14365
The largest collection of malware source, samples, and papers on the internet. Password: infected Website: https://www.vx-underground.org/ vx-underground Telegram chatroom link: https://t.me/+njfLzUrqos01ZWNh
Hello to the Threat Actor who compromised the Parliament of the Republic of South Africa Xitter account and gave us a shoutout... kind of?
They live streamed homosexual pornography and left the vx-underground Xitter tab open.
🥴🥴
The attached images is from a 1988 malware analysis report from AT&T Bell Labs. The report does a high-level overview of a viral infector targeting UNIX operating systems.
Читать полностью…
We've got lots of stuff to add to vx-underground. We've re-prioritized — unironically highest priority is creating kitty cat 7z torrent.
Читать полностью…
We'll be making a torrent.
This was a joke file — we didn't anticipate literally thousands, upon thousands, of people to actually want to download 110,000+ photos of kitty cats. This was our most popular file ever downloaded, ever. It destroyed our infrastructure.
This collection is from various scraping we've done. Some of the images are doggies, horsies, a few silly pictures of human babies being babies, some other cute animals like foxes and rabbits.
99% are kitty cats
Per request of like, a dozen people, in roughly 90 minutes we will be releasing something super cool (unless you dislike kitty cat pictures).
Un momento, señor y señora.
Scott Presler, American conservative political activist, shared details today on social media regarding unusual activity on his Xitter account.
What could it mean?
American social media and politics is absolutely amazing and is x10 better than any other country.
Two dorks got into a Twitter argument over tariff impact on clothing and have mutually agreed to settle there differences with physical violence.
America 🤝 Violence
After the FBI and NCA UK took down Lockbit ransomware group servers, arrested their lead developer, sanctioned the group, and listed the "leader" of the group on the FBI's Most Wanted, we assumed Lockbit ransomware group would either rebrand or die.
Well, they died for a little. But we are beginning to see signs of Lockbit ransomware group again. The past few weeks we have seen more and more reports surface of their attacks. Although they are no longer near where they used to be (30+ ransoms a day), the fact they're making a comeback is both impressive and scary.
Lockbit ransomware group is like a cockroach. He is immune to virtually everything — we thought he was dead, but he is alive still.
Hot take: privacy nerds will resort to "pirating" YouTube videos before succumbing to advertisements and tracking from Google
Читать полностью…
For those who stated Mr. Urban may have spent his stolen money: (un)fortunately, because Mr. Urban has agreed to restitution, it is mandatory under federal law he repay the stolen money. If Mr. Urban does not have the full $13,000,000 he will have to do the following:
1. Establish a payment plan with the court system
2. Begin making payments while serving jail time (Inmate Financial Responsibility Program)
3. Payment toward victims continue even when sentencing is completed.
While Mr. Urban is in prison he will be "employed" in federal prison and earn money for his work — generally $0.40/hr. Although, Mr. Urban is capable of receiving a $30 bonus at the end of each month for good work.
Any money Mr. Urban receives from friends, family, or general employment will be seized and returned to victims until the total amount is returned. He cannot declare bankruptcy to avoid restitution. It does not "fall off" like traditional debts in the United States.
It is in Mr. Urban's best interest he has the full $13,000,000. Otherwise he will be paying restitution for the majority of his life.
In July, 2022 we created "VX Feed" — a Discord server which provides updates in-near-real-time from various websites and ransomware blogs.
We forgot it existed.
We checked on it today, it's still running. It's got several thousand members.
We could probably hire someone to do nothing except reply to people all day.
We don't have the money for it, but we have the volume of e-mails and DMs for it.
Sorry we don't reply, but we do appreciate the information shared, or kitty cat pictures shared.
-smelly smellington
You know what does well in a recession?
Cybercrime.
Threat Intel, Threat Actors, Defenders, Attackers — chat, we're so back. High 5s all around.
Updates to the Malware Builder collection via Cryakl (may include subvariants)
-A7m3dRat
-CraxsRat
-Gh0stCringe
-HadesRat
-KazyBot
-Nbclass
-PhoenixKeylogger
-PurpleFox
https://vx-underground.org/Builders
APT samples and papers:
2024.10.24 - Operation Cobalt Whisper - Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan
2025.01.20 - Operation Hurricane - A brief discussion of the techniques and tactics of the Xinhai Lotus organization in memory
2025.01.21 - Love and hate under war - The GamaCopy uses military-related bait to launch attacks on Russia
2025.01.23 - Mapping Suspected KEYPLUG Infrastructure - TLS Certificates, GhostWolf, and RedGolf APT41 Activity
2025.01.23 - The J-Magic Show - Magic Packets and Where to find them
2025.01.28 - ScatterBrain - Unmasking the Shadow of PoisonPlug's Obfuscator
2025.01.29 - CL-STA-0048 - An Espionage Operation Against High-Value Targets in South Asia
2025.01.29 - Operation Phantom Circuit - North Koreas Global Data Exfiltration Campaign
2025.02.03 - Analysis of malicious HWP cases of APT37 group distributed through K messenger
2025.02.03 - macOS FlexibleFerret - Further Variants of DPRK Malware Family Unearthed
2025.02.07 - Chinese-Speaking Group Manipulates SEO with BadIIS
2025.02.11 - Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns
2025.02.12 - 2024 Global APT Research Report
2025.02.12 - Cybercrime - A Multifaceted National Security Threat
2025.02.12 - The BadPilot campaign - Seashell Blizzard subgroup conducts multiyear global access operation
2025.02.12 - UAC-0063 Cyber Espionage Operation Expanding from Central Asia
2025.02.13 - Analyzing DEEP#DRIVE - North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks
2025.02.13 - Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
2025.02.13 - RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers
2025.02.13 - Stimmen aus Moskau - Russian Influence Operations Target German Elections
2025.02.13 - You've Got Malware - FINALDRAFT Hides in Your Drafts
2025.02.18 - Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection
2025.02.19 - Signals of Trouble - Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger
2025.02.20 - Analysis of the APT-C-28 (ScarCruft) organizations attack activities using fileless delivery of RokRat
2025.02.20 - DeceptiveDevelopment targets freelance developers
2025.02.20 - SPAWNCHIMERA Malware - The Chimera Spawning from Ivanti Connect Secure Vulnerability
2025.02.20 - Stately Taurus Activity in Southeast Asia Links to Bookworm Malware
2025.02.20 - Weathering the storm - In the midst of a Typhoon
2025.02.21 - Angry Likho - Old beasts in a new forest
2025.02.23 - The Bybit Incident - When Research Meets Reality
2025.02.24 - Erudite Mogwai Uses Custom Stowaway to Stealthily Advance Online
2025.02.24 - Operation SalmonSlalom - A new attack targeting industrial organizations in APAC
2025.02.25 - Chinese APT Target Royal Thai Police in Malware Campaign
2025.02.26 - RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector
2025.02.27 - A case of phishing email attack by Larva-24005 group targeting Japan
2025.02.27 - Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
2025.02.27 - Squidoor - Suspected Chinese Threat Actor's Backdoor Targets Global Organizations
2025.03.03 - Operation sea elephant - The dying walrus wandering the Indian Ocean
2025.03.04 - Call It What You Want - Threat Actor Delivers Highly Targeted Multistage Polyglot Malware
2025.03.04 - Likely DPRK Network Backstops on GitHub, Targets Companies Globally
2025.03.05 - Silk Typhoon targeting IT supply chain
2025.03.12 - Ghost in the Router - China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
2025.03.12 - Hack The Sandbox - Unveiling the Truth Behind Disappearing Artifacts
2025.03.12 - New Android Spyware by North Korean APT37
2025.03.13 - Analyzing OBSCURE#BAT - Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits
2025.03.13 - Detailed Analysis of DocSwap Malware Disguised as Securit
>Openly share 159GB file of kitty cat pictures
>5,350+ people rush to download the file
>850TB of web traffic flood in
>Cloudflare reports 1,850% increase in web traffic
>everyone_panic.jpeg
>More people try to download the file can't
>People angry, demand cats
Our hosting provider TorGuard wondering why our host suddenly received terabytes of traffic within a few minutes and why it's all related to kitty cat photos
Читать полностью…
Chat, we've got a problem.
Over 5,000 people are trying to download our kitty cat collection file. It is 159GB.
What is 159GB x 5,000 downloads at the same time? Unironically, we are DDoSing ourselves with cat pictures.
In these trying times the one thing which remains constant is the value of kitty cat pictures.
Please take a copy of our kitty cat picture collection. It is 159.9GB (111,429 files) of kitty cat pictures.
Economic problems 🤝Kitty cats
https://vx-underground.org/tmp
We've updated our malware builders collection.
It's beautiful. Thank you so much to Cryakl for assembling this MASSIVE collection. We have 545 malware builders!
*Please exercise caution if you decide to experiment with them
https://vx-underground.org/Builders
Actually, we take it back, France is the current leader is political outrage. But America is a strong contender.
Читать полностью…
Everyone: wtf lockbit just give up bro, the fbi and nca uk reported youve made over $1,000,000,000 from ransomware
Lockbit:
Note: this was from the ProtonPrivacy Reddit. The cell phone image was shared on "Tech Crimes" on Telegram.
Some users have speculated it is from "too many people using the same VPN server" (?). Others reported they had the same issue when using Mullvad
Users reported it only impacts specific YouTube channels — other state the error is across all YouTube channels. Some users stated they were able to evade the flag when using "Stealth Protocol" with Proton.
About 2 weeks ago privacy nerds on Reddit began reporting they're unable to watch YouTube videos when using a VPN. YouTube displays a "VPN/Proxy Detected" warning.
Initially it was displayed on desktop computers, however it is now being displayed on mobile devices too.
April 4th Noah Urban a/k/a "King Bob", an alleged member of the infamous "Scattered Spider" group, plead guilty to all charges in all cases.
Mr. Urban has two cases. One case is in Florida, United States. One case in California, United States.
Per court documents Mr. Urban, as a member of what Threat Intelligence defined as "Scattered Spider", was responsible for:
- Social engineering company targets by posing as IT staff or Help Desk. Mr. Urban often used SMS or telephone calls to impersonate employees.
- Social engineer company targets, by posing as IT staff or Help Desk, toward remote access tools to provide access to other individuals within "Scattered Spider"
- Social engineer company targets to share one-time passwords used for MFA
- Monetized access to victim networks by extortion enabled by ransomware and data theft
Mr. Urban plead guilty to the following charges in Florida:
- One (1) count of Conspiracy to Commit Wire Fraud
- One (1) count of Wire Fraud
- One (1) count of Aggravated Identity Theft
Mr. Urban plead guilty to the following charges in California:
- One (1) count of Conspiracy to Commit Wire Fraud
Per court records, Mr. Urban took a plea deal which states Mr. Urban must forfeit stolen money to each victim individually (restitution) with the sum being in excess of $13,000,000 between 59 individuals. Additionally, Mr. Urban waived his right to pay restitution to victims not listed in official court paperwork — meaning he may have to pay more at a later period of time if more victims are identified.
Mr. Urban has agreed to forfeit the following toward victims: "Dai", "Ethereum", "Monero", "Bitcoin", "Ripple", as well as any cash in Mr. Urban's possession and any physical item worth sufficient value (undefined).
Mr. Urban, despite taking a plea deal and agreeing to restitution, is still subject to sentencing. Mr. Urban official sentencing is expected to take place on or around Friday, June 20th, 2025.
Mr. Urban is facing a maximum sentencing of 82 years in prison. However, per standard sentencing guidelines and because Mr. Urban has taken a plea deal, he will receive a much lighter sentence. The Aggravated Identity Theft charge in Florida carries a mandatory two (2) years in prison.
We also appreciate all our "sleeper agents".
Anytime we make a post about: an arrest, breach, or Threat Actor, we always have at least 1 or 2 people who contact us who are familiar with the situation unfolding.
I love you so much.
tl;dr vx-underground hive mind
Rest in pepperoni to our software engineers though. They're absolutely cooked. They're facing AI and a recession — they're fighting a war on both fronts.
Читать полностью…
On April 1st, 2025 (No April Fools), the Russian FSB (Federal Security Service of the Russian Federation, Федеральная служба безопасности Российской Федерации), conducted a raid in St. Petersburg, Russia, on an IT facility named "Aeza Group".
Aeza Group is (rumored) to provide network infrastructure for Russia's Doppelgänger propaganda network. The location raided was once the home for Yevgeny Prigozhin's Wagner Center (tl;dr no idea who is stating these rumors, it's just news articles and Telegram).
Law enforcement agents allege the CEO, Yuri Bozoyan, and two employees of the organization, Maxim Orel and Tatyana Zubova, were arrested for aiding, abetting, or facilitating criminals groups. More specifically, the FSB asserts Mr. Bozoyan and his co-conspirators trafficked narcotics at large scale.
Additionally, it was (rumored) Aeza Group provided infrastructure for "darknet" groups and malware groups. However, we have been unable to find substantial evidence to support these claims other than various news articles (tl;dr who the fuck is saying this?).
Edit: Commenters suggested "arrest" photo was AI generated. That is the photo that was shared. We agree it looks suspicious, so we've removed it. Instead have a nice photo of Mr. Bozoyan