Detecting PureLogs traffic with CapLoader
June 10, 2025, 11:13 a.m.
Description
CapLoader's Port Independent Protocol Identification (PIPI) feature can now detect the C2 protocol used by the PureLogs Stealer malware without relying on port numbers; this detection was added in the recent 2.0 release. The blog post demonstrates it on a PCAP file from malware-traffic-analysis.net and shows how CapLoader classifies the protocol of individual TCP and UDP sessions, which is useful both for network security monitoring and for forensics. The post also lists indicators of compromise for the PureLogs traffic: a C2 domain, the C2 URL with its port, and an IP address.
Tags
Date
- Created: June 10, 2025, 9:18 a.m.
- Published: June 10, 2025, 9:18 a.m.
- Modified: June 10, 2025, 11:13 a.m.
Indicators
- 176.65.144.169
- http://mxcnss.dns04.com:7702
- mxcnss.dns04.com
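An added example of putting the indicators above to use, not code from the CapLoader post or from Netresec: a small Python sweep that normalizes the three IOCs and runs them over constructed Zeek-style JSON log lines. Because the post's point is that the PureLogs C2 protocol is recognized without relying on port numbers, the matcher keys on destination IP and queried domain and only reports the 7702 port match as a secondary flag, so a connection to the C2 host on some other port is still a hit. The log lines, the Zeek field names and the client addresses are assumptions made for this example.

```python
"""IOC sweep for the PureLogs indicators listed on this page.

Added example (not from the CapLoader post). Log lines below are
constructed; field names follow Zeek's JSON conn.log / dns.log, which
is an assumption about the reader's log source.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Indicators exactly as listed on this page.
INDICATORS = [
    "176.65.144.169",
    "http://mxcnss.dns04.com:7702",
    "mxcnss.dns04.com",
]

# Constructed sample log lines (not taken from the referenced PCAP).
SAMPLE_DNS_LOG = """
{"ts": 1.0, "id.orig_h": "10.0.0.5", "query": "mxcnss.dns04.com", "answers": ["176.65.144.169"]}
{"ts": 2.0, "id.orig_h": "10.0.0.5", "query": "example.com", "answers": ["93.184.216.34"]}
"""
SAMPLE_CONN_LOG = """
{"ts": 3.0, "uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "176.65.144.169", "id.resp_p": 7702, "proto": "tcp"}
{"ts": 4.0, "uid": "C2", "id.orig_h": "10.0.0.5", "id.resp_h": "176.65.144.169", "id.resp_p": 443, "proto": "tcp"}
{"ts": 5.0, "uid": "C3", "id.orig_h": "10.0.0.5", "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp"}
"""


def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def normalize_indicators(indicators):
    """Split raw IOCs into (ip set, hostname set, host -> known ports)."""
    ips, hosts, ports = set(), set(), {}
    for ioc in indicators:
        if "://" in ioc:
            url = urlsplit(ioc)  # hostname is lowercased, port parsed as int
            hosts.add(url.hostname)
            if url.port is not None:
                ports.setdefault(url.hostname, set()).add(url.port)
        elif is_ip(ioc):
            ips.add(ioc)
        else:
            hosts.add(ioc.lower().rstrip("."))
    return ips, hosts, ports


def sweep(dns_log, conn_log, indicators=INDICATORS):
    """Return hits in log order: DNS lookups of listed domains, then
    connections to listed (or resolved) IPs on any destination port."""
    ips, hosts, ports = normalize_indicators(indicators)
    known_ports = set().union(*ports.values()) if ports else set()
    hits = []
    for rec in parse_jsonl(dns_log):
        query = rec.get("query", "").lower().rstrip(".")
        if query in hosts:
            hits.append({"source": "dns", "ts": rec["ts"],
                         "client": rec["id.orig_h"], "indicator": query})
            # Addresses the C2 domain resolved to become IP indicators
            # for the connection pass.
            ips.update(a for a in rec.get("answers", []) if is_ip(a))
    for rec in parse_jsonl(conn_log):
        dst = rec["id.resp_h"]
        if dst in ips:
            hits.append({
                "source": "conn", "ts": rec["ts"], "uid": rec["uid"],
                "client": rec["id.orig_h"], "indicator": dst,
                "port": rec["id.resp_p"],
                # True when the port matches one from the IOC list. A False
                # here is still a hit: we deliberately do not key on ports.
                "port_known": rec["id.resp_p"] in known_ports,
            })
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG):
        print(hit)
```

On the constructed logs this reports the DNS lookup of mxcnss.dns04.com and both connections to 176.65.144.169, with only the 7702 session marked as matching a port from the indicator list; the 443 session is flagged all the same. Replace the sample strings with real Zeek JSON output, or adapt the field names, to run it against your own logs.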