The malware connects to a Command and Control (C2) server to upload stolen data via protocols like SMTP, FTP, or HTTP [3, 5]. Indicators of Compromise (IoCs) Filenames: Truffles.7z , Truffles.exe
Ensure your EDR (Endpoint Detection and Response) solution is configured to monitor for process hollowing and suspicious PowerShell execution [5].
Often creates entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure it restarts with the system [5]. Truffles.7z
Unusual outbound traffic to unknown IP addresses or unauthorized use of mail server ports (587, 465) [3, 6]. Mitigation and Security Recommendations
Educate staff to never open unexpected attachments that require a password provided in the body of the email [1, 4]. The malware connects to a Command and Control
Configure email security gateways to flag or quarantine password-protected .7z or .zip files from external sources [2, 4].
It is frequently associated with Agent Tesla , RedLine Stealer , or LokiBot [3, 5]. These programs aim to harvest credentials, browser history, and cryptocurrency wallet data [5, 6]. Unusual outbound traffic to unknown IP addresses or
A 7-Zip ( .7z ) compressed file, often encrypted to bypass automated security scanners and email gateways [2, 4].
