The largest collection of malware source, samples, and papers on the internet. Password: infected https://vx-underground.org/
A long time ago the administrator of Simland, a chatroom dedicated to the discussion of sim swapping (probably), did me a massive solid. I told him, "Thank you, I appreciate it. If you ever need anything let me know."
Well, he is invoking his favor request. His chatroom was banned, or suspended, or something, from Telegram and he is requesting I notify the general public it has returned.
You can do so here: @joinsimlandbot
New lore update on IntelBroker a/k/a Kai West
- Did swatting and bomb threats as a teenager
- Was raided by NCA UK
- NCA enrolls Mr. West in a cybersecurity trainee program (steer him in positive direction)
- Less than 2 years later he returns to cyber-crime
This is a totally normal way for a person to start a conversation
There is this weird idea that once a cyber criminal is convicted they immediately work for law enforcement.
I know this may be hard for some of you to hear, but the United States government does possess talented individuals and they do not need to hire and/or work with a convicted criminal to achieve their objectives.
More often than not, if the person is apprehended and it is not public knowledge, the person will become their puppet. A puppet is not an employee. You do not want to be a puppet for the United States government.
As stated previously, Mr. West and dozens of other Threat Actors we have seen are caught because they (incorrectly) believe law enforcement does not know their identity because they have not been visited or apprehended.
Law enforcement was able to easily identify Mr. West via Coinbase because of KYC (Know Your Customer), hence law enforcement was able to get Mr. West's driver's license and various other PII.
Once identified, law enforcement monitored Mr. West, as well as his associates, and established a long case and rap sheet.
He is currently facing over 20 years in prison in the United States.
French media outlets are reporting IntelBroker was apprehended by law enforcement February 22nd. Today they're reporting French law enforcement have apprehended 4 more individuals believed to act as administrators for breached
https://www.valeursactuelles.com/societe/info-va-les-administrateurs-francais-du-site-de-vente-de-donnees-volees-breachforums-interpelles
4. April 3rd, 2024: Mr. May distributes a CSAM compilation music video. The compilation includes a male forcing a prepubescent girl to perform oral sex on a dog, a man ejaculating on the face of a newborn baby, and a newborn baby being forced to consume the ejaculate of a male.
5. April 1st, 2024: Mr. May sends 3 different individuals a video of a group of men sexually assaulting a newborn child.
6. April 1st, 2024: Mr. May receives footage of a woman masturbating while she gives a newborn baby a fellatio.
The United States Department of Justice continues to provide profoundly graphic descriptions of the material Mr. May received. I am sharing the abridged descriptions of the official documents. I am too sickened to keep reading and discussing them. They share in total 10 descriptions. I am stopping at number 6. They continue to get progressively worse and more violent.
If found guilty he faces a total of 200 years in prison and $2,500,000 of fines.
[Content Warning: This post contains graphic descriptions that some readers may find distressing]
June 13th, 2025, United States South Carolina Senator Robert John May III was arrested in connection with the distribution of Child Sexual Abuse Material (CSAM). In April, 2025, the United States National Center for Missing and Exploited Children was notified of Mr. May's actions on social media platform Kik.
On March 31, 2024, Kik flagged several of Mr. May's videos as CSAM.
Mr. May was operating on Kik under the moniker "joebidennnn69" and other places online as "Eric Rentling" where he actively traded CSAM with other users. Kik flagged 28 unique CSAM videos shared by Mr. May with additional data showing the material derived from an IP address located in West Columbia, South Carolina, United States.
Following the notification from Kik, on June 27th, 2024, the Lexington County Sheriff's Office obtained a state warrant to retrieve information on the AT&T IP address distributing the CSAM. The IP address was tied to an AT&T account holder "Robert John May III" who was an acting United States Senator.
Because of Mr. May's career as a United States Senator, the United States Department of Homeland Security Investigations reviewed the case further. The United States HSI concluded the Kik account "joebidennnn69" connected back directly to Mr. May's residence via VPN 48 times, via cellular internet 67 times, and via the home internet 958 times. Additionally, the HSI concluded the home devices were NOT compromised as a result of a Threat Actor. Hence, according to the HSI, all CSAM activity on Kik was conducted by someone in the home who owned a Samsung SM-G781U1.
On August 5th, 2024, the HSI in conjunction with the Lexington County Sheriff's Office raided Mr. May's residence.
Authorities retrieved materials including a Samsung SM-G781U1 Android smart phone which was found at Mr. May's bedside. The phone contained the same e-mail address which was used to register on Kik.
The contents of the phone unveiled a total of 265 CSAM videos.
Forensic evidence shows Mr. May used Kik, Telegram, Loki Messenger, and MEGA to actively share CSAM and find other like-minded individuals. Interestingly, forensics shows Mr. May deleted all of his CSAM accounts April 4th, 2024, all within seconds of each other.
The MEGA account was registered to "Eric Rentling" and contained CSAM. Additionally, forensic evidence showed Mr. May possessed a secondary Facebook account which operated under the name "Eric Rentling". The Facebook account "Eric Rentling" contained an image of Mr. May. Upon examination the "Eric Rentling" Facebook account showed Mr. May speaking with sex workers in Colombia.
Per the United States Department of Justice in conjunction with the United States Department of Homeland Investigations, the United States Department of Justice's Child Exploitation & Obscenity Section, and United States South Carolina Lexington County Sheriff's Office, Mr. May was found in the possession of the following:
Idea: CAPTCHA-ware.
Every time the user clicks with the mouse (left / right click) a CAPTCHA takes focus and covers the screen. They must solve the CAPTCHA to continue
Users must either:
1. Learn to navigate using only the keyboard
2. Upload cat pictures to a website
I was thicc boi at 280lbs (127kg). Happy to share I've dropped down to 230lbs (104kg).
My goal is 180lbs (81kg).
50lbs (23kg) weight loss in 8 months
She's mastered the N word in her professional life
hOw iS maLwARe wRiTteN
I unironically see this question posed by people who can program.
In its simplest form malware is just like any other program written except it has task automation present. Anything after the task automation segment is an auxiliary component and designed to avoid detection.
For example, if we discuss information stealer malware (which is rampant online), it can be broken down into a few different "steps".
1. "Land" on the machine. Your first step is getting the program on the machine and getting the user to run the program. More often than not, this is the most difficult part for malware. The most common method is file masquerading — in other words, "ImportantFile.pdf.exe".
To make this file masquerading "Step" more believable to the target, you simply change the file's default icon to be that of a PDF file. This is extremely common in programming in general, I'm sure many of you have tried to customize your program.
2. Enumerate files on the machine. This is extremely easy to do and I'm sure any programmer can do this. Most files will be stored in the Documents directory. You use Windows GetEnvironmentVariableW function (or some variant of it) to get the user document directory. Then all you do is iterate through each file in that folder.
3. Examine each file discovered in the directory and/or follow sub-directories. Each file you encounter you should examine the file by determining its file extension. If the file extension is something which may possess something valuable (e.g. .PDF, .TXT, .PNG, .DOCX), then appropriate action should be taken and the next "Step" should be triggered.
4. Data exfiltration — any file deemed potentially valuable should be uploaded to a remote host you own. You can use any method you want and any host you want. Some malware uses Discord, some use FTPs, some use their own custom infrastructure. If you've ever written code that sends a document somewhere then you can do this.
5. Self-terminate. Your malware has done its job.
Anything else beyond those 5 key "Steps" is used to avoid detection. Additionally, malware developers will spend a great deal of time trying to find unique ways to enumerate files, identify files, or send files to remote hosts. The more unusual you can make your malware the better. Of course more "Steps" may be introduced to steal cookies, cached passwords, etc. Other "Steps" may be to identify where the malware is running (e.g. country, what version of Windows, etc).
Thanks for coming to my Ted Talk
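A defender's view of the same five steps, added here as an example and not code from the post: a toy behavioural check over process events that flags the two things the post describes, a double-extension image name like "ImportantFile.pdf.exe", and a process that reads many document files out of the Documents directory and then opens a network connection. The event tuples, paths, the executable-extension list and the read threshold are constructed assumptions, not real telemetry.

```python
import ntpath
from collections import defaultdict

DOC_EXTS = {".pdf", ".txt", ".png", ".docx"}   # the extensions the post calls "valuable"
EXE_EXTS = {".exe", ".scr", ".com", ".bat"}    # assumption: what we treat as executable
DOCUMENTS_DIR = r"c:\users\alice\documents"    # constructed sample user directory (lowercase)
READ_THRESHOLD = 5                              # assumption: document reads before we care

def _ext(path):
    # ntpath handles backslash paths even when this runs on Linux
    return ntpath.splitext(path)[1].lower()

def is_masquerading(image_name):
    """True for 'ImportantFile.pdf.exe': a document extension right before an executable one."""
    root, last = ntpath.splitext(image_name.lower())
    return last in EXE_EXTS and _ext(root) in DOC_EXTS

def analyse(events):
    """events: (pid, image, op, target) tuples. Returns {pid: [finding, ...]} for suspicious pids."""
    doc_reads = defaultdict(set)
    connects = defaultdict(set)
    images = {}
    for pid, image, op, target in events:
        images[pid] = image
        if op == "read" and target.lower().startswith(DOCUMENTS_DIR) and _ext(target) in DOC_EXTS:
            doc_reads[pid].add(target)          # step 2/3: enumerate and examine by extension
        elif op == "connect":
            connects[pid].add(target)           # step 4: exfiltration candidate
    findings = defaultdict(list)
    for pid, image in images.items():
        if is_masquerading(image):
            findings[pid].append("image name uses a double extension")
        if len(doc_reads[pid]) >= READ_THRESHOLD and connects[pid]:
            findings[pid].append("read %d documents then connected to %s"
                                 % (len(doc_reads[pid]), ", ".join(sorted(connects[pid]))))
    return dict(findings)

# Constructed sample events: one masquerading stealer, one ordinary Word session.
SAMPLE_EVENTS = [
    (4242, "ImportantFile.pdf.exe", "read", r"C:\Users\alice\Documents\taxes.pdf"),
    (4242, "ImportantFile.pdf.exe", "read", r"C:\Users\alice\Documents\passwords.txt"),
    (4242, "ImportantFile.pdf.exe", "read", r"C:\Users\alice\Documents\scan.png"),
    (4242, "ImportantFile.pdf.exe", "read", r"C:\Users\alice\Documents\contract.docx"),
    (4242, "ImportantFile.pdf.exe", "read", r"C:\Users\alice\Documents\notes.txt"),
    (4242, "ImportantFile.pdf.exe", "connect", "203.0.113.7:443"),
    (1111, "WINWORD.EXE", "read", r"C:\Users\alice\Documents\contract.docx"),
    (1111, "WINWORD.EXE", "connect", "update.example.net:443"),
]

if __name__ == "__main__":
    for pid, hits in analyse(SAMPLE_EVENTS).items():
        print(pid, hits)
```

A real deployment would feed this from EDR or Sysmon file and network events rather than a hand-built list; the threshold and extension sets are the knobs to tune against false positives from backup and indexing software.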
Furthermore, it is probably worth reminding people that the IRGC-CEC successfully compromised Donald J. Trump's political campaign in 2024.
3 individuals operating under the monikers "Jalili", "Aghamiri", and "Balaghi" successfully compromised aides to the current President of the United States via social engineering.
The United States government issued an official indictment for the individuals believed to be responsible for the compromise.
More information: https://www.documentcloud.org/documents/25177046-24-cr-439-indictment
Shout-out to YouTube
YouTube is scheduled to begin experimenting with unskippable advertisements.
YouTube will teach the kids (indirectly) to sail the seven seas.
Facebook by default makes all AI conversations public (???)
Now Facebook timelines are filled with people sharing incredibly sensitive information with Meta AI. This ranges from people discussing health problems, admission to tax fraud, people asking how to find young women, and more
To make things even worse, Meta AI allows audio input.
It's absurd that the NCA UK very seriously tried to steer a young Mr. West in a positive direction. They formally enrolled him as an official trainee, which makes his resume look good. They cleaned up his record. He was attending a university.
Despite his crimes, the United Kingdom government genuinely tried to steer him on a positive path and give him a bright future.
He took that opportunity and threw it in the trash.
Now he is being extradited to the United States and he will rot in a cell for 20 years.
What the fuck is this dude thinking?
Something very interesting happened.
An anonymous individual contacted vx-underground today regarding Kai West a/k/a IntelBroker.
This person told us that they attended the same university as him.
He informed us that Mr. West was apprehended previously in 2018 operating under the moniker "PartialDuplex" and was in a group who called themselves "Apophis Squad".
The National Crime Agency of the United Kingdom actually features a 17-year-old Mr. West for his previous crimes of swatting and bomb threat hoaxes.
hE wAs iN rAnSomWaRe lOl hEs GnnA wOrK aT tHe CiA
Bro, the ransomware dorks fucking buy stolen credentials from Redline logs. Then they log in, make a half-assed attempt to get to the domain controller, and push a payload. Even more "sophisticated" groups rely heavily on social engineering. You think the United States government, or any of their allies, can't buy Redline logs or social engineer people?
The fucking CIA spied on Muslims by creating a popular and free Islamic Prayer App on the Google Play store. They don't need some dorks making fucking phone calls for access to shit. Like, they've got a budget the size of other countries total GDP, you don't think they can just fork out some insane amount of cash for schizo exploits or malware?
Look at what Snowden leaked and then go look at the shitty ass malware you see from Threat Groups. Compare them. That shit from Snowden is old now too, you think they just randomly stopped doing shit?
Whatever man, I'm gonna go look at cat pictures
It's so incredibly depressing seeing young people, such as Kai West a/k/a IntelBroker, throw away their lives.
Let's think about it for a second.
If Mr. West is found guilty (which he probably will), he is facing 20 years (or more) in federal prison.
Think about how insanely long 20 years is. When Mr. West is released from prison he will be about 45 years old. He will have spent a good portion of his adult life in a prison cell.
I myself personally will be well into my 50s. My son will be in his 20s.
Many of you, who I know interacted with Mr. West, will be well into your 30s, or 40s. Many of you will have settled down and be married with children.
Celebrities we know right now will become irrelevant or die. Many current politicians will succumb to old age and die. If Mr. West has any beloved pets they will be dead.
Assuming Mr. West's parents are in their 40s right now, when he is released they'll be considered senior citizens. Mr. West will spend every Christmas, New Year's, Birthday, and even funerals, behind bars thousands of miles away from his friends and family.
Think of how many Threat Groups and Threat Actors appeared 20 years ago. How many do you remember? How many of you remember zf0? Presumably very few.
In 20 years Breached and Raid will likely be a distant memory that will be brought up on occasion or when discussing the history of cybercrime. IntelBroker may or may not be discussed. Regardless, as life carries on he will be locked in a cell.
That sucks so much
Note: This is a correction post. I incorrectly stated Kai West a/k/a IntelBroker moved money from RAMP (Ransomware MarketPlace) to Coinbase. That is wrong. I misread the court documents. It was RAMP Exchange Network.
tldr too many acronyms, I'm dumb
Per court documents, the Threat Actor known as IntelBroker was caught because he transferred money from RAMP (RAMP Exchange) to his personal Coinbase account.
He tried obfuscating the money transfer but it didn't work.
The Federal Bureau of Investigation and National Crime Agency have known IntelBroker's identity since late 2023, early 2024.
Deleting files recursively on Linux:
rm -rf /path/to/folder
Deleting files recursively on Windows (as typed at a cmd.exe prompt; inside a .bat file write %%F and %%D instead):
set "target=C:\Path\To\Folder"
rem delete every file under the target, walking all subdirectories
for /R "%target%" %F in (*) do del /F /Q "%F"
rem then remove the now-empty subdirectories, deepest first
for /F "delims=" %D in ('dir "%target%" /AD /B /S ^| sort /R') do rd "%D"
[Warning: This is your last warning. The following segment is extremely graphic. This information was made public by the United States Department of Justice. We are sharing it in the spirit of full-disclosure and to illustrate the crimes by Mr. May]
1. April 3rd, 2024: Mr. May sent 5 individuals footage of a fully clothed child giving a grown man a fellatio. The man recording the video pans the camera to the left in which the man receiving the fellatio is performing the act in front of his wife and newborn child
2. April 3rd, 2024: Mr. May receives footage of an adult male penetrating a newborn baby's vagina. The baby winces in pain and cries.
3. April 3rd, 2024: Mr. May receives footage of a woman kneeling an infant down with its bottom exposed. A woman then performs oral sex on the newborn.
Parents,
I heard a weird noise coming from my child's room. I checked, and he was reading Windows Internals Vol. 1, specifically on the Windows I/O system. He was also wearing some computer virus swag.
Has anyone seen this before? What do we do?
Thanks,
Never cared I was getting thicc. Decided to lose weight so my son didn't see fat stinky Dad on computer being yucky.
Now he just sees stinky Dad being yucky
Good morning, afternoon, or evening.
The boys are making some backend infrastructure changes. We'll be moving some data and stuff. Once this is completed we will begin doing updates.
I have probably 400+ papers in queue. Lots of cool stuff.
Malware is cool
when i see misinformation vs misinformation on malware
It's interesting seeing people make shit up on social media. The first attached image is a lie.
tl;dr real hacker, did real and serious damage, "mr soll" didn't do some weird made up bullshit
"Mr. Soll" a/k/a Mr. Soul is a person operating within the "CyberAv3ngers" group. The CyberAv3ngers are a well-known state sponsored group operating within the IRGC-CEC (Islamic Revolutionary Guard Corps, Cyber-Electronic Command). The CyberAv3ngers have been active for several years.
Historically, the CyberAv3ngers have targeted critical infrastructure within the United States and Israel using a malware dubbed "IOCONTROL". Using IOCONTROL CyberAv3ngers targeted ICS/SCADA devices (Industrial Control System/Supervisory Control And Data Acquisition) as well as other devices such as PLCs (Programmable Logic Controllers).
CyberAv3ngers made a significant amount of "noise" in November, 2023, when one of their operations targeted default credentials on PLC devices across the United States. The compromised device would display "You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target." The attack often rendered the PLC inoperable using "Crucio ransomware".
"Mr. Soll" did no such action stated in the first attached image — but "Mr. Soll" and/or the CyberAv3ngers have taken offensive cyber approaches for many years. However, CyberAv3ngers will gladly accept this post and declare it as truth as this aligns with IRGC-CEC misinformation campaigns.
Correction: Facebook users are saying it does not make the Meta AI conversations public. Instead users are somehow sharing it (???)
Users gonna be users, or something.
That is exactly how financial point of sale systems work