{
	"id": "fd1b6a9a-4d6b-4662-b8fb-ae99ad1780d8",
	"created_at": "2026-04-06T00:06:11.394781Z",
	"updated_at": "2026-04-10T03:22:00.802279Z",
	"deleted_at": null,
	"sha1_hash": "44c87b106adbb35b61cebf4c6ac8015a4691a493",
	"title": "Snake Infostealer: How Attackers Exfiltrate Data Via SMTP | Aryaka Threat Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1122316,
	"plain_text": "Snake Infostealer: How Attackers Exfiltrate Data Via SMTP |\r\nAryaka Threat Research\r\nBy Aditya K Sood\r\nArchived: 2026-04-05 21:18:18 UTC\r\nData exfiltration via Simple Mail Transfer Protocol (SMTP) is a robust method attackers use to transfer sensitive or confidential information from a compromised system to an external location. Attackers favor SMTP, the standard email communication protocol, for exfiltration because it operates over commonly allowed ports (e.g., ports 25, 465, or 587); despite these dangers, it is rarely blocked within corporate environments. IT security professionals and network administrators must monitor SMTP traffic, as attackers can abuse the protocol by encoding sensitive data into email attachments or body content and sending it to external email accounts under their control. Since SMTP traffic is typically encrypted using STARTTLS or SMTPS, it can bypass many traditional network monitoring tools that are not configured to inspect encrypted traffic. Furthermore, the legitimate use of email in corporate workflows makes exfiltration via SMTP less suspicious to intrusion detection systems, especially if attackers blend exfiltrated data with legitimate email activity.\r\nThe Snake loader and keylogger code analysis was performed earlier, highlighting its techniques and tactics. Today the Aryaka Threat Research Lab is analyzing the SMTP-based data exfiltration mechanism Snake keylogger uses […] data before exfiltration.\r\nAttackers often exploit compromised email accounts (obtained via phishing or credential theft) to send emails, making the activity appear legitimate and increasing the likelihood of success. Another tactic involves using specially crafted malware to automate data collection, encoding, and exfiltration, often configured to interact directly with an SMTP server. This malware may include mechanisms to periodically check for connectivity or dynamically update email recipient addresses to evade blocklists.\r\nhttps://www.aryaka.com/blog/snake-infostealer-smtp-data-exfiltration/\r\nPage 1 of 6\r\nFigure 1: SMTP communication triggered from the compromised system running Snake infostealer\r\nLet’s dissect it by analyzing the TCP session stream to understand the complete workflow.\r\nThe compromised system running Snake infostealer sends the EHLO (Extended HELO) command to identify the client to the server and to indicate support for Extended SMTP (ESMTP) features.\r\nThe AUTH command initiates the authentication process between the SMTP client running on the compromised system and the SMTP server. It supports various authentication mechanisms for providing credentials to the SMTP server, and it ensures that only authorized clients, here the systems running Snake infostealer, can relay emails through the server. The string “c2VuZGVyQGluaG91c2VwaWNrLmNvbQ==” base64-decodes to “sender@inhousepick.com”, and the password string “IyhQJWVPXiNKMA==” decodes to “#(P%eO^#J0”. Once authentication is complete, the remote server has validated the connection initiated from the compromised system running Snake infostealer and waits for the next commands. Figure 2 shows this exchange.\r\nFigure 2: SMTP authentication commands exchange\r\nAfter authentication, the compromised system sends the “MAIL FROM” command, specifying the email’s sender, “sender@inhousepick.com.” Similarly, the “RCPT TO” command specifies the recipient of the email, which in this case is “inlogs@inhousepick.com.” The “250 OK” response shows that the server has accepted the commands. Figure 3 shows how the compromised system uses the “DATA” command to exfiltrate the stolen information.\r\nFigure 3: SMTP: Data exfiltration using DATA command\r\nThe DATA command signals to the SMTP server that the client is about to transmit the email content. Once the command is issued and the server responds positively, the client sends the email’s headers and body, ending the transmission with a specific delimiter. The SMTP client running on the compromised system infected with Snake infostealer sends the “DATA” command, and the remote server responds with a 354 code, indicating that it is ready to receive the message content. Once the data is exfiltrated, the client issues the “QUIT” command (see Figure 4) to terminate the SMTP session. Note that the sensitive data stolen by Snake infostealer is exfiltrated over the SMTP channel.\r\nFigure 4: SMTP connection closes after successful exfiltration\r\nAs you may have noticed, the compromised system running Snake infostealer did not use STARTTLS, so all commands and message content, including potentially sensitive email headers, body content, and authentication credentials, were sent over the network unencrypted. The system uses SMTP AUTH to log in to the mail server without STARTTLS, so the username and password are transmitted in plain text.\r\nSince SMTP is widely allowed in corporate environments, this activity might go unnoticed unless monitored closely. By sending data in small chunks or disguising it as legitimate emails, attackers can evade detection by intrusion detection systems (IDS) or data loss prevention (DLP) tools.\r\nHow does Unified SASE as a Service help mitigate SMTP breaches?\r\nA Unified Secure Access Service Edge (SASE) framework integrates network security and zero-trust access controls to protect organizations against data exfiltration, including threats that target SMTP traffic. SASE provides centralized visibility and monitoring, allowing security teams to detect anomalies such as sudden spikes in email activity or connections to untrusted external mail servers.\r\nBy applying consistent security policies across all traffic, including email communications, Unified SASE ensures that unauthorized SMTP traffic, malicious attachments, and outbound data leaks are detected and blocked in real time, providing immediate security. SASE’s content inspection capabilities prevent sensitive data from being exfiltrated via SMTP: it can inspect outbound emails, detect patterns of sensitive information (e.g., credit card numbers, intellectual property, or personal identifiers), and automatically block unauthorized transmissions.\r\nSource: https://www.aryaka.com/blog/snake-infostealer-smtp-data-exfiltration/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.aryaka.com/blog/snake-infostealer-smtp-data-exfiltration/"
	],
	"report_names": [
		"snake-infostealer-smtp-data-exfiltration"
	],
	"threat_actors": [],
	"ts_created_at": 1775433971,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44c87b106adbb35b61cebf4c6ac8015a4691a493.pdf",
		"text": "https://archive.orkl.eu/44c87b106adbb35b61cebf4c6ac8015a4691a493.txt",
		"img": "https://archive.orkl.eu/44c87b106adbb35b61cebf4c6ac8015a4691a493.jpg"
	}
}