SHub Stealer PCAP Analysis: Finding C2 in Encrypted Traffic
Published: July 7, 2026
On 22 June 2026, malware-traffic-analysis.net published a capture of a Mac infected with SHub Stealer. Two weeks earlier I walked through the AMOS infection, which was an analyst’s gift: the whole C2 protocol ran over plain HTTP and we simply read it. This capture is the exact opposite. Every payload byte is wrapped in TLS 1.3, PcapAI’s encryption audit rates the traffic “Excellent — no plaintext detected” — and the same report scores Security Risk 100/100 with posture CRITICAL. Both verdicts are correct, and that is the whole point of this SHub Stealer PCAP analysis: when you cannot read a single payload byte, the infection is still written in the metadata — the names a host resolves, the direction its bytes travel, and the clock its connections keep. This is 2026-06-22-SHub-Stealer-infection-traffic.pcap read the way I would in an incident, entirely without decryption.
The capture at a glance: 100% encrypted, 100/100 risk
One victim: 10.6.22.216, an Apple endpoint (MAC fc:fc:48:59:43:87) sitting behind a Cisco gateway at 10.6.22.1, which also serves as its only DNS resolver. Across 14,874 packets and 9.2 minutes, the host moves about 15 MB — and 97% of the external bytes terminate behind Cloudflare (AS13335). Not one HTTP request in the clear, not one readable payload. The adversary rented the same CDN your legitimate SaaS uses, and the entire attack hides inside it.
Capture
9.2 minutes · 14,874 packets · 15.2 MB, 100% TLS. SHA-256 7c260b42…55d4dc8c.
The victim
10.6.22.216 (Apple) · gateway/resolver 10.6.22.1 (Cisco) · seven malicious FQDNs, all on Cloudflare.
PcapAI’s dashboard calls the incident before any human look at the packets: Security Risk 100/100 (Action Required), Network Issues 60/100 (Degraded), posture CRITICAL, with spearphishing-TLD hits mapped to MITRE T1566.002 and four encrypted-channel detections mapped to T1573.001:
The report’s risk dashboard: a CRITICAL posture built entirely from encrypted traffic — TLD reputation, payload entropy, and flow correlation, no decryption involved.
Before walking the packets, here is the whole incident on one clock — every timestamp below comes straight from the capture:
t+0.0s DNS just4software.pro the lure site (.pro, France)
t+36.1s DNS newcdn5.host06q.cfd payload host on a .cfd domain
t+39.1s TLS generatee4026c.host06q.cfd stealer backend, 3 sessions
t+43.1s TLS sharee4026c.host06q.cfd stealer backend, 1 session
t+43.9s DNS beta6.fastlinkpulse.click one-shot redirect hop
t+44.9s DNS lan31.swiftlinktap.click one-shot redirect hop
t+45.8s TLS i2seperefiles.com 12 MB arrives (yes, arrives)
t+138.1s DNS 8790tn5c190y51v7n2.com new C2, paired with api.ipify.org
t+236.4s TLS 8790tn5c190y51v7n2.com 2.2 MB leaves in 10.8 seconds
t+250s.. -- beacon every ~61 seconds until the capture ends
t+0s — the lure is a software blog with a .pro domain
The very first frame of the capture is the story in miniature: a DNS query for just4software.pro. The name answers to 82.25.113.147, a French-hosted server 149 ms away, and over the next 73 seconds the Mac pulls about 104 kB from it over TLS 1.3. The supporting cast gives the page away as an ordinary-looking freeware blog: stats.wp.com and s.w.org (a WordPress build), even a l.facebook.com widget. Someone went looking for “free software” and found a page dressed for the part.
Packet #1 of the capture is already the lure: the just4software.pro lookup, then a TLS session whose SNI names the site in cleartext — encryption hides the page, not the destination.
This is the delivery stage — T1566.002, Phishing: Spearphishing Link in MITRE terms: a link that leads a human to a page that hands them malware. PcapAI scores the TLD itself: .pro rates a medium, and the .cfd domain about to appear rates critical — cheap, disposable TLDs are themselves an indicator, because legitimate software vendors almost never live there. For 36 seconds nothing else happens. That gap is a person: reading the page, finding the download button.
t+36s — the .cfd chain: encrypted C2 behind Cloudflare
At t+36.1s the Mac asks for newcdn5.host06q.cfd — and macOS asks twice, an A query and an HTTPS (type 65) query in the same microsecond, a detail that will matter later when the report grades DNS health. The first usable A record takes 3.1 seconds and several retries to arrive; the answer is a Cloudflare pair, 104.21.79.198 and 172.67.147.208. Then the subdomains start narrating the operation the way the AMOS stage beacons did, just in the names instead of the URLs: generatee4026c.host06q.cfd and sharee4026c.host06q.cfd — generate and share, two API verbs wearing hostnames, both carrying the same 4026c token that reads like a campaign ID.
Four TLS sessions go up to that pair of IPs between t+39s and t+43s; one of them stays open for 245 seconds. This is what PcapAI’s four T1573.001 (Encrypted Channel: Symmetric Cryptography) detections point at — post-handshake payloads measuring entropy 7.66–7.73, effectively random bytes, which is exactly what an encrypted C2 channel looks like from the outside. Two more domains flash by and are never touched again — beta6.fastlinkpulse.click and lan31.swiftlinktap.click, single-visit redirect hops with names generated by the pound. Every one of these hosts resolves to Cloudflare edge space. The infrastructure has no face: no hosting provider to complain to that is not also fronting a million legitimate sites.
t+46s — twelve megabytes, and the direction test
At t+45.8s the biggest flow of the capture opens: i2seperefiles.com — a name cosplaying as a file-sharing service — on yet another Cloudflare IP, 104.21.5.95. The connection lives 479 seconds and carries 12 MB, and the report’s executive summary calls it “unauthorized transfer of 12 MB of data to 104.21.5.95… active exfiltration.” The report also — to its credit — files an explicit indicator telling you to verify what actually moved. So verify: open Statistics → Conversations, look at the per-direction columns.
Wireshark → Statistics → Conversations (TCP)
endpoint A endpoint B A→B B→A duration
10.6.22.216:64061 ↔ 104.21.5.95:443 232 kB 12 MB 479.3 s
10.6.22.216:49162 ↔ 104.21.35.23:443 2,246 kB 70 kB 10.8 s
The 12 MB moved toward the Mac — 12 MB down, 232 kB up. That flow is not loot leaving; it is delivery — the disk image, a second stage, whatever the download button was serving. The capture cannot name the file, but it can prove which way the bytes went, and direction is the difference between “we lost 12 MB of data” and “12 MB of malware arrived.” The row below it is the real theft, and we will get there at t+236s.
The download itself is violent. The report’s burst analysis puts 12.8 MB inside one window around t+40s — roughly 30× the capture’s average rate — and 3,140 of the flow’s 3,141 retransmissions land inside a single second and a half (t+46.8 to t+48.3), a 31.13% retransmission rate overall with 666 duplicate ACKs. While that firehose ran, the Mac started zero-windowing its other connections — stats.wp.com, itunes.apple.com, Apple’s safe-browsing token service — eight zero-window events of a host too busy being infected to answer its own OS telemetry. That is the entire Network Issues 60/100 score: one malicious flow, seen from the performance side.
t+138s — a domain only a machine could love
Ninety seconds of quiet, then the second act. At t+138.1s the host resolves 8790tn5c190y51v7n2.com — eighteen characters of keyboard noise, the kind of name no marketing department ever approved. Two frames later it asks api.ipify.org “what is my public IP?” — a legitimate free service, beloved of stealers, and a textbook T1016.001 (Internet Connection Discovery): the implant geolocating its new victim. A 77 kB pull from the new domain follows, sized like a config or a small module.
There is a quieter tell in the port numbers. The browsing session — lure site, WordPress assets, Apple services — walks the ephemeral range from 64043 upward all capture long. The connections to 8790tn….com and api.ipify.org start fresh at exactly 49152 — the bottom of the IANA ephemeral range — and count up on their own. Two port sequences, interleaved in time: what it reads as is two different programs on one machine, the browser that started this and the implant it installed.
t+236s — the actual exfiltration takes eleven seconds
Between t+228s and t+250s the implant opens seven quick sessions to 8790tn5c190y51v7n2.com. Six are small. The seventh, at t+236.4s, pushes 2,246 kB from the Mac to the server in 10.8 seconds — the direction column leaves no doubt this time. That is the harvest leaving: on a stealer infection, an upload this size is the browser-credential store, cookies, session tokens, wallet files, whatever the collection modules bagged. TLS hides the manifest — unlike the AMOS capture, we cannot read the file names — but a corporate endpoint pushing two megabytes to an eighteen-character domain minted behind Cloudflare is not a software update.
In ATT&CK terms this is T1041, Exfiltration Over C2 Channel: the loot rides the same encrypted pipe the tasking uses. Note the economics of the whole exchange — 12 MB in, 2.2 MB out, eleven seconds of theft inside a nine-minute capture. If your detection strategy waits for gigabytes to move before it cares, this incident never trips it.
The 61-second heartbeat that outlives the capture
From t+250s to the last frame, the implant settles into a rhythm: an api.ipify.org check, then a call home, every 60.7–60.9 seconds — set the Wireshark time column to deltas and the grid is impossible to miss:
t+310.6s api.ipify.org t+310.8s 8790tn5c190y51v7n2.com
t+371.3s api.ipify.org t+371.5s 8790tn5c190y51v7n2.com +60.7s
t+432.0s api.ipify.org t+432.2s 8790tn5c190y51v7n2.com +60.7s
t+492.8s api.ipify.org t+493.0s 8790tn5c190y51v7n2.com +60.8s
t+553.6s api.ipify.org t+553.9s 8790tn5c190y51v7n2.com +60.9s
capture ends at t+554.3s
Machine-regular, unattended, still checking its own IP before every call — C2 over web protocols (T1071.001) with a one-minute leash. The final beacon fires 0.4 seconds before the capture stops. The pcap ends; the infection does not. Whatever host this was, at t+555 it was still owned.
Where the report is right — and where the packets sharpen it
Automated analysis earns trust on the ambiguous calls, so here is the honest ledger. The big things PcapAI gets right with no human help: the kill chain (confirmed correlation from T1566.002 phishing delivery to T1573.001 encrypted C2 — exactly what the wire shows), the TLD detections, the entropy channels, and the only advice that matters in the first hour: isolate 10.6.22.216 now. Three findings deserve an analyst’s pencil:
The 12 MB “exfiltration” is a delivery. The summary labels the i2seperefiles.com elephant flow as data leaving; the conversation table says 12 MB came in and the true exfil is the 2.2 MB burst at t+236s. The report half-knows this — it files an explicit “verify what moved” indicator, and that check takes one click. The verdict does not change; your incident paperwork does. What left the building is ~2.2 MB of credentials, not 12 MB of files.
“Custom C2 protocol” overstates the weirdness. The structural-anomaly note describes the tunnels as lacking standard TLS handshakes; in Wireshark they parse as well-formed TLS 1.3 — Client Hello, Server Hello, the works. The entropy detection is doing its real job (post-handshake bytes are opaque and random), but what convicts these flows is everything around them: throwaway TLDs, API-verb subdomains, the cadence, the direction. Encrypted C2 mostly looks like correct TLS to the wrong people.
Do not firewall the C2 IPs and call it done. Blocking 104.21.79.198 or 172.67.147.208 means blocking Cloudflare anycast edges shared with legitimate sites — collateral today, useless tomorrow when the domain re-resolves elsewhere. The durable control is the report’s own long-term recommendation: enforce at the DNS layer — sinkhole the five domains, and policy-block the .cfd/.click TLDs if your business does not need them. (Same pencil for the DNS health “Critical” grade: the 0.72 query/response ratio is mostly macOS sending A + HTTPS type-65 query pairs that the resolver half-answers, plus a .cfd authoritative that took 3.1 seconds to cough up an A record. Real signal, wrong villain.)
The report’s security verdict and mitigation list — including the “investigate the 12 MB flow” indicator that, once followed, flips exfiltration into delivery.
The verdict and the runbook
Assembled in order: a fake-software lure on a disposable TLD, a payload delivered from a file-host lookalike, encrypted C2 with API-verb hostnames, an IP check, a 2.2 MB upload, and a one-minute heartbeat still alive at the last frame — a complete stealer kill chain reconstructed without decrypting one byte. PcapAI’s executive summary compresses it into the paragraph you paste into the ticket:
The executive summary: confirmed phishing-to-C2 chain, quarantine and TLD-blocking recommendations, credential reset. One line in it — the 12 MB direction — is the line this post sharpened.
As a runbook: isolate 10.6.22.216 first. Sinkhole all five domains — host06q.cfd (with subdomains), fastlinkpulse.click, swiftlinktap.click, i2seperefiles.com, 8790tn5c190y51v7n2.com — and add TLD policy for .cfd/.click. Then assume the 2.2 MB that left at t+247s was everything a stealer reaches: rotate browser-saved passwords, kill active web sessions (the cookies are gone), move crypto wallets, revoke local API tokens. Image the host before wiping it. Finally, hunt the fleet for the same shape — the SNI list and the 61-second cadence — because lures are rarely visited by exactly one person.
Indicators of compromise
From this public sample — treat as historical, the Cloudflare IPs especially will rotate and are shared infrastructure:
| Indicator | Type | Notes |
|---|---|---|
| 10.6.22.216 | Victim host | Apple, MAC fc:fc:48:59:43:87 · resolver/gateway 10.6.22.1 (Cisco) |
| just4software.pro | Lure site | 82.25.113.147 (FR) · WordPress-built · first packet of the capture |
| newcdn5 / generatee4026c / sharee4026c .host06q.cfd | Payload + C2 | 104.21.79.198, 172.67.147.208 (Cloudflare) · entropy 7.66–7.73 · T1573.001 |
| beta6.fastlinkpulse.click · lan31.swiftlinktap.click | Redirect hops | 104.21.3.153 / 104.21.4.123 · one visit each · T1566.002 |
| i2seperefiles.com | Payload delivery | 104.21.5.95 · 12 MB inbound at t+46s · 31.13% retransmission |
| 8790tn5c190y51v7n2.com | C2 / exfil server | 104.21.35.23, 172.67.211.159 · 2.2 MB upload at t+236s · 61s beacon · T1041 |
| api.ipify.org | Abused service | Legitimate IP-echo API · 8 calls, one before each beacon · T1016.001 |
| 7c260b42…55d4dc8c | SHA-256 | Source PCAP |
Hunt the same shape in your own PCAPs
None of these exact domains will appear in your traffic. The shape will. Everything in this post came from four questions you can ask any capture, encrypted or not — and the first one is a single tshark line:
tshark -r capture.pcap -Y 'tls.handshake.type == 1' \
-T fields -e frame.time_relative -e ip.dst -e tls.handshake.extensions_server_name
39.167 104.21.79.198 generatee4026c.host06q.cfd
43.197 104.21.79.198 sharee4026c.host06q.cfd
45.796 104.21.5.95 i2seperefiles.com
138.137 104.21.35.23 8790tn5c190y51v7n2.com
- Read every SNI in the capture. TLS encrypts pages, not destinations. Sort the list and eyeball TLDs (
.cfd,.click,.top…) and label shapes — an 18-character alphanumeric domain is its own confession. - Check direction before you say “exfiltration.” Statistics → Conversations, per-direction byte columns. Big inbound = delivery; sustained or bursty outbound to a young domain = theft.
- Treat IP-echo services as a tripwire.
api.ipify.organd friends from a corporate endpoint, on a timer, is malware asking where it woke up. - Look for a metronome. Fixed-interval connections to one destination — here 60.7–60.9s for five straight cycles — do not happen by accident. Humans are never that punctual.
Manual (Wireshark + tshark)
Extract and triage every SNI, cross-check DNS, sort conversations by direction, measure beacon deltas by hand, then map findings to ATT&CK. Doing this honestly took the better part of 1–2 hours.
PcapAI
The same capture returns a scored, MITRE-mapped report — TLD hits, entropy channels, burst correlation, kill chain — in under 2 minutes, leaving the analyst the two judgment calls above.
*Based on this 16 MB, 14,874-packet capture.
Frequently Asked Questions
What is SHub Stealer?
An infostealer distributed through fake-software lure pages, captured in the 22 June 2026 malware-traffic-analysis.net exercise infecting a macOS host. On the wire it behaves like the current stealer generation: TLS-only C2 behind Cloudflare, staged payload delivery, a single loot upload, and a fixed-interval beacon. The family name comes from the exercise artifacts; the network behavior is what this post documents.
Can you detect malware C2 in encrypted traffic without decrypting it?
Yes. TLS hides payloads, not behavior. DNS queries, the SNI in every Client Hello, per-direction byte counts, session timing, and payload entropy are all visible in a PCAP. In this capture those five signals alone reconstruct the full kill chain — lure, delivery, C2, exfiltration, beaconing — with zero decryption.
How do you tell a download from data exfiltration in a PCAP?
Open Statistics → Conversations in Wireshark and read the per-direction byte columns. Here the “12 MB exfiltration” flow was 12 MB inbound (payload delivery) against 232 kB out, while the real theft was 2.2 MB outbound in 10.8 seconds to a different host. Direction is one click and changes the entire incident narrative.
Why not just block the C2 IP addresses?
Because every malicious host in this capture resolves to Cloudflare anycast space — addresses shared with countless legitimate sites and reassigned constantly. An IP block causes collateral damage today and does nothing tomorrow. Enforce at the DNS layer instead: sinkhole the domains, alert on the subdomain patterns, and policy-block disposable TLDs like .cfd and .click if the business does not use them.
What does C2 beaconing look like in Wireshark?
A destination that receives connections at machine-regular intervals. Filter to outbound SYNs, set the time column to “seconds since previous displayed packet,” and look for a repeating delta — this implant called home every 60.7–60.9 seconds for five straight cycles, each call preceded by an api.ipify.org lookup. An IO graph of connections per minute shows the same picture as evenly spaced spikes.
Real-world detections
Is Your Encrypted Traffic Actually Clean?
Upload a PCAP and get a MITRE-mapped forensic PDF in minutes — suspicious SNI and TLDs, encrypted-channel entropy, beacon cadence, and exfiltration flows flagged without decrypting a byte.