vxunderground | Unsorted

Telegram channel vxunderground - vx-underground

The largest collection of malware source, samples, and papers on the internet. Password: infected Website: https://www.vx-underground.org/ vx-underground Telegram chatroom link: https://t.me/+njfLzUrqos01ZWNh

vx-underground

a video demonstration of modern day windows security patches

vx-underground

BREAKING: We've just been informed this was stolen from nixcraft and given to us. Nixcraft, we're so sorry, please don't beat us up after school

vx-underground

malware means malicious software

it does not mean MyAnimeList software

vx-underground

Hello,

Just because you did 1 thing for me 1 time does not make you a core contributor, volunteer, or member. It does not mean you're my friend, it does not mean you can list me as a reference.

Wake up. Stop making this weird.

We've had like, 6 people now say they're part of vx-underground because they personally assisted me like, one time, 3 years ago.

It's called doing someone a favor. It doesn't mean you can put it on a resume.

Also, these companies do background checks, and when they contact me via e-mail, or Telegram, or Discord, and say "do you know this person?" and send me your resume and photo, it makes you look like a giant jackass when I have to say "I have no idea who that is".

-smelly

vx-underground

Updates to vx-underground:

*Note: Image of cat used per request. Not all requests are granted, but this is a wizard kitty.

Archive:
- The Old New Thing, July 2024
- The Old New Thing, August 2024

Papers:
- 2024-09-04 - Rundll32 and Phantom DLL lolbins, 32-bit version
- 2024-08-10 - Sneaking around with Web Assembly
- 2024-08-04 - WhenFS - Using Google Calendar as a Filesystem
- 2024-08-02 - Using Windows Setup for persistence
- 2024-07-01 - Booting Linux off of Google Drive
- 2024-06-11 - Lets Go into the rabbit hole part 2 - the challenges of dynamically hooking Golang programs
- 2023-10-03 - Lets Go into the rabbit hole - the challenges of dynamically hooking Golang programs

vx-underground

Today the United States Department of Justice indicted Russian nationals Elena Afanasyeva and Kostiantyn Kalashnikov for violations of the Foreign Agents Registration Act (FARA), and conspiracy to commit money laundering.

Afanasyeva and Kalashnikov remain at large as of September 4th.

Afanasyeva and Kalashnikov are accused of laundering money to covertly fund as much as $10,000,000 to English-speaking social media companies (listed as U.S. Company-1) to sway content in favor of the Russian government.

Interestingly, the indictment states the company which received the funds is described as, "a network of heterodox commentators that focus on Western political and cultural issues". Journalists and researchers have tied this to Tennessee-based company Tenet Media ... because ... it has the exact same message on their homepage verbatim.

This media company employs conservative media commentators Lauren Southern, Tim Pool, Tayler Hansen, Matt Christiansen, Dave Rubin, and Benny Johnson.

The indictment is interesting; it discusses the money laundering techniques, disinformation campaigns, and their chat communication medium ... on Discord.

Image 1 is U.S. Company-1 per the indictment. Image 2 is Tenet Media.

More information: https://www.justice.gov/opa/pr/two-rt-employees-indicted-covertly-funding-and-directing-us-company-published-thousands

vx-underground

We were made aware of the issue when AV companies contacted us regarding our VirusTotal account and the files being corrupted.

tl;dr my bad y'all (it's free, so fuck you, but seriously we're sorry, we're fixing it)

vx-underground

RansomHub ransomware group claims to have ransomed Planned Parenthood

vx-underground

pizza topping must be a valid email address

vx-underground

September 3rd, Lara Trump (daughter-in-law of former U.S. President Donald Trump) and Tiffany Trump (daughter of former U.S. President Donald Trump) had their X accounts compromised.

Their accounts briefly shilled some sort of crypto stuff. X locked the accounts within minutes.

vx-underground

Today reports surfaced on a cybersecurity incident impacting the London Transport Department.

We can assert with a high degree of confidence that this 'incident' is of extreme severity. The immediate presence of the NCA and NCSC drives this point further.

vx-underground

if you cringe you lose

vx-underground

Today we ingested 1,721,892 suspected malicious binaries.

Non-junk malware: less than 100,000, probably closer to 60,000

vx-underground

We've updated the vx-underground Windows malware paper collection. We have a lot more papers in queue.

Read them.

Papers:
- 2024-08-31 - Finding open file handles in PS
- 2024-08-30 - Evil MSI A story about vulnerabilities in MSI Files
- 2024-08-26 - DLL Sideloading with LicenseDiag.exe
- 2024-08-19 - DRMBIN - Prevent binaries from running on other machines
- 2024-08-15 - Offline SAM Editing
- 2024-08-14 - Tricks with Microsoft Word and Sandboxes
- 2024-08-13 - Abusing AV/EDR Exclusions to Evade Detections
- 2024-06-09 - Bypassing EDR NTDS.dit protection using BlueTeam tools

vx-underground

Oh, our website if you didn't know:

https://virus.exchange

vx-underground

Babyvx is currently compiling. However, the compiler is poorly optimized and the estimated time remaining is roughly 6.5 months.

vx-underground

got a new office chair

vx-underground

Dear 'gay4smellyvx'

Yes, we can see your friend request and user activity. We will allow you to continue using your Call of Duty account — you're a funny person.

vx-underground

No updates today. We're just gonna kick back, relax, and play some Elder Scrolls.

vx-underground

One time a high ranking official for the United States National Security Agency made a post on Twitter about memes.

We sent them a private message. They never responded.

This is the video we sent:

vx-underground

Improving the homelab today — decided to run some cables through the wall to be fancy.

vx-underground

We have performed a colossal oopsie doopsie.

Our malware ingestion system prepended 'file=' to every file being sent to VirusTotal, thus impacting AV vendors downstream. We sent vendors hundreds of thousands of botched malware samples.

vx-underground

pepperoni_is_ok_i_guess_im_not_picky@gmail

vx-underground

> compromise high profile social media accounts tied to powerful american political figures
> can do catastrophic damage
> shills crypto

vx-underground

Updates to vx-underground:

Papers:
- 2024-09-03 - Rundll32 and Phantom DLL lolbins
- 2024-08-17 - HookChain - A new perspective for Bypassing EDR Solutions
- 2024-08-11 - DriverJack
- 2024-08-11 - Blocking EDR drivers with HVCIDisallowedimage
- 2024-08-10 - ShimMe - Manipulating Shim and Office for Code Injection
- 2024-08-09 - Blocking EDR Drivers with WDAC policies
- 2024-08-08 - Abusing Windows Hello without a severed hand

Families:
- Android.BlankBot
- AteraAgent
- AtlantidaStealer
- Azorult
- BruteRatel
- CobaltStrike
- DCRat
- DonutLoader
- GCleaner
- Gh0stRAT
- GuLoader
- Lokibot
- LummaStealer
- Mirai
- Neshta
- NjRat
- Pony
- PureLogStealer
- RhadamanthysLoader
- Sliver
- Vidar
- XWorm
- ArcStealer
- AgentTesla
- Amadey
- Andromeda
- AsyncRAT
- AugustStealer
- CryptBot
- CyberGateRAT
- Danabot
- Formbook
- Latrodectus
- MicroClip
- Rakos
- Redline
- Remcos
- StealC
- XenoRAT

Note: someone said the artwork we use when pushing updates is scary, they requested we post something cute instead.

vx-underground

Saw XI: Internet Dweeb Edition:

Jigsaw voice: "Hello, internet pirate, want to play a game? One of these buttons is a real pirated version of Photoshop. The other three deliver Redline information stealer. Make your choice."

vx-underground

twitter algorithm 😂😂😂

vx-underground

Generally speaking, the ultimate goal of collecting malware is getting malware which offers intelligence in some capacity.

- Novel malware
- Stagers and/or chains (leading to malware)
- Active malware campaigns

There is a metric poop-ton of dead malware floating in cyberspace which offers nothing of value. Collecting it simply allows you to add (yet another) SHA256 entry in your DB of known-bad files. It will do (probably) nothing except alter system files and be annoying.

Ideally, you'd like malware you can extract C2 information from, tie to a malware campaign, study for making detection rules, or study to learn new malware development techniques.

Old and dead malware does nothing except take up space. But, some vendors like it just to check it off as 'lol this bad fr'.

As an example: our malware ingestion can take in millions upon millions of "padodor", "berbew", "qukart", "vilsel", "zegost", or "vbclone" samples. Most of these don't even work on modern Windows, drop like, 100+ copies of themselves, and can't connect to anything.

tl;dr it's dead

vx-underground

"why doesn't vxug prompt for cookies"

The only cookies present are for maintaining your session on vxug or vxdb. We don't track you, we don't collect data, we don't do ads, blah blah blah. It's just malware, ok, download it.

vx-underground

As a side note, because others have asked, we have no intention of implementing malware configuration extractors, gathering C2 information, etc. That is something more along the lines of Triage. That is much more exhaustive work.

https://tria.ge
