{
	"id": "98ba1c65-79bb-47e1-a3b9-f0d4c252a9d7",
	"created_at": "2026-04-06T00:20:52.85887Z",
	"updated_at": "2026-04-10T03:20:51.302333Z",
	"deleted_at": null,
	"sha1_hash": "7d8425f882d087b0ba729be99df02de02a04b623",
	"title": "Detecting PureLogs traffic with CapLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 562912,
	"plain_text": "Detecting PureLogs traffic with CapLoader\r\nBy Erik Hjelmvik\r\nPublished: 2025-06-09 · Archived: 2026-04-06 00:04:00 UTC\r\nMonday, 09 June 2025 14:26:00 (UTC/GMT)\r\nCapLoader includes a feature for Port Independent Protocol Identification (PIPI), which identifies the application-layer protocol carried inside a TCP or UDP session from the traffic itself rather than from the port number. In this video CapLoader identifies the C2 protocol used by the PureLogs Stealer malware.\r\nDetection of the PureLogs protocol was added to CapLoader in the recent 2.0 release.\r\nThe PCAP file analyzed in the video is from Brad Duncan's fantastic malware-traffic-analysis.net website.\r\nIndicators of Compromise (IOC):\r\nmxcnss.dns04.com:7702\r\n176.65.144.169:7702\r\nNote that the C2 server listens on a non-standard port (7702), which is exactly the situation where port-based protocol classification fails and port-independent identification is needed to label the session correctly.\r\nPosted by Erik Hjelmvik on Monday, 09 June 2025 14:26:00 (UTC/GMT)\r\nTags: #CapLoader #PureLogs #malware-traffic-analysis.net #PIPI\r\nShort URL: https://netresec.com/?b=256a8c4\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2025-06\u0026post=Detecting-PureLogs-traffic-with-CapLoader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2025-06\u0026post=Detecting-PureLogs-traffic-with-CapLoader"
	],
	"report_names": [
		"?page=Blog\u0026month=2025-06\u0026post=Detecting-PureLogs-traffic-with-CapLoader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434852,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d8425f882d087b0ba729be99df02de02a04b623.pdf",
		"text": "https://archive.orkl.eu/7d8425f882d087b0ba729be99df02de02a04b623.txt",
		"img": "https://archive.orkl.eu/7d8425f882d087b0ba729be99df02de02a04b623.jpg"
	}
}