Showing blog posts from 2026

rss Google News
Erik Hjelmvik
Thursday, 26 February 2026 09:35:00 (UTC/GMT)

CISA mixup of IOC domains

Google's Threat Intelligence Group (GTIG) and Mandiant's recent Disrupting the GRIDTIDE Global Cyber Espionage Campaign report is great and it has lots of good Indicators of Compromise (IOC). Many of these IOCs had already been shared by CISA last year as part of their Alert AA25-141A titled "Russian GRU Targeting Western Logistics Entities and Technology Companies". The IOC overlap between these two reports is surprisingly big, provided that the GTIG report covers a Chinese espionage group while the CISA report covers the Russian GRU unit 26165 (aka APT28 / Fancy Bear).

But some of the domain names in CISA's report from last year are strange. For example, the domain name "accesscan[.]org" doesn't seem to ever have been registered. The GTIG report, however, contains the very similar domain "accesscam[.]org". This accesscam domain is registered to the dynamic DNS provider Dynu Systems, whose services are often abused by malicious actors. Is it possible that there are typos in the IOCs published by CISA? I think so.

accesscan glize spelling mistakes

Another odd domain in CISA's AA25-141A is "glize[.]com", which I suspect is a typo from either "giize[.]com" or "gleeze[.]com". The two latter domains are listed in the GTIG report and both of them also belong to the dynamic DNS provider Dynu Systems. The domain listed in CISA's alert, on the other hand, appears to be a legit website (archived page from 2024) from the marketing company Glize in Malta.

Screenshot of Glize's website from 2024

Glize's website seems to have disappeared sometime in 2025.

Update 2026-02-27

The IOC list published by CISA originates from cybersecurity advisory 157019-25 / PP-25-2107, which was created as a joint effort by the following 21 organizations:

authors of joint cybersecurity advisory Russian GRU Targeting Western Logistics Entities and Technology Companies
  • United States National Security Agency (NSA)
  • United States Federal Bureau of Investigation (FBI)
  • United Kingdom National Cyber Security Centre (NCSC-UK)
  • Germany Federal Intelligence Service (BND)
  • Germany Federal Office for Information Security (BSI)
  • Germany Federal Office for the Protection of the Constitution (BfV)
  • Czech Republic Military Intelligence (VZ)
  • Czech Republic National Cyber and Information Security Agency (NÚKIB)
  • Czech Republic Security Information Service (BIS)
  • Poland Internal Security Agency (ABW)
  • Poland Military Counterintelligence Service (SKW)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • United States Department of Defense Cyber Crime Center (DC3)
  • United States Cyber Command (USCYBERCOM)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • Canadian Centre for Cyber Security (CCCS)
  • Danish Defence Intelligence Service (DDIS)
  • Estonian Foreign Intelligence Service (EFIS)
  • Estonian National Cyber Security Centre (NCSC-EE)
  • French Cybersecurity Agency (ANSSI)
  • Netherlands Defence Intelligence and Security Service (MIVD)

It is therefore unclear which organization(s) reported the erroneous IOCs as well as who were responsible for verifying them before publication.

In summary, these are the incorrect and correct IOC domains:

  • Incorrect IOC: *.accesscan[.]org (not registered)
  • Correct IOC: *.accesscam[.]org (registered by Dynu Systems)
  • Incorrect IOC: *.glize[.]com (legitimate website, now closed)
  • Correct IOC: *.giize[.]com (registered by Dynu Systems)
  • Correct IOC: *.gleeze[.]com (registered by Dynu Systems)

Posted by Erik Hjelmvik on Thursday, 26 February 2026 09:35:00 (UTC/GMT)

Tags: #IOC

Short URL: https://netresec.com/?b=26233f4

Erik Hjelmvik
Monday, 02 February 2026 19:39:00 (UTC/GMT)

njRAT runs MassLogger

njRAT

njRAT is a remote access trojan that has been around for more than 10 years and still remains one of the most popular RATs among criminal threat actors. This blog post demonstrates how NetworkMiner Professional can be used to decode the njRAT C2 traffic to extract artifacts like screenshots, commands and transferred files.

A PCAP file with njRAT traffic was published on malware-traffic-analysis.net last week. After loading this PCAP file, NetworkMiner Professional reveals that the attacker downloaded full resolution screenshots of the victim’s screen.

Overview of screenshots sent to C2 server

Image: Overview of screenshots sent to C2 server

Screenshot extracted from njRAT traffic by NetworkMiner

Image: Screenshot extracted from njRAT traffic by NetworkMiner

The file “New Purchase Order and Specifications.exe” in this screenshot is the njRAT binary that was used to infect the PC.

A list of njRAT commands sent from the C2 server to the victim can be viewed on NetworkMiner’s Parameters tab by filtering for ”njRAT server command”.

njRAT commands

The following njRAT commands are present here:

  • CAP = take screenshot
  • inv = invoke (run) a plugin (dll)
  • rn = run a tool (executable)

Additional njRAT commands can be found in our writeup for the Decoding njRAT traffic with NetworkMiner video, which we published last year.

njRAT File Transfers

The “inv” and “rn” commands both transfer and execute additional code on the victim machine. The “inv” command typically transfers a DLL file that is used as a plugin, while the “rn” commands sends an executable file. These DLL and EXE files are transferred in gzip compressed format, which is why NetworkMiner extracts them as .gz files.

njRAT files extracted from PCAP

Image: Gzip compressed files extracted from njRAT traffic

This oneliner command lists the internal/original file names and corresponding MD5 hashes of the gzip compressed executables sent to the victim PC:

  • for f in njRAT-rn*.gz; do echo $f; gunzip -c $f | exiftool - | grep Original; gunzip -c $f | md5sum; done
  • njRAT-rn-260129030403.gz
  • Original File Name : Stub.exe
  • ca819e936f6b913e2b80e9e4766b8e79 -
  • njRAT-rn-260129030433.gz
  • Original File Name : Stub.exe
  • e422a4ce321be1ed989008d74ddb6351 -
  • njRAT-rn-260129030451.gz
  • Original File Name : CloudServices.exe
  • fcbb7c0c68afa04139caa55efe580ff5 -
  • njRAT-rn-260129031041.gz
  • Original File Name : Stub.exe
  • 0ae3798c16075a9042c5dbb18bd10a5c -

The MD5 hashes of the files inside the gzip compressed streams can also be seen on the Parameters tab in NetworkMiner.

njRAT file MD5 hashes

MassLogger

The “CloudServices.exe” executable is a known credential stealer called MassLogger. This particular MassLogger sample is hard coded to exfiltrate data in an email to kingsnakeresult@mcnzxz[.]com. The email is sent through the SMTP server cphost14.qhoster[.]net. See the execution of this sample on Triage for additional details regarding the MassLogger payload in CloudServices.exe.

IOC List

njRAT (splitter = "|Ghost|")

  • 58f1a46dba84d31257f1e0f8c92c59ec = njRAT sample
  • 104.248.130.195:7492 = njRAT C2 server
  • burhanalassad.duckdns[.]org:7492 = njRAT C2 server
  • 801a5d1e272399ca14ff7d6da60315ef = sc2.dll
  • ca819e936f6b913e2b80e9e4766b8e79 = Stub.exe
  • e422a4ce321be1ed989008d74ddb6351 = Stub.exe
  • fcbb7c0c68afa04139caa55efe580ff5 = CloudServices.exe
  • 0ae3798c16075a9042c5dbb18bd10a5c = Stub.exe

MassLogger

  • fcbb7c0c68afa04139caa55efe580ff5
  • kingsnakeresult@mcnzxz[.]com
  • cphost14.qhoster.net:587
  • 78.110.166.82:587

Posted by Erik Hjelmvik on Monday, 02 February 2026 19:39:00 (UTC/GMT)

Tags: #njRAT #NetworkMiner Professional #malware-traffic-analysis.net

Short URL: https://netresec.com/?b=262adb9

Erik Hjelmvik
Tuesday, 20 January 2026 12:10:00 (UTC/GMT)

Decoding malware C2 with CyberChef

This video tutorial demonstrates how malware XOR encrypted and obfuscated C2 traffic can be decoded with CyberChef.

The analyzed PCAP files can be downloaded from malware-traffic-analysis.net.

CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444:

From_Hex('Auto')
XOR({'option':'Hex','string':'62'},'Standard',false)
Find_/_Replace({'option':'Regex','string':'\\r'},'',true,false,true,false)
From_HTML_Entity()

Decoded data from first "key007" reverse shell session to 103.27.157.146:4444:

key007
Authentication successful
furtheringthemagic.com
net group "domain computers" /domain
The request will be processed at a domain controller for domain furtheringthemagic.com.

Group name Domain Computers
Comment All workstations and servers joined to the domain

Members

-------​--------​-------​--------​-------​---------​-------​----------​--------​--------
DESKTOP-G71S4PF$
The command completed successfully.

CyberChef recipe to decode obfuscated PowerShell payload from malicious finger service on 64.190.113.206:79:

Fork(',','',false)
Pad_lines('End',5,',6044')
Subtract('Comma')
From_Charcode('Space',10)

Update 2026-01-21

Our classification of the final payload has been updated from AsyncRAT to GhostWeaver thanks to feedback from Don Pasci. Don referenced a writeup by Recorded Future's Insikt Group, called Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting, which states the following:

GhostWeaver has periodically been misclassified as AsyncRAT. [...] GhostWeaver and AsyncRAT share certain characteristics within their self-signed X.509 certificates, such as identical expiration dates and serial number lengths; however, these similarities may simply reflect common certificate-generation methods rather than meaningful operational overlap.

We also believe that some of the PowerShell related traffic was caused by MintsLoader.

IOC List

  • 103.27.157.146:4444 (unknown "key007" reverse shell)
  • 64.190.113.206:79 (finger)
  • checkifhuman[.]top (finger)
  • ey267te[.]top (MintsLoader)
  • 64.52.80.153:80 (MintsLoader)
  • 173.232.146.62:25658 (AsyncRAT GhostWeaver)
  • 08kcbghk807qtl9[.]fun:25658 (AsyncRAT GhostWeaver)

Network Forensics Training

Check out our network forensic trainings if you want to learn more about decoding malware C2 traffic. I'm teaching a live online Network Forensics for Incident Response class on February 23-26.

Posted by Erik Hjelmvik on Tuesday, 20 January 2026 12:10:00 (UTC/GMT)

Tags: #Netresec #CyberChef #XOR #PCAP #CapLoader #PowerShell #Video #videotutorial

Short URL: https://netresec.com/?b=261f535

X / twitter

𝕏: @netresec

Bluesky

Bluesky: @netresec.com

Mastodon

Mastodon: @netresec@infosec.exchange