vxunderground | Unsorted

Telegram channel vxunderground - vx-underground

The largest collection of malware source, samples, and papers on the internet. Password: infected https://vx-underground.org/

vx-underground

Hello, how are you?

We're now granting permission to individuals who would like to upload malware to our VXDB. We are only granting this to select individuals we know, or individuals we know who can be trusted (or vouched for). We are doing this to prevent our VXDB being flooded with junk data or non-malicious files.

No changes will be made to the VXDB for user registration or downloads. It will always be free.

If you'd like to contribute to the VXDB you can contact us via Twitter DMs or via e-mail at staff@vx-underground.org

Additionally, we are still working on refining the VXDB, bulk download (via API) is still not supported yet. It is in our ever-growing todo list.

Thank you everyone for the love, support, donations, and sponsorships you've given us. We would not have been able to create this VXDB, get this much malware, or share it with this many people if it were not for all of you helping us out.

Love you,

vx-underground

Swift removing ++ and -- operators because they can be confusing because of code like this:

int i = 5;
i = ++i + i++;


This is the beauty of the C/C++ programming language. You can make the metaphorical gun and metaphorically shoot yourself with it. Also, don't code like this

vx-underground

Swift developers proving they're very not cool

tl;dr says "++" and "--" operators are confusing

vx-underground

Reminder that Threat Actors (probably) haven't paid for a Red Teaming course or any sort of formal education

vx-underground

Forgot to link to the website, but whatever. If you don't know the website by now you've got some sort of cognitive damage.

Going back to bed. If you need anything... don't need anything

vx-underground

An image illustrating the current CloudFlare status

https://www.cloudflarestatus.com/

vx-underground

Alternatives to 'whoami.exe'.

COM interface ideas:
- IADsADSystemInfo
- IADsWinNTSystemInfo
- IADsComputer
- WMI COM provider to query 'whoami.exe'

IADsADSystemInfo, IADsWinNTSystemInfo, and IADsComputer are all fundamentally similar in calling syntax and are pretty copy-pasta ish. Windows SDK is kind of a pain though, the GUIDs weren't located easily, so they needed to be manually defined.
Example: https://pastebin.com/raw/S32nYDAp

Advapi32 functionality:
- Advapi32!LookupAccountSidW
- Advapi32!LsaLookupSids

LookupAccountSidW is an internal wrapper that calls LsaOpenPolicy, LsaLookupSids, and subsequently LsaFreeMemory. LsaFreeMemory is a wrapper to RtlFreeHeap.
Example: https://pastebin.com/raw/zJVShnay

Other possibilities:

- NpGetUserName - gets the username from a named pipe. Requires spawning a secondary thread, creating a named pipe, connecting to it, impersonating it, ... it is a long story =D

- Offlinesame.dll - Offline sam has a lot of functionality for enumerating users and domains on the machine. This is undocumented and requires a little more work. However, it has been demonstrated loosely by 0gtweet
Example: https://github.com/gtworek/PSBits/blob/master/OfflineSAM/OfflineAddAdmin.c

tl;dr can't stop thinking about whoami.exe :(
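The post above lists API-level ways to learn the current account name without running whoami.exe. The block below is an added example written for this page; it is not code from the post or from its linked pastebins. On Windows it walks the exact path the post describes for Advapi32!LookupAccountSidW: open the process token, read its TOKEN_USER SID, and resolve the SID to DOMAIN\user. It also goes beyond the post with a POSIX branch (getuid + getpwuid_r) so the same idea builds on Linux and macOS. The function names current_user_name and user_name_ok are this example's own. From a defender's view the relevant property is visible in the code: everything happens in-process through a lookup API, so no child process is created and process-creation telemetry keyed on the whoami.exe image name has nothing to record.

```c
/* Added example: resolve the current user's name through the OS lookup APIs
 * instead of spawning whoami.exe (Windows) or whoami/id (POSIX).
 * Not code from the vx-underground post or its pastebins. */
#ifndef _WIN32
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#pragma comment(lib, "advapi32.lib")

/* Windows path: process token -> TOKEN_USER (the SID) -> LookupAccountSidW.
 * As the post notes, LookupAccountSidW is itself a wrapper around the LSA
 * LsaLookupSids round trip; nothing is executed, only queried. */
int current_user_name(char *out, size_t out_len)
{
    HANDLE tok = NULL;
    DWORD need = 0;
    TOKEN_USER *tu = NULL;
    wchar_t name[256], domain[256];
    DWORD name_len = 256, domain_len = 256;
    SID_NAME_USE use;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return -1;
    /* First call only sizes the buffer; ERROR_INSUFFICIENT_BUFFER is expected. */
    if (!GetTokenInformation(tok, TokenUser, NULL, 0, &need) &&
        GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
        CloseHandle(tok);
        return -1;
    }
    tu = (TOKEN_USER *)malloc(need);
    if (tu == NULL || !GetTokenInformation(tok, TokenUser, tu, need, &need)) {
        free(tu);
        CloseHandle(tok);
        return -1;
    }
    CloseHandle(tok);
    if (!LookupAccountSidW(NULL, tu->User.Sid, name, &name_len,
                           domain, &domain_len, &use)) {
        free(tu);
        return -1;
    }
    free(tu);
    return (snprintf(out, out_len, "%ls\\%ls", domain, name) < (int)out_len) ? 0 : -1;
}
#else
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

/* POSIX counterpart: real uid from the kernel, resolved through getpwuid_r().
 * If the uid has no passwd entry (common in minimal containers) fall back to
 * the numeric uid so the caller still gets a usable string. */
int current_user_name(char *out, size_t out_len)
{
    struct passwd pw, *res = NULL;
    char scratch[4096];
    uid_t uid = getuid();

    if (getpwuid_r(uid, &pw, scratch, sizeof scratch, &res) == 0 && res != NULL)
        return (snprintf(out, out_len, "%s", pw.pw_name) < (int)out_len) ? 0 : -1;
    return (snprintf(out, out_len, "%lu", (unsigned long)uid) < (int)out_len) ? 0 : -1;
}
#endif

/* Convenience check: 1 if the lookup succeeded and produced a non-empty name. */
int user_name_ok(void)
{
    char who[512];
    return (current_user_name(who, sizeof who) == 0 && who[0] != '\0') ? 1 : 0;
}

int main(void)
{
    char who[512];
    if (current_user_name(who, sizeof who) != 0) {
        fputs("lookup failed\n", stderr);
        return 1;
    }
    printf("%s\n", who);
    return 0;
}
```

Build with cl/mingw on Windows (links against advapi32) or cc on a POSIX system; the program prints the resolved name and exits.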

vx-underground

tl;dr 3rd party vendor breached - resulting in Okta employees data exposed

Okta was breached (again). Their last breach was announced October 20th, 2023. They've been compromised 4 times now

- March, 2022
- December, 2022
- October, 2023
- November, 2023

Image via BrettCallow

vx-underground

We've updated the vx-underground malware sample collection

- MedusaLocker
- XLoader
- SystemBC
- MinodoLoader
- ShellBot
- Moqhao
- XMRig
- PlayRansomware
- MoneyRansomware
- PrivateLoader
- AridGopher
- Micropsia
- IcedId
and more...

Check it out here: vx-underground.org/

vx-underground

We are behind schedule on almost all of our tasks. 1/2 of our staff is sick.

Seasonal changes are illegal and for nerds

vx-underground

This one simple trick will land you a job anywhere

vx-underground

We keep getting pinged. Yes, Boeing has been removed from Lockbit ransomware groups website.

Lockbit administrative staff informed us they removed Boeing because negotiations have begun.

We don't know anything else. It is Halloween. Cya nerds tomorrow. We're busy.

vx-underground

ZachXBT, an independent cryptocurrency investigator who monitors and tracks cryptocurrency scams, shared ANOTHER video of cryptocurrency thieves taunting him.

The sign says "Fuck ZachXBT. Chards"

That's 3 videos now 😭

vx-underground

Sim swappers and crypto drainers seem to dislike ZachXBT. We received an anonymous message today with this video.

vx-underground

(there's 100% more unique ways, but this is meant to be funny and illustrate the possibilities other than whoami.exe, please do not start with the ACKCHYUALLY)

vx-underground

The argument is that this is potentially undefined behavior because of how the pre-increment and post-increment expressions will be interpreted (and/or optimized) by the compiler.

tl;dr don't write goofy goober code

tl;dr tl;dr nerds arguing over methods to increment an integer
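The `i = ++i + i++;` snippet from the earlier post and the explanation above both come down to sequencing: the statement modifies `i` twice with no sequence point between the modifications, which the C standard (C11 6.5p2) makes undefined behaviour. The block below is an added example, not code from either post. It spells out three orderings a compiler could plausibly pick, each rewritten as well-defined C with one step per statement, so you can see that "the answer" ranges over 11, 12 and 13 before you even consider that a compiler is free to do something else entirely. The function names reading_a, reading_b and reading_c are this example's own.

```c
/* Added example: three legitimate-looking sequencings of `i = ++i + i++;`
 * for i == 5, each written as well-defined C.  The original one-liner has
 * unsequenced modifications of i and is undefined behaviour, so a compiler
 * owes you none of these results. */
#include <stdio.h>

/* Reading A: left to right, each side effect applied as its operand is evaluated. */
int reading_a(int i)
{
    int lhs = ++i;        /* i = 6, lhs = 6 */
    int rhs = i++;        /* rhs = 6, i = 7 */
    i = lhs + rhs;        /* i = 12 */
    return i;
}

/* Reading B: operand values taken from the original i, both increments
 * applied before the assignment, then the assignment overwrites them. */
int reading_b(int i)
{
    int lhs = i + 1;      /* value of ++i = 6 */
    int rhs = i;          /* value of i++ = 5 */
    i += 2;               /* deferred increments, i = 7, about to be discarded */
    i = lhs + rhs;        /* i = 11 */
    return i;
}

/* Reading C: as B, but the deferred increments land after the assignment. */
int reading_c(int i)
{
    int lhs = i + 1;      /* 6 */
    int rhs = i;          /* 5 */
    i = lhs + rhs;        /* 11 */
    i += 2;               /* increments applied last, i = 13 */
    return i;
}

int main(void)
{
    printf("reading A: %d\n", reading_a(5));
    printf("reading B: %d\n", reading_b(5));
    printf("reading C: %d\n", reading_c(5));
    return 0;
}
```

The fix in real code is the boring one the post already gives: split the update into separate statements so each modification of `i` is sequenced before the next.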

vx-underground

We've updated the vx-underground Windows malware paper collection

- 2023-09-10 - GIF Steganography from First Principles
- 2023-09-11 - MATLAB Reverse Shell
- 2023-10-09 - Demonstrating Sleep Obfuscation - KrakenMask

Check it out here: https://www.vx-underground.org/

vx-underground

"Sorry, you can't join our ransomware group, you don't have a Bachelors degree in computer science and you don't seem to have any certificates"

vx-underground

Insider Threats come in many shapes and sizes and are a major hurdle to any organization.

vx-underground

We've updated the vx-underground Windows malware paper collection

- 2023-07-29 - Lord Of The Ring0 - Part 5 Saruman's Manipulation
- 2023-08-13 - LAPS 2.0 Internals
- 2023-08-29 - DevTunnels for C2
- 2023-09-06 - How to Troll an AV

vx-underground

Here is a very poorly written way to do 'whoami' using CreateNamedPipe and Advapi32!NpGetUserName.

This undocumented function will do the generic LookupAccountSidW via GetUserNameExW, but it can act as a proxy function, or something.

https://pastebin.com/raw/ZsReS7k4

vx-underground

Google is introducing more new TLDs =D

.ing and .meme

New phishing links inbound!

vx-underground

52,807 new malware samples queued for upload in our VXDB and the vx-underground website.

*Reminder our VXDB allows you to search through our malware collection and download for free 🫡

https://virus.exchange

vx-underground

6 hours ago Reuters got confirmation from Boeing that they were impacted by a 'cyber incident'. Boeing declined to comment on whether Lockbit was responsible for the 'cyber incident'.

More information: https://www.reuters.com/business/aerospace-defense/boeing-investigating-cyber-incident-affecting-parts-business-2023-11-01/

vx-underground

> "DONT DO THIS!!! THIS IS A FELONY!!!"

No shit, Sherlock. It's satire

vx-underground

Yesterday ALPHV ransomware group listed Advarra, a clinical research technology company

Advarra told ALPHV quote "We do not pay digital terrorists". Additionally, ALPHV tried contacting one of their executives via text message. She told ALPHV "go fuk yourself"

😂😂😂😂😂

vx-underground

In the spirit of Halloween we will share something with you that is truly terrifying.

*Yes, this is a real game made by EA

vx-underground

We've updated the vx-underground malware source code collection on GitHub.

Yesterday the source code to banking trojans Android.Hook and Android.Ermac were leaked online.

*Hook is the successor to Ermac
*Thanks to 3xp0rtblog for the code

https://github.com/vxunderground/MalwareSourceCode

vx-underground

Christmas is coming early for Android malware fans.

vx-underground

There's been a bit of a debate lately about "whoami.exe".
