network traffic.

User Defined Protocols

CapLoader's Port Independent Protocol Identification feature can currently detect over 250 different protocols without having to rely on port numbers. This feature can be used to alert on rogue services like SSH, FTP, VPN and web servers that have been set up on non-standard ports to go unnoticed. But what if you want to detect traffic that isn’t using any of the 250 protocols that CapLoader identifies? CapLoader 2.0 includes a fantastic solution that solves this problem! Simply right-click a flow containing the traffic you want to identify and select “Define protocol from flow”. This creates a custom local protocol detection model based on the selected traffic.

CapLoader’s protocol identification feature may seem like magic, but it actually relies on several different statistical measurements of the traffic in order to build a model of how the protocol behaves. It's possible to define a protocol model from just a single flow, but doing so may lead to poor detection results, which is why we recommend defining protocols from at least 10 different flows. You can do this either by selecting multiple flows or services before clicking “Define protocol from” or by adding additional flows or services to a protocol model at a later point by clicking “Add flow to protocol definition”.

More Malware Protocols Detected

There are several malware C2 protocols among CapLoader’s built-in models for protocol identification. The 2.0 release has been extended to detect even more malware protocols out of the box, such as Aurotun Stealer, PrivateLoader, PureLogs, RedTail, ResolverRAT, SpyMAX, SpyNote and ValleyRAT.

These protocols can now be detected using CapLoader regardless which IP address or port number the server runs on.

QUIC Parser

CapLoader now parses the QUIC protocol, which typically runs on UDP port 443 and transports TLS encrypted HTTP/3 traffic. CapLoader doesn’t decrypt the TLS encrypted HTTP/3 traffic though, it only parses the initial QUIC packets containing the client’s TLS handshake to extract the target domain name from the SNI extension and generates JA3 hashes and JA4 fingerprints of the client’s TLS handshake.

QUIC network traffic from Active Countermeasures shown in CapLoader's services tab
Image: QUIC traffic from Active Countermeasures
  • Merlin C2 JA3: 203c2306834e5bf5ace01fb74ad1badf
  • Merlin C2 JA4: q13i0311h3_55b375c5d22e_c183556c78e2

More Alerts

There’s a fantastic service called ThreatFox, to which security researchers, incident responders and others share indicators of compromise (IOC). Many of the shared IOCs are domain names and IP addresses used by malware for payload delivery, command-and-control (C2) or data exfiltration. Various IOC lists can be downloaded from ThreatFox, so that they can be used by a DNS firewall or a TLS firewall to block malware traffic. But the IOCs can also be used for alerting and threat hunting. CapLoader downloads two IOC lists from ThreatFox when the tool is started (the data is then cached for 24 hours, so that no new download is needed until the next day). Analyzed network traffic is then matched against these downloaded offline databases to provide alerts whenever there is traffic to a domain name or IP address that has been reported to be associated with malware.

CapLoader alerts for Lumma and Remcos traffic to servers listed on ThreatFox
Image: Alerts for traffic to Lumma Stealer and Remcos servers listed on ThreatFox

We’ve also added two additional alert types in this release, one for anomalous TLS handshakes, and one for connections to suspicious domains. Both these alerts are designed primarily for threat hunting, since there’s a considerable risk that they will alert on legitimate traffic. The anomalous TLS handshake alert tries to detect odd TLS connections that are not originating from the user’s web browser or the operating system. The alert is triggered when such odd connections are made to domain names that are not well-known. This alert logic is designed to generically detect any TLS encrypted malware traffic, where the malware is using a custom TLS library instead of relying on operating system API calls for establishing encrypted connections. But this logic might also lead to false positive alerts, for example when legitimate applications use custom TLS libraries to perform tasks like checking a license or looking for software updates. The suspicious domain alert looks for connections to domain names like devtunnels.ms, ngrok.io and mocky.io, which are often used by APTs as well as crime groups.

Metrics for VPN Detection

CapLoader 2.0 displays the TCP MSS values on the Hosts tab. This value can help with determining if a host is behind a VPN. An MSS value below 1400 indicates that the host’s traffic might pass through some form of overlay network, such as a tunnel or VPN. Other indicators that can help identify VPN and tunnelled traffic is IP TTL and latency, which CapLoader also displays in the hosts tab.

Client traffic coming out of VPN concentrator with low MSS value

Improved User Experience

A lot of effort has been put into improving the user interface and general user experience for this new CapLoader release. One very important user experience factor is the responsiveness of the user interface, which has been significantly improved. Actions like sorting and filtering flows, services or alerts in CapLoader now complete around 10 times faster than before, which is very noticeable when working with multi-gigabyte capture files. Another improvement related to working with large capture files is that CapLoader now uses significantly less memory.

The transcript window in CapLoader has also received a touch-up. There is now, for example a search box that allows you to quickly find a particular keyword in a TCP or UDP transcript (thanks to Allan Christensen at SektorCERT for the idea). Actions in the transcript window, such as changing encoding or flipping up/down between flows, now also complete much faster than before.

CapLoader automatically saves the packets from selected flows or services to a pcap file in the %TEMP% directory every time the selection changes. This pcap file can be accessed from the “PCAP” icon in the top-right of the user interface. Simply drag-and-drop from CapLoader’s PCAP icon to Wireshark or NetworkMiner to open the filtered traffic. Several users have requested the ability to also perform this drag-and-drop operation directly from the selected rows. I’m happy to say that this is now possible, but you have to perform the drag-and-drop with the middle mouse button (such as the scroll wheel). Users without a middle mouse button can drag-and-drop selected rows by holding down the Ctrl key while drag-and-dropping with the right mouse button instead.

Free Trial vs Commercial Version

Many of CapLoader’s features, such as port-independent protocol identification, are only available in the commercial version of CapLoader. But the free trial version of CapLoader does include new features like the QUIC parser and alerts for suspicious domains and alerts whenever a domain name is listed on ThreatFox.

Alerts in the trial version of CapLoader
Image: Alerts on malicious and suspicious traffic in Trial version of CapLoader

Updating to CapLoader 2.0

Users who have already purchased a license for CapLoader can download a free update to version 2.0 from our customer portal or by clicking “Check for Updates” in CapLoader’s Help menu.

Posted by Erik Hjelmvik on Monday, 02 June 2025 13:47:00 (UTC/GMT)

Tags: #CapLoader #QUIC #Threat Hunting #ThreatFox

Short URL: https://netresec.com/?b=256dbbc

2024 September

CapLoader 1.9.7 Released

2024 May

Kubernetes Cryptojacking

2024 January

Hunting for Cobalt Strike in PCAP

2023 November

CapLoader 1.9.6 Released

2023 March

QakBot C2 Traffic

2023 February

How to Identify IcedID Network Traffic

CapLoader 1.9.5 Alerts on Malicious Traffic

2022 September

Hunting for C2 Traffic

2022 June

CapLoader 1.9.4 Released

2021 November

Open .ETL Files with NetworkMiner and CapLoader

2021 August

Carving Packets from Memory

2021 July

Walkthrough of DFIR Madness PCAP

2021 May

Detecting Cobalt Strike and Hancitor traffic in PCAP

CapLoader 1.9 Released

2021 April

Analysing a malware PCAP with IcedID and Cobalt Strike traffic

2020 October

Honeypot Network Forensics

2019 May

CapLoader 1.8 Released

2019 January

Video: TrickBot and ETERNALCHAMPION

2018 July

CapLoader 1.7 Released

2018 February

Analyzing Kelihos SPAM in CapLoader and NetworkMiner

2017 October

CapLoader 1.6 Released

2017 March

CapLoader 1.5 Released

2017 January

Network Forensics Training at TROOPERS 2017

2016 September

Bug Bounty PCAP T-shirts