vxunderground | Unsorted

Telegram channel vxunderground - vx-underground


The largest collection of malware source, samples, and papers on the internet. Password: infected Website: https://www.vx-underground.org/ vx-underground Telegram chatroom link: https://t.me/+njfLzUrqos01ZWNh


vx-underground

The most powerful tools in a hacker's arsenal? Visual Studio Code, Kali Linux (the quieter you are, the louder your farts), and YouTube premium


vx-underground

Thank you to our friends at VirusTotal for the cool and badass t-shirts and stickers


vx-underground

🚨FIRST ALERT: BREAKING 🚨

THE GIFT SHOP IS SELLING BREWSTER LOVE BIRD GROOM ORNAMENTS FOR $37


vx-underground

In the 2nd image the hyperlink is purple because we clicked the link. We need to learn how to get FREE vBucks.


vx-underground

Other things we dislike:

1. Us missing messages or notifications and people taking it personally. They act like we're avoiding them, or something

2. Conspiracy theorists piecing together our posts — thinking we're the illuminati

3. People rude as hell for zero reason


vx-underground

Good morning, or evening.

After months, we're finally releasing the Dispossessor ransomware leaks. They're now available to download.

Please exercise extreme caution. This archive contains ransomware payloads.

https://vx-underground.org/Archive/Dispossessor%20Leaks


vx-underground

A few weeks (or months) ago we made some posts about having some more ransomware leaks. We have internal insights, tooling, etc. on Dispossessor ransomware group.

We forgot to make it public. Thankfully, someone left a condescending remark on one of our posts and reminded us.


vx-underground

Malware delivery idea:

>Account 1 makes inaccurate post on X
>Account 2 leaves community note
>Have X bots upvote community note so it's visible
>Community note cites malicious site
>Site determines OS, if Windows, drop malicious file
>Other platform shows legit information

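The last step of the idea above (serve a payload only when the visitor looks like Windows, a legitimate page to everyone else) is the part a defender can test for. The following is an added example, not code from the post or from vx-underground: it requests the same URL with a Windows, macOS and Linux User-Agent, fingerprints each response (status, content type, whether it is served as an attachment, body hash) and flags the URL as cloaked when the Windows response differs from every other one. The User-Agent strings, `fake_fetch` and its responses are constructed for the demo; `http_fetch` is the real client you would pass in from an isolated analysis host, since it pulls the response body into memory.

```python
import hashlib
import urllib.request

# Constructed User-Agent strings standing in for a Windows, macOS and Linux browser (assumptions).
USER_AGENTS = {
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "macos": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0) AppleWebKit/605.1.15 Version/16.0 Safari/605.1.15",
    "linux": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
}


def fingerprint(status, headers, body):
    """Reduce one HTTP response to the fields that change when a server swaps page for payload."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "status": status,
        "content_type": h.get("content-type", "").split(";")[0].strip().lower(),
        "attachment": h.get("content-disposition", "").lower().startswith("attachment"),
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }


def check_os_cloaking(fetch, url, agents=USER_AGENTS):
    """fetch(url, user_agent) -> (status, headers, body). Flags 'cloaked' when the Windows
    response differs from every non-Windows response; reports whether Windows got a download."""
    prints = {name: fingerprint(*fetch(url, ua)) for name, ua in agents.items()}
    win = prints["windows"]
    others = [p for name, p in prints.items() if name != "windows"]
    cloaked = bool(others) and all(p != win for p in others)
    windows_is_download = win["attachment"] or win["content_type"] == "application/octet-stream"
    return {"cloaked": cloaked, "windows_is_download": windows_is_download, "fingerprints": prints}


def http_fetch(url, user_agent, timeout=10):
    """Real fetch for use on an isolated host: the body may be the payload itself."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent}, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, dict(resp.headers), resp.read()


def fake_fetch(url, user_agent):
    """Constructed stand-in for the server in the post: a download for Windows, a page for everyone else."""
    if "Windows NT" in user_agent:
        headers = {"Content-Type": "application/octet-stream",
                   "Content-Disposition": 'attachment; filename="update.exe"'}
        return 200, headers, b"MZ\x90\x00constructed-sample-not-a-real-binary"
    return 200, {"Content-Type": "text/html; charset=utf-8"}, b"<html><body>legit information</body></html>"


if __name__ == "__main__":
    result = check_os_cloaking(fake_fetch, "https://example.invalid/cited-by-note")
    print("cloaked:", result["cloaked"], "windows got a download:", result["windows_is_download"])
```

The check only catches server-side cloaking keyed on the User-Agent header. A site that decides in JavaScript (for example from `navigator.platform`) or keys on client IP, referrer or a prior visit will look identical across all three fetches, so a clean result here is not proof that the link is safe; a differing result is, however, a strong signal on its own.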

vx-underground

We're festive (extra festive)


vx-underground

Note: "Mr. Moucka was identified by law enforcement by his Apple iCloud account. The Apple iCloud account was linked to his Discord account. Additionally, the Apple iCloud account was tied to his cryptocurrency wallets."

We have lost count of the number of times people have been identified from Discord and Apple products. If you're committing crime, don't use Discord or Apple products. They will cooperate with law enforcement agencies.


vx-underground

Andrew Tate has publicly commented on the compromise of The Real World (Hustlers University).

He asserts the compromise was a result of the Threat Actor(s) paying for membership and simply scraping the site.

His response minimizes the compromise and concludes with him stating he is wealthy.

Based on the data we've seen, he is indeed fairly wealthy if each individual on the website purchased membership. However, his response does not account for the email addresses exfiltrated as a result of the compromise and the database fields visible.


vx-underground

Hi,

We're aware of the stuff that happened today. We see your messages (and cat pictures). Tomorrow we'll review the stuff on the alleged* Ticketmaster hacker and the new information released on him. We'll review the Spotify stuff too.

Love you,
- smelly


vx-underground

Listening to James Elliott from MSTIC discuss the "Triple Threat" of North Korean IT workers a/k/a Ruby Sleet via CYBERWARCON.

We've learned a lot about their methods of applying for jobs, their templates and portfolios, how they use AI for faking images, etc. Included in this is how North Korea pays United States citizens to receive laptops for them, keeping them plugged in and alive — the "laptop farms".

In August, 2024, the United States Federal Bureau of Investigation took down a North Korean "laptop farm" for their IT workers which housed over 800 proxies.

tl;dr if you're new to information security (or IT in general) and say you can't get a job, you're doing something wrong.

tl;dr tl;dr the north koreans took your job


vx-underground

Today at CYBERWARCON we watched arguably one of the most interesting talks we've seen in a while.

Steven Adair gave a nearly 1 hour presentation regarding APT28's "Nearest Neighbor Attack". In summary, because it was a long and wild story, APT28 successfully compromised one of their clients by compromising a company across the street from the client.

APT28, presumably unable to compromise their target, compromised a company across the street from the target. Then, using a combination of attacks including a 0day exploit, moved laterally across the street pivoting from WiFi. Yes, APT28 daisy chained their way to the target by WiFi. Subsequent to the compromise they primarily lived off the land and covered their tracks using cipher.exe.

Volexity has released the paper on the talk. However, the paper does not truly do justice to the attack and does not truly emphasize the complexity of the attack. If you ever have a chance, watch the video.

Paper: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/

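The anti-forensics step mentioned above is the one a detection engineer can act on: `cipher.exe /w:<dir>` is a built-in Windows tool that overwrites free space on a volume, which destroys the residue of deleted files an investigator would otherwise carve. The following is an added example, not code from the post or from Volexity's report. It parses constructed process-creation events (a simplified `Image=...|CommandLine=...|ParentImage=...` line per event, standing in for Sysmon event 1 or Security 4688 fields) and flags any cipher.exe execution with the `/w:` switch, raising the reason count when the parent is a remote-execution host or the binary runs from outside System32. The sample events and the parent-process list are assumptions for the demo.

```python
import ntpath
import re

# Constructed process-creation events, not real telemetry from the incident.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\cipher.exe|CommandLine=cipher.exe /w:C:\Users\Public|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\cipher.exe|CommandLine=cipher /e C:\Finance|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Temp\cipher.exe|CommandLine=cipher.exe /w:D:\|ParentImage=C:\Windows\System32\wsmprovhost.exe",
]

# /w: is the free-space wipe switch; /e (encrypt) and /d (decrypt) are routine EFS use and not flagged.
WIPE_SWITCH = re.compile(r"(?:^|\s)/w:", re.IGNORECASE)

# Parents that imply the command arrived over WinRM, PsExec or WMI (assumed list, extend to taste).
REMOTE_EXEC_PARENTS = {"wsmprovhost.exe", "psexesvc.exe", "wmiprvse.exe"}
EXPECTED_DIR = r"c:\windows\system32"


def parse_event(line):
    """Split one 'Key=Value|Key=Value' event line into a lowercase-keyed dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def detect_cipher_wipe(lines):
    """Return one finding per cipher.exe execution that carries the /w: wipe switch."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "")
        if ntpath.basename(image).lower() != "cipher.exe":
            continue
        cmd = ev.get("commandline", "")
        if not WIPE_SWITCH.search(cmd):
            continue
        reasons = ["cipher.exe invoked with /w: (overwrites free space, destroys deleted-file residue)"]
        parent = ntpath.basename(ev.get("parentimage", "")).lower()
        if parent in REMOTE_EXEC_PARENTS:
            reasons.append(f"parent {parent} indicates remote execution")
        if ntpath.dirname(image).lower() != EXPECTED_DIR:
            reasons.append(f"cipher.exe running from unexpected path {image}")
        findings.append({"commandline": cmd, "parent": parent, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_cipher_wipe(SAMPLE_EVENTS):
        print(f["commandline"], "<-", f["parent"])
        for r in f["reasons"]:
            print("   ", r)
```

Administrators do run `cipher /w:` legitimately before decommissioning disks, so treat a single finding with a local interactive parent as something to triage, and the remote-parent or odd-path variants as something to page on. The rule also says nothing about `cipher /e`, which is ordinary EFS use and would only add noise.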

vx-underground

This is not pronounced like "MAGA". It's pronounced like: "Mmmmmm. Aga". The double M's are pronounced like you just ate a delicious slice of pizza. The "Aga" part is pronounced like you're stuck in traffic — a strenuous sigh almost.

It's shrimple.


vx-underground

Hacking is illegal and for nerds


vx-underground

Yesterday Banshee Stealer, the MacOS-based Malware-as-a-Service infostealer, had their source code leaked online.

As a result of the leak they've shut down their operations. We've archived the leak and made it available for download on GitHub.

https://github.com/vxunderground/MalwareSourceCode


vx-underground

🚨BREAKING🚨
RANSOMHUB RANSOMWARE GROUP HAS RANSOMED A GIFT SHOP IN ROCHESTER, NEW YORK. IT IS EXPECTED TO CAUSE OVER $15 IN DAMAGES, ALL 3 EMPLOYEES ARE PANICKING AS THEIR UBER EATS ORDERS MAY BE LEAKED ONLINE


vx-underground

Last week 404mediaco did an article on Threat Actors using Spotify to host malicious software and/or pirated software.

In summary, karol_paciorek and g0njxa discovered nerds are using Spotify playlists titles to amplify malware.


vx-underground

Sometimes it's very frustrating administrating a large account on social media. Whenever we make a post we try to be as succinct as possible to avoid misinterpretation. That doesn't always happen, and it's frustrating.

tl;dr

"I like pancakes"
"oh, so you hate waffles???"


vx-underground

Next week we'll scrub victim data and make it available for download on vx-underground. Thank you, random angry person on the internet, for reminding us.


vx-underground

Is this a good and/or practical malware delivery method? No, probably not. It can easily be stopped and requires a lot of work.

Is it a cool and badass idea? Yes


vx-underground

Good morning,

We've successfully received the court documents from the Canadian judicial system regarding Connor Moucka, the individual allegedly responsible for the compromise of Snowflake.

We cannot in good faith share these documents because, as a surprise to us, the Canadian government unveiled Mr. Moucka's home address, telephone number, passport information, a brief description of his childhood, etc.

We believe this information could potentially put him (or his family) in danger from people who strongly dislike Mr. Moucka.


vx-underground

Hello,

We've had quite a few people reach out to us regarding the Connor Moucka a/k/a Waifu court documents. Unfortunately, we are not Canadian and we are unable to access the Canadian court system's documents (or we are not privy to how to access it or navigate it, we've never done stuff within the Canadian judicial system). Our information derived directly from an Ontario based news station which has been covering the case.

We are trying to the best of our ability to obtain the documents. We cannot promise anything. If you'd like to review the direct news source, it is attached to this post. However, it is paywalled (inb4 nerds bypass it)

Source: https://www.theglobeandmail.com/business/article-ontario-man-in-alleged-snowflake-hacking-case-also-accused-of-posting/


vx-underground

More information has been released regarding Connor Moucka a/k/a Alexander Moucka a/k/a Judische a/k/a Catist a/k/a Waifu, the person allegedly responsible for the Ticketmaster compromise (among many others)

He has way too many aliases

November 22nd, 2024, unsealed documents (from Canada) state authorities believe him to be dangerous to himself, and the public. They also state he is a flight risk.

Documents show Mr. Moucka used racial slurs online, frequently discussed killing black people, mass mailing black people "sodium nitrate pills", acquiring weapons to kill random Canadians, and discussing wanting to commit suicide by cop.

Court documents show Mr. Moucka plotting and scheming the Snowflake compromise, which resulted in the Ticketmaster compromise. Chat logs show the scheme, him and his associates discussing how to use stolen credentials, access to private data (banking information, payroll records, driver license numbers, passports, and social security numbers). The scheme conversation included how they would extort people.

Unsealed documents show images of Mr. Moucka's home and how law enforcement identified him. Mr. Moucka was identified by law enforcement by his Apple iCloud account. The Apple iCloud account was linked to his Discord account. Additionally, the Apple iCloud account was tied to his cryptocurrency wallets.

Court records show Mr. Moucka was charged in November, 2023 at age 25 for harassing a woman online and threatening to kill her.

Mr. Moucka's next court case regarding his extradition to the United States is November 29th, 2024.


vx-underground

Update: 720,845 emails are stored in one of the private chatrooms (???), removing duplicates will probably bring it to the number being reported.

Breach is 100% legit


vx-underground

Last night (or early morning November 22nd depending on where you reside), it was unveiled an unknown Threat Actor(s) had compromised Andrew Tate's online university, dubbed "The Real World (Hustler's University)".

Note(s):
1. The content was given to non-profit organization DDoSecrets (unable to tag on X due to their account being suspended) and is available for anyone to review

2. Upon compromise (and exfiltration of data, presumably), the individual(s) responsible for the compromise inserted pro-transgender emojis onto the site and uploaded AI photos of Andrew Tate with a transgender flag. The compromise of Andrew Tate's website appears to be ideologically motivated, not financially motivated

3. Upon review of the compromised data we spotted some inconsistencies with reporting from media outlets. Some media outlets have stated the stolen data contains over 325,000 user email addresses. However, upon review we do not see email addresses UNLESS the user's actual username on the website was their email address. We only spotted a few thousand (see image 1)

The leaked file, "users.json", contains the following:
- Unique UserID
- Username
- External UserID
- Score (reputation)
- Coin balance (forum based currency)
- Server (unsure)
- "User" (unsure)
- Join Date
- Roles

Other fields visible, which appear to be optional entries based on users interaction with the website:
- Profile content
- "Learnv2"
- Avatar

Also present in the compromise are chat logs from both public and private rooms. These rooms include:
- AI Automation
- Business Mastery
- Content Creation & AI Campus
- Copywriting
- Crypto DeFi
- Crypto Trading
- Cryptocurrency Investing
- ECommerce
- Fitness
- Hustler's Campus
- Social Media & Client Acquisition
- The Real World

Each room described has both a public and a private variant. We briefly skimmed the contents of these and can confirm they have unfathomable amounts of chat logs and conversations. In the spirit of full disclosure: we are not going to review and/or read these chat logs. They are massive. In summary: the dumped conversations are legit.

As a disclaimer: it may be possible that email addresses and more sensitive information is in the chat logs. We have not reviewed this in totality to confirm that (we don't feel like it).

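The two counting questions raised in this post and in the update before it (how many `users.json` usernames are actually email addresses, and how much the 720,845 addresses found in the chat logs shrink once duplicates are removed) come down to a short triage script. The following is an added example, not code from the post or from DDoSecrets' release. It runs over a constructed stand-in for `users.json` (the field names follow the list above, the values are fabricated) and a few constructed chat lines, extracts addresses, normalizes them case-insensitively and reports raw mentions versus unique addresses. The JSON key names and the chat line format are assumptions.

```python
import json
import re

# Loose address matcher; it deliberately stops before a trailing period or comma in prose.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed stand-in for the leaked users.json: field names follow the post, values are fabricated.
USERS_JSON = json.dumps([
    {"id": 1, "username": "alice@example.com", "externalId": "ext-1", "score": 10,
     "coins": 5, "joinDate": "2023-01-01", "roles": ["member"]},
    {"id": 2, "username": "bob_the_hustler", "externalId": "ext-2", "score": 3,
     "coins": 0, "joinDate": "2023-02-01", "roles": ["member"]},
    {"id": 3, "username": "Alice@Example.COM", "externalId": "ext-3", "score": 1,
     "coins": 0, "joinDate": "2024-05-01", "roles": ["member"]},
])

# Constructed chat lines in a "[timestamp] user: message" layout (assumed format).
CHAT_LINES = [
    "[2024-11-20 10:01] bob_the_hustler: DM me at Bob@example.org for the course",
    "[2024-11-20 10:02] carol: contact bob@example.org or carol.w@mail.example.net",
    "[2024-11-20 10:03] alice: no emails here, just hustle",
    "[2024-11-20 10:04] dave: alice@example.com is mine too",
]


def normalize_email(addr):
    """Case-fold and trim; domains are case-insensitive and most providers treat local parts the same way."""
    return addr.strip().lower()


def emails_from_users(users_json):
    """Usernames that are whole email addresses, deduplicated after normalization."""
    users = json.loads(users_json)
    return {normalize_email(u["username"]) for u in users
            if EMAIL_RE.fullmatch(u.get("username", "") or "")}


def emails_from_chat(lines):
    """Every address mentioned anywhere in the chat text, deduplicated after normalization."""
    return {normalize_email(m) for line in lines for m in EMAIL_RE.findall(line)}


def summarize(users_json, lines):
    """Raw mention count versus unique counts, which is the gap the update above describes."""
    from_users = emails_from_users(users_json)
    from_chat = emails_from_chat(lines)
    raw_chat_mentions = sum(len(EMAIL_RE.findall(line)) for line in lines)
    return {
        "raw_chat_mentions": raw_chat_mentions,
        "unique_from_users": len(from_users),
        "unique_from_chat": len(from_chat),
        "unique_total": len(from_users | from_chat),
    }


if __name__ == "__main__":
    for key, value in summarize(USERS_JSON, CHAT_LINES).items():
        print(f"{key}: {value}")
```

Two caveats when running this over the real dump: `normalize_email` only folds case, so provider-specific aliases (`+tags`, Gmail's ignored dots) still count as distinct addresses, which is the conservative choice for a breach count; and an address appearing in a chat message is not evidence that it belongs to a member, so "unique addresses seen" and "members whose address leaked" are different numbers and should be reported as such.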

vx-underground

Update: CYBERWARCON is now holding us hostage. They have done talks back-to-back, no time to get snacks or use the restroom.

We have ripped up the carpet and starting gnawing on the adhesives for nutrients. We have resorted to urinating in our pants.


vx-underground

"my computer harddrive is surrounded by tannerite. if the FBI raids me my harddrive will explode and they'll have no evidence"

Wow. Bravo. You'll be investigated by the FBI and the ATF.

2 birds with 1 stone. Brilliant tactics.


vx-underground

Been spamming F5 all day 🙏
