14367
The largest collection of malware source, samples, and papers on the internet. Password: infected Website: https://www.vx-underground.org/ vx-underground Telegram chatroom link: https://t.me/+njfLzUrqos01ZWNh
Today Mark Zuckerberg announced the introduction of some fairly large changes to Facebook, Instagram, and Threads.
First and foremost, Mr. Zuckerberg is dressing strange and it is confusing.
Secondly, and most importantly: Mr. Zuckerberg said Meta (Facebook, Instagram, and Threads) will now make free speech a priority. They're "dialing back" content moderation systems for a majority of posts and media. They'll be removing "fact checkers" from their platform. Moving forward the websites owned under Meta will have Community Notes — acting the same as X currently does. Mr. Zuckerberg also expressed concern with bias (internally or externally) and announced employees will be relocating to Texas. Mr. Zuckerberg states he believes Texas to be non-biased and more open to free speech.
We believe this poses a significant problem because X in of itself runs rampant with misinformation and/or disinformation campaigns from not only conspiracy theorists, but state-sponsored Threat Actors. We cannot comment on the validity and/or bias of the fact-checking system under the Meta brand (we don't use any of their social media platforms), but we believe relying on community notes and user feedback reports can be difficult to work with and are often insufficient.
Or maybe it doesn't matter and we should let people do whatever they want and let them think critically for themselves
Hello,
We're now experimenting with the vx-underground talk show.
The show format is anyone can hop in and ask questions, make comments, or just say "Hello". Additionally, we have have featured guests that we will be speaking with.
In the following weeks we will have the following guests:
- TorGuard - Tor(rent)Guard, massive VPN provider that is competitors with vendors like NordVPN and Mullvad. They have massive infrastructure all across the globe. Their CEO will be there to speak about VPN technologies, VPN companies, potential Threat Actor-like behavior from VPNs, and more.
- HackingDave - CEO of TrustedSec, world famous hacker dude man person who appears on media outlets, has been involved in cybersecurity longer than most of you have been alive. He is a bit of lunatic for lifting up heavy stuff. He also owns, or co-founded, BinaryDefense and also a gym somewhere on Ohio.
- Gootloader - World leading expert on Gootloader botnet and initial access group. Gootloader has been following Gootloader for years, tracking, documenting, and reverse engineering their malware. He has established ties with them to several large scale ransomware groups.
- _MG_ - The one and only MG, the creator of the (in)famous OMG cable, a physical hacking tool developed for pentesters which, interestingly, is banned in several countries. His tools are sold on Hak5. He is a hardcore hardware hacker person guy thing
- RachelTobac - CEO of SocialProofSecurity, massive company which provides security training and security awareness to companies across the globe. Rachel has been on CNN, and other large media outlets, in the past for demonstrating how basic social engineering techniques can compromise large vendors. She also works closely with CISA on stuff, somewhere.
Shoutout to the homies at "IObit Malware Fighter".
Their IMFForceDelete driver is so wildly vulnerable, and poorly written, you can have their driver arbitrarily delete any file on the machine with 0 privileges and literally 1 line of code
Thanks _mmpte_software for sharing
In 2025 thus far we have lost 2 sponsors — potentially 3 sponsors.
Chat, we are cooked
> go to computer store
> computer store guy recommends norton antivirus
> tell him no thank you
> says viruses and malware is dangerous
> tell him i want the malware
his reaction
New papers added:
- 2024-11-21 - New AMSI Bypss Technique Modifying CLRDLL in Memory
- 2024-11-22 - How To Use MSSQL CLR Assembly To Bypass EDR
- 2008-08-06 - Branchless Equivalents of Simple Functions
- 2024-06-28 - An unexpected journey into Microsoft Defender's signature world
- 2024-11-14 - ETW Forensics - Why use Event Tracing for Windows over EventLog
- 2024-12-19 - The Windows Registry Adventure 5 - The regf file format
- 2024-12-24 - Constructing a Win32 Control Handler in MASM
- 2024-12-19 - Process Injection Mapped Sections
- 2024-12-13 - Disabling EDRs by File Rename Junctions
- 2024-12-20 - Weaponizing WDAC Killing the Dreams of EDR
We've had a few people contact us with something along the lines of, "CISA uses your website! They did a training course and the password to the malware was infected!"
We did not set the standard of the 'infected' password. We made it more mainstream due to our follower base, but we didn't set that standard or have anything to do with it's creation.
It's been the standard for malware related stuff for over 100 years (made up number, no idea). We don't even remember how we learned the password. It's just been like that for as long as we remember.
per 404media — most of the southern part of the United States has been banned by PornHub (and associated companies e.g. Brazzers, RedTube, YouPorn, Reality Kings, etc) due to new legislation which requires age verification.
PornHub and associates assert it will be difficult to comply with new legislation and, to avoid legal liability, have opted to simply ban and/or block some portions of the United States from their websites.
As a result of these new age verification laws, what will happen?
A. People say, "wow, pornography is not cool anyway" and stop watching pornography
B. People begin purchasing VPNs (if they can afford it) to bypass geographical bans OR if unable to afford a VPN, people begin going to more shady and less-safe websites to watch pornography
C. Law makers in the southern part of the United States have a sudden change of heart and reverse recent legislation
D. Pornography vendors have a change of heart and decide to review thousands, possibly hundreds of thousands, of United States citizens PII (and pinky promise to not sell it), and put a target on their back from Threat Actors
This year we're starting off strong.
First and foremost, we've got some new sponsors. Our friends over at Binary_Defense and TrustedSec have helped us out tremendously lately. We'd especially like to thank HackingDave for helping the little nerds out and keeping malware cool and badass (and free) forever and ever. We'll be listing them on the website later.
Next up: we're working with our friends at TorGuard VPN to expand our infrastructure. They have a lot (and quite honestly, a disturbing) amount of computational resources. We will be working with them for 2 things.
1. Wide spread cat picture aggregation.
2. Wide spread malware ingestion
Next, next, on the other side of the autism spectrum: our in-house software engineer guessthepw is working on constructing a kitty cat photo database. All cats ingested will be available to browse, download, whatever.
People have asked: "smelly smellington, what's your end game with these cats?". The answer is very shrimple: no idea, thought of it while using the restroom.
Let's see where this whacky adventure takes us. Maybe in a few years it'll be bigger than vx-underground and we can use it to fuel our malware addiction. Or, alternatively, nothing will happen and the project will be dead in a year. Let's see what happens! Sometimes in life you gotta do just a thing, see if it fails, or succeeds, or what happens.
We've got lots of work to do in 2025.
Finally, as is tradition, we've got more malware to add, more malware papers to add, lots and lots of stuff. Very cool.
Thanks,
- smelly smellington
We've never personally encountered an active United States military personnel doing something like this.
It is difficult to assess if they'll go to trial as a civilian or as a soldier (United States military court) or both (which is possible, a rare double whammy)
Threat Actor using advanced evasion techniques (if he can't see you, you can't see him).
Читать полностью…
Every single time a Threat Actor compromises a large Twitter account they drop the ball.
Best usage we've seen thus far has been "North Korea is Best Korea" (a silly message), followed by goofy crypto-drainers.
tl;dr 1 shot, 1 opportunity, doesn't seize the moment, slips
We've updated the malware family collection.
Updates:
- Xworm
- AkiraRansomware
- Android.AndroRAT
- Android.Joker
- Azorult
- BruteRatel
- BumbleBeeLoader
- CrytoxRansomware
- Prometei
- PureStealer
- Rekoobe
- Remcos
- RhadamanthysLoader
- StampadoRansomware
- StealC
- SunSpinner
- DarkComet
- DCRat
- Emotet
- Furtim
- GhostPulse
- LummaStealer
- MacOS.Keydnap
- Mirai
- Multigrain
- Orcus
- PetyaRansomware
- PLAYRansomware
- PoisonIvy
"why are you guys collecting cats?"
The truth is: from discussing, reviewing, reversing, and writing about malware every single day for 6 years, we are deep fried.
It is either we collect cats, alongside malware, or alternatively we fall into a malware induced psychosis
Hello,
1. Kitty cat archive is scheduled to go live soon-ish. Several million kitty cats are good to go
2. We have 241 malware reverse engineering papers in queue to be pushed to vx-underground prod.
We're so back 🙏
But in all seriousness, this is cooked. Also, driver is signed. Throw in the pile of crappy poo poo pee pee drivers
https://gist.github.com/alfarom256/f1342f14dc6a742de7ea4004a1b6d7ed
That equates to roughly $3,900 of monthly revenue.
Chat, we are absolutely cooked
New paper additions:
- 2024-07-31 - LayeredSyscall - Abusing VEH to Bypass EDRs
- 2024-03-31 - Syscalls via Vectored Exception Handling
- 2022-02-03 - RecycledGate - Indirect Syscalls
- 2016-11-04 - Windows 10 Hooking Nirvana explained
Mikko Hyppönen, Chief Research Officer of FSecure, confirms his first known siting of the password being 'infected' was March 1st, 2001.
Please note the other password was 'hot4u'. In an alternate universe the password to malware is hot4u.
Uploading 23,023 malwares.
Unfortunately, the malware was supposed to go live yesterday but someone pushed the malware to the wrong place in prod. The issue is being corrected.
New papers going live once this issue is resolved.
The malware oopsie-doopsie paradox
The more evasive techniques introduced into your payload, the more likely it be detected
The less evasive techniques introduced into your payload, the more likely it be detected
One thing noobie scoobies don't seem to understand is that malware is literally just software. Understandably, that seems kind of obvious, it's in the name — 'malicious software'. But it seems less obvious to some that, in order to write malware, you apply the exact same principles, techniques, and structures that legitimate software uses.
Malware is regular ol' programming with some sprinkles of weird stuff. These weird things are documented and shared. Some try to find new weird things.
When people ask what language is best for malware... it's kind of like asking 'what's the best ice cream flavor?'. It's entirely subjective. Everyone will tell you something different. You'll notice a lot of people will prefer Chocolate or Vanilla, you may encounter some who like Raspberry Banana Sprinkle Jam-Blam Blast, or Minty Schminty SpongeBob Sticks Bombs, but at the end of the day it's all still ice cream.
In it's most simple form, all malware techniques are things legitimate software may do.
Ransomware?
- Step 1. Enumerate files in a directory
- Step 2. Lock and encrypt files
Information Stealers?
- Step 1. Enumerate files in a directory
- Step 2. Upload files somewhere
RATs?
- Step 1. Make program run at start
- Step 2. Execute commands (cmd, powershell, other programs)
- Step 3. Upload files somewhere
Loaders?
- Step 1. Download file from somewhere
- Step 2. Run file
Everything the malware does is just an expansion of what is explained above.
Want to find new malware techniques? Find new ways to execute a process, find new ways to enumerate files in a directory, file new ways to upload files somewhere, find new ways to download files from somewhere, find new ways to write to files or delete files, etc.
How do you do this? Read. Read everything. Blogs, Windows documentation, StackOverflow, Wikipedia, our website. Look at every DLL you find on your computer in Ida or Ghidra, just open stuff and look around. Look at other peoples work and see if you can expand on it and find something new.
tl;dr learn to code, then learn weird stuff
Congratulations to everyone who survived 2024.
2025 is double elimination round.
Happy New Year
In celebration of the 2025, you will all be given one (1) limited edition kitty cat.
Cheers,
A 20 year old United States soldier worked with Threat Actors and, following the arrest of his associates, threatened to leak telephone logs from Kamala Harris and Donald Trump.
This was a very, very, very bad decision.
https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizon-extortions/
We are in the process of deploying 150,000 new malware samples.
This should have occurred earlier. However, a Threat Actor conducted a sophisticated cyberattack and compromised our infrastructure (my puppy decided to chew on the cables connecting to my local backup NAS).
Hi
We've updated the VirusSign collection.
- VirusSign.2024.12.04
- VirusSign.2024.12.05
- VirusSign.2024.12.06
- VirusSign.2024.12.07
- VirusSign.2024.12.08
- VirusSign.2024.12.09
- VirusSign.2024.12.10
- VirusSign.2024.12.11
- VirusSign.2024.12.12
- VirusSign.2024.12.13
- VirusSign.2024.12.14
- VirusSign.2024.12.15
- VirusSign.2024.12.16
- VirusSign.2024.12.17
- VirusSign.2024.12.18
- VirusSign.2024.12.19
- VirusSign.2024.12.20
- VirusSign.2024.12.21
- VirusSign.2024.12.22
- VirusSign.2024.12.23
- VirusSign.2024.12.24
- VirusSign.2024.12.25
- VirusSign.2024.12.26
- VirusSign.2024.12.27
Approx. 70,000 malicious binaries
Good morning, afternoon, or evening,
We have completed our re-organization of the Windows malware papers (per the request of many). We have introduced more precise sections.
In the future these sections may expand or contract — papers may move. ¯\_(ツ)_/¯
Our Telegram userbase missed the message earlier.
We have historically enjoyed posting photos of cats. They're pretty cool. We came up with this idea of doing mass aggregation of cat photos. We are aiming to make a cat photo exchange (???). No idea why. There is no objective with it. It is quite literally mass-scale cat photo aggregation and displaying it on social media.
Each cat will be hashed to remove duplicates.
tl;dr largest collection of cat photos on the internet