The malware oopsie-doopsie paradox
The more evasive techniques introduced into your payload, the more likely it is to be detected
The fewer evasive techniques introduced into your payload, the more likely it is to be detected
One thing noobie scoobies don't seem to understand is that malware is literally just software. Understandably, that seems kind of obvious, it's in the name — 'malicious software'. But it seems less obvious to some that, in order to write malware, you apply the exact same principles, techniques, and structures that legitimate software uses.
Malware is regular ol' programming with some sprinkles of weird stuff. These weird things are documented and shared. Some try to find new weird things.
When people ask what language is best for malware... it's kind of like asking 'what's the best ice cream flavor?'. It's entirely subjective. Everyone will tell you something different. You'll notice a lot of people will prefer Chocolate or Vanilla, you may encounter some who like Raspberry Banana Sprinkle Jam-Blam Blast, or Minty Schminty SpongeBob Sticks Bombs, but at the end of the day it's all still ice cream.
In its simplest form, all malware techniques are things legitimate software may do.
Ransomware?
- Step 1. Enumerate files in a directory
- Step 2. Lock and encrypt files
Information Stealers?
- Step 1. Enumerate files in a directory
- Step 2. Upload files somewhere
RATs?
- Step 1. Make program run at start
- Step 2. Execute commands (cmd, powershell, other programs)
- Step 3. Upload files somewhere
Loaders?
- Step 1. Download file from somewhere
- Step 2. Run file
Everything the malware does is just an expansion of what is explained above.
Want to find new malware techniques? Find new ways to execute a process, find new ways to enumerate files in a directory, find new ways to upload files somewhere, find new ways to download files from somewhere, find new ways to write to files or delete files, etc.
How do you do this? Read. Read everything. Blogs, Windows documentation, StackOverflow, Wikipedia, our website. Look at every DLL you find on your computer in IDA or Ghidra, just open stuff and look around. Look at other people's work and see if you can expand on it and find something new.
tl;dr learn to code, then learn weird stuff
Happy New Year
In celebration of 2025, you will all be given one (1) limited edition kitty cat.
Cheers,
A 20 year old United States soldier worked with Threat Actors and, following the arrest of his associates, threatened to leak telephone logs from Kamala Harris and Donald Trump.
This was a very, very, very bad decision.
https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizon-extortions/
We are in the process of deploying 150,000 new malware samples.
This should have occurred earlier. However, a Threat Actor conducted a sophisticated cyberattack and compromised our infrastructure (my puppy decided to chew on the cables connecting to my local backup NAS).
Hi
We've updated the VirusSign collection.
- VirusSign.2024.12.04
- VirusSign.2024.12.05
- VirusSign.2024.12.06
- VirusSign.2024.12.07
- VirusSign.2024.12.08
- VirusSign.2024.12.09
- VirusSign.2024.12.10
- VirusSign.2024.12.11
- VirusSign.2024.12.12
- VirusSign.2024.12.13
- VirusSign.2024.12.14
- VirusSign.2024.12.15
- VirusSign.2024.12.16
- VirusSign.2024.12.17
- VirusSign.2024.12.18
- VirusSign.2024.12.19
- VirusSign.2024.12.20
- VirusSign.2024.12.21
- VirusSign.2024.12.22
- VirusSign.2024.12.23
- VirusSign.2024.12.24
- VirusSign.2024.12.25
- VirusSign.2024.12.26
- VirusSign.2024.12.27
Approx. 70,000 malicious binaries
Good morning, afternoon, or evening,
We have completed our re-organization of the Windows malware papers (per the request of many). We have introduced more precise sections.
In the future these sections may expand or contract — papers may move. ¯\_(ツ)_/¯
Our Telegram userbase missed the message earlier.
We have historically enjoyed posting photos of cats. They're pretty cool. We came up with this idea of doing mass aggregation of cat photos. We are aiming to make a cat photo exchange (???). No idea why. There is no objective with it. It is quite literally mass-scale cat photo aggregation and displaying it on social media.
Each cat will be hashed to remove duplicates.
tl;dr largest collection of cat photos on the internet
Dude steals a South Korean government Xitter profile and tweets "north korea is best korea". That's diabolical stuff
Cyberhaven, a thing we've never heard about before until about 2 minutes ago, that does something with cybersecurity and lists its biggest customers on its website, was compromised. It resulted in a web-browser-based supply chain attack.
Sometime in 2020 a guy named "Shikata" recommended we make the vx-underground slogan be: "spread the infection."
It was such a god awful, abomination of a slogan, I never forgot about it. It's been almost 5 years.
- smelly
It wouldn't be a Christmas unless a company did something horrifically stupid.
This year concludes with Activision. Activision decided to release some promotional artwork which was created using Artificial Intelligence.
tl;dr massive game studio doesn't use their artists
per 404media — most of the southern part of the United States has been banned by PornHub (and associated companies e.g. Brazzers, RedTube, YouPorn, Reality Kings, etc) due to new legislation which requires age verification.
PornHub and associates assert it will be difficult to comply with new legislation and, to avoid legal liability, have opted to simply ban and/or block some portions of the United States from their websites.
As a result of these new age verification laws, what will happen?
A. People say, "wow, pornography is not cool anyway" and stop watching pornography
B. People begin purchasing VPNs (if they can afford it) to bypass geographical bans OR if unable to afford a VPN, people begin going to more shady and less-safe websites to watch pornography
C. Lawmakers in the southern part of the United States have a sudden change of heart and reverse recent legislation
D. Pornography vendors have a change of heart and decide to review thousands, possibly hundreds of thousands, of United States citizens' PII (and pinky promise to not sell it), and put a target on their back from Threat Actors
This year we're starting off strong.
First and foremost, we've got some new sponsors. Our friends over at Binary_Defense and TrustedSec have helped us out tremendously lately. We'd especially like to thank HackingDave for helping the little nerds out and keeping malware cool and badass (and free) forever and ever. We'll be listing them on the website later.
Next up: we're working with our friends at TorGuard VPN to expand our infrastructure. They have a large (and, quite honestly, disturbing) amount of computational resources. We will be working with them for 2 things.
1. Widespread cat picture aggregation.
2. Widespread malware ingestion
Next, next, on the other side of the autism spectrum: our in-house software engineer guessthepw is working on constructing a kitty cat photo database. All cats ingested will be available to browse, download, whatever.
People have asked: "smelly smellington, what's your end game with these cats?". The answer is very shrimple: no idea, thought of it while using the restroom.
Let's see where this wacky adventure takes us. Maybe in a few years it'll be bigger than vx-underground and we can use it to fuel our malware addiction. Or, alternatively, nothing will happen and the project will be dead in a year. Let's see what happens! Sometimes in life you gotta just do a thing, see if it fails, or succeeds, or what happens.
We've got lots of work to do in 2025.
Finally, as is tradition, we've got more malware to add, more malware papers to add, lots and lots of stuff. Very cool.
Thanks,
- smelly smellington
We've never personally encountered an active United States military personnel doing something like this.
It is difficult to assess if they'll go to trial as a civilian or as a soldier (United States military court) or both (which is possible, a rare double whammy).
Threat Actor using advanced evasion techniques (if he can't see you, you can't see him).
Every single time a Threat Actor compromises a large Twitter account they drop the ball.
Best usage we've seen thus far has been "North Korea is Best Korea" (a silly message), followed by goofy crypto-drainers.
tl;dr 1 shot, 1 opportunity, doesn't seize the moment, slips
We've updated the malware family collection.
Updates:
- Xworm
- AkiraRansomware
- Android.AndroRAT
- Android.Joker
- Azorult
- BruteRatel
- BumbleBeeLoader
- CrytoxRansomware
- Prometei
- PureStealer
- Rekoobe
- Remcos
- RhadamanthysLoader
- StampadoRansomware
- StealC
- SunSpinner
- DarkComet
- DCRat
- Emotet
- Furtim
- GhostPulse
- LummaStealer
- MacOS.Keydnap
- Mirai
- Multigrain
- Orcus
- PetyaRansomware
- PLAYRansomware
- PoisonIvy
"why are you guys collecting cats?"
The truth is: from discussing, reviewing, reversing, and writing about malware every single day for 6 years, we are deep fried.
It is either we collect cats, alongside malware, or alternatively we fall into a malware-induced psychosis.
Administrative update:
tl;dr bradley is out, i'm back. reorganizing papers. we're collecting cats. no more goofing around.
0. Bradley is out-of-office. He was supposed to man-the-ship. He has experienced a family medical emergency. I am now steering the ship again.
1. Currently the Windows malware paper collection is not organized. We have been dumping them into a giant pool. We have received feedback from users regarding their dissatisfaction with this decision. Hence, we are re-organizing the Windows malware paper collection and introducing new sections to make navigation easier.
New sections:
- AMSI
- Evasion
- GPU Abuse
- Hooking
- Infection
- Initial Access
- Internals and Analysis
- Kernel Mode
- Keylogging
- LSASS
- Networking
- Persistence
- Process Injection
- Shellcode Execution
- Syscalls
- System Components and Abuse
- Windows COM
2. We have begun processing our massive backlog of malware samples. Our current backlog dates back to November 29th. The current ingestion estimate is 600,000 new malwares.
3. As many of you have seen — we have made a pseudo-pseudo-fork of vx-underground. We now have an entire 'side project' dedicated to collecting images of cats. We have received and reviewed your feedback — all images received will be pHashed (perpetually hashed?) to ensure no duplicate photos of cats exist. We have purchased a domain for the side project, and we are actively developing something to display and distribute photos of cats. The current cat-related Twitter profiles do not suffice. They fail to categorize them in a structured database and do not actively distribute the cat image data to their userbase. It is disgusting and we hate it.
This is only partially a joke. But, we're wondering if we can use our nerd-mindset to defeat large cat-centric social media profiles.
4. Besides the stupid idea of collecting cat photos, we are returning to business as usual. All giveaways are done, poop posting will be minimal(ish) (depends on mood), our focus will be shifted back to malware-related material aggregation and being cybercrime TMZ.
Thanks,
- smelly smellington
The targeted advanced attack they mention was phishing (someone somewhere said it). It wasn't like when APT29 hopped laterally across buildings via WiFi using a 0day exploit
Black Mass Volume III is coming soon. We aim to continue our malware book dominance on Amazon
This sweater is super cool.
If we were younger, more attractive, had a sense of fashion, and capable of dressing ourselves — we'd purchase this.
AI artwork was really cool and impressive for about 3 weeks. Then it was immediately abused by low-lifes and cheap bastards to cut corners and make money.
Now AI artwork looks like a big stinky pile of shit drizzled in corporate greed
> write 20 page paper on opaque malware technique
> 5,000 lines of C++
> *crickets*
> write 1 paragraph explaining basic malware concept
> -5,000 lines of C++
> ZOOOMFGGGGG!!!1111 whOAOAOAOAOA
Today 404mediaco released an article on Anthaney O’Connor. Mr. O’Connor reported someone to law enforcement for possessing CSAM.
However, while law enforcement was conducting their investigation, they discovered Mr. O’Connor also possessed CSAM. Additionally, he was actively developing a virtual reality video game to perform sexual acts with children. The video game had both real and AI generated pornographic images of children in it. Mr. O’Connor intended to sell and distribute this video game for $200.
More information: https://www.404media.co/tipster-arrested-after-feds-find-ai-child-exploit-images-and-plans-to-make-vr-csam-2/