The largest collection of malware source, samples, and papers on the internet. Password: infected https://vx-underground.org/
Please remember me as a man who tried his best and really enjoyed pictures of silly kitty cats.
I'm ready now. I'm at peace. The gamers will now call me a retard and the N-word for an eternity.
BREAKING: New intelligence from the United States Department of War suggests cars go all like VRRROOOOOM, SKRRRT, and PFFFTBLOOOOSH.
Donald Trump is being briefed on the situation now.
ShinyHunters leaked the RockStar Games data.
The data isn't anything special. There is no PII or source code. The data is primarily financial metrics.
This may come as a surprise to some of you, but based off of this data, it appears RockStar Games makes a FUCK TON of money
Over 200 media outlets are blocking Internet Archive.
Media outlets say because AI, or something, but also (and TOTALLY UNRELATED) since they're blocking Internet Archive there is no way to tell if the government or media outlet has deleted or changed something.
However, they say this is TOTALLY UNRELATED and they block Internet Archive because AI can train off Internet Archive, or something, I don't know, it's all bullshit.
https://www.wired.com/story/the-internets-most-powerful-archiving-tool-is-in-mortal-peril/
Hi
I've added another 550,000+ malwares to the malware library. Please download the malware and share it with your friends and family.
https://vx-underground.org/Updates
Bro is sending me e-mails from an (extremely convincing) Police Department ON A SATURDAY.
Dawg, Saturday I am in SHAMBLES. I am trying to survive with this baby. Do you have any idea how often these things defecate and eat? It's unreal
> be me
> mentioned by LTT
> large YouTube channel
> "oh that's cool, I'm on TV"
> show the clip where mentioned
> check comments
I don't want to assume anything, but I think this person dislikes LTT and now dislikes me for being shown on his recent video.
Read a tragic story today about a 17 year old girl in the United States who died from "excessive caffeine usage".
I felt bad for the parents. If I lost my son I don't think I would be able to cope with the loss of my baby boy.
The story went on to explain the young woman's parents are suing the energy group company (Alani) for not adequately explaining the dangers of caffeine.
I was curious... How much caffeine was she consuming? According to her official death report she died from 200mg of caffeine
200 MG OF CAFFEINE?!
Peace and love to the parents, but dawg 200mg of caffeine isn't fucking shit. That is amateur hour. That is well within the daily recommended limit of caffeine consumption.
I DARE her parents to go to any IT place (cybersecurity, networking, programming, etc) and fucking look around the room for 2 seconds. They would be FLABBERGASTED.
I myself personally consume 600mg - 800mg of caffeine a day.
I know this lady who does malware stuff who unironically drinks coffee ALL DAY LONG. Every other word out of her mouth is, "excuse me for a moment, I need to make another pot of coffee", and she's probably ingesting 1.6 GRAMS of caffeine.
One of my colleagues is an ex-military guy WHO DRINKS WORKOUT SUPPLEMENT because his caffeine tolerance is so high.
Don't even get me started on the nerds who take no-doz (caffeine pills).
Then combine all of this caffeine with the nerds drinking alcohol, or smoking cigarettes, or weed, or vape, or Adderall.
Her parents are trying to make a cash grab or something, I don't know bro.
RockStar Games being extorted (again)
ShinyHunters were able to get data from Rockstar Games by compromising a third-party entity (Anodot) which allowed them to pivot to SnowFlake which allowed them to pivot to RockStar Games data.
What data they were able to get is unknown.
Analysis from eSentire:
https://www.esentire.com/blog/stx-rat-a-new-rat-in-2026-with-infostealer-capabilities
CPU-Z and HWMonitor nerd (d0cTB) put out a statement.
Compromise was present for approx. 6 hours. This is an extremely short period of time.
Also, extremely fast response by the nerds at cpuid.
Mr. Titus Tech is correct. cpuid-dot-com is indeed delivering malware right now.
As I began poking this with a stick I discovered this is not your typical run-of-the-mill malware. This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.
The C2 domain present in one of the binaries is a clear IoC. This is the same Threat Group who was masquerading FileZilla in early March, 2026. They've been busy.
I made a series of posts similar to this one designed to illustrate how astronomically absurd 10pb of data is.
It (somehow) transformed into a bunch of stinky nerds arguing about storage costs, architectural requirements, local storage vs. cloud storage, etc.
It appears I have made a series of mistakes when reviewing some of the financial data from RockStar Games.
What does this mean? I've spread misinformation and I will be burned at the stake by gamers.
It was nice knowing all of you
I am absolutely sickened by the amount of money Grand Theft Auto V Online makes
In fairness, media outlets want to charge you $9.99/month to read their half-AI generated web articles and Internet Archive does sometimes sort of provide a way to evade this.
However, there are tons of other ways to bypass this pay wall. I also do not trust the government. I also am extremely suspicious of media outlets. Sometimes I read what they're saying and I go, "HMMMMMMMM", hence I am extremely biased in this post.
This is very good malware.
This is solid-solid-SOLID B+ malware, very close to A- malware.
APT37 is using an old-school playbook. They're doing EPO (Entry Point Obfuscation) on a self-delivered binary for evasion. They also unironically are using something akin to cavity infection ... but on themselves. This is something you saw more in the Windows 95 - Windows XP era, not something you see in 2026.
Very cool. I respect it.
The multi-staged fragmentation of shellcode phases is also really, really, really cool. This is (once again) a more old-school technique usually reserved for infected binaries, not self-delivered binaries.
Despite all of these super cool features, APT37 shoots themselves in the foot immediately.
- EAT walking for Kernel32 functionality (???)
- XOR decryption is a huge red flag
- Allocating with PAGE_EXECUTE_READWRITE (???)
- Hardcoded OAuth token (???)
- Used external dependency for AES (???)
Why not use NT functionality to hook evasion? XOR is easily identified in static analysis, why XOR? Allocating memory with VirtualAlloc with RWX is a MASSIVE RED FLAG. They also hardcode an OAuth token ... they can multi-stage a shellcode payload with old-school malware techniques but hardcode AN OAUTH TOKEN?
It unironically makes me wonder if they had one old-head malware guy working on it, then they had some newer dude do the non-hardcore stuff. There is a huge gap in skill sets here.
Or the old-head hasn't kept up to date on malware stuff since 2005... or they got lazy... I don't know, really weird.
https://www.genians.co.kr/en/blog/threat_intelligence/pretexting
1 year olds are far more exhausting than 6 month olds.
Parents warned me. They were correct.
Bro HAS to put ALL FOOD on his head.
- Beans
- Soup
- Mac and Cheese
- Strawberries
- Blueberries
If he doesn't rub it on his head, or eat it, he throws it on the floor.
I'm tired.
Dear Threat Actors,
I typically do not reply on weekends. I am busy doing stuff with my 1 year old son. Please send your e-mails during regular business hours M-F so I have an opportunity to send silly pictures of kitty cats.
Thanks,
-smelly
For the record, I'm not mad at this person or bothered by the comment.
The extreme hostility from what I believed to be a relatively benign clip made me audibly laugh.
Bro DOES NOT like LTT.
I guarantee you half of you stinky nerds reading this right now have consumed more than 200mg and it's only noon (in parts of the United States).
I'm sorry to her parents, I'd be devastated, but 200mg of caffeine is nothing
I don't care what those nerds at Kaspersky say, I stand by my opinion STX Rat is a solid B- malware.
Yeah, the cpuid-dot-com operation was a gigantic fumble, but the malware is pretty neat, far superior to the generic crimeware you find online.
I'm happy LTT included the cat
The United States economy is doing so bad financially motivated Threat Actors don't even want to steal from us Ameriburgers anymore. They're stealing from Mexicans now :(
Chat, I've changed my mind. We have some problems in the AI department.
It turns out someone compromised the Mexican government to an unbelievable extent using nothing but Claude and ChatGPT. I'll link the full paper in the subsequent post. However, here are the highlights of how an unknown Threat Actor "vibe hacked" the Mexico government.
Data stolen from...
1. SAT (Servicio de Administracion Tributaria) - Federal tax authority:
- 195 million taxpayer records
- 52 million directory records
2. Estado de Mexico - State government:
- 15.5M vehicle registry records
- 3.6M property owner records
3. Registro Civil de CDMX - Mexico City civil registry:
- 220M civil records
4. Jalisco state government:
- 50K patient records
- 17K domestic violence victim records
- 36K healthcare employee records
- 180K digital government records
5. INE (Instituto Nacional Electoral) - National electoral institute:
- 13.8K voter card records
6. Michoacan state government:
- 2.28M property records
- 2K user accounts with plaintext passwords
7. SADM Monterrey (Agua y Drenaje) - Municipal water utility:
- 3.5K procurement and vendor records
- 5K procurement bid records
I woke up this morning curious as to what my peers had discovered about this cpuid shenanigans. I was not disappointed.
Several of my peers ripped this thing apart much more thoroughly than I did. I am immensely impressed by how neurotic some of you are when bonking malware with sticks (N3mes1s).
To make a long story short, the cpuid-dot-com compromise, CPU-Z malware, and HWMonitor malware campaign was performed using "STX Rat". STX Rat is a new malware family discovered around early March, 2026, and has been gaining some traction.
Interestingly, a really in-depth analysis of it was published April 8th, 2026 by eSentire (I'll link in subsequent post, research was performed by YungBinary). From my super quick bonking I was correct this cpuid malware campaign does indeed steal credentials. However, what I missed was that it also allows the Threat Actor remote desktop capabilities into your machine.
I also missed some of its unusual hashing capabilities, .db Powershell persistence method, ... and some other really cool malware technologies it utilizes. This is NOT trash malware. The people who wrote this very clearly know what they're doing.
Very interesting stuff
Yeah, so pretty much this http://cpuid.com malware is a pain in the ass. I'd have to spend a good bit of time trying to bonk it with a stick and reconstruct some of it. Whoever developed this malware actually cares about evasion and made some intelligent decisions when developing this malware payload.
This appears to only impact HWMonitor 64bit. It appears (based on user reports) cpuid became malicious around 7PM EST, April 10th, 2026. However, it is possible it was much earlier than this, this is just when people began noticing and discussing it online.
From an extremely high-level overview, it appears the ultimate goal of this malware is data theft, specifically browser credentials. However, I could be wrong in that assessment, but I'm fairly confident in it. I'm guessing this is the end goal because when I emulated it I can see it messing with Google Chrome's IElevation COM interface (trying to dump and decrypt saved passwords). However, between this it does a bunch of other stuff too.
1. They (an unknown Threat Actor) compromised http://cpuid.com to deliver malware from HWMonitor. It impacts the actual installer as well as the portable installer. It downloads stuff from supp0v3-dot-com, the same domain used from a previous malware campaign targeting FileZilla in the beginning of March, 2026 initially reported by MalwareBytes.
2. HWMonitor comes packaged with a malicious CRYPTBASE.dll. CRYPTBASE.dll is a legitimate Windows library, but they made a fake one to blend in (malware masquerading). This DLL is responsible for connecting to their C2 and downloading the other malware stages.
3. It tries to detect emulation and prevent reverse engineering by checking for the presence of specific registry keys on the machine. However, they failed doing this and didn't account for everything. Notably, they only check for VirtualBox (whomp, whomp).
4. It downloads a .cs file from a remote C2 and then compiles it manually on the machine by invoking .NET stuff. This is an interesting strategy. It does all of this via Powershell (LOLBIN nonsense).
5. The .cs file it compiles is a .NET binary with NTDLL exports. The main HWMonitor binary performs process injection using this compiled .NET binary. This is an interesting strategy.
6. Almost everything it does is performed in-memory. I would have to go through this and manually bonk all of this stuff with a stick and determine precisely how it operates. However, I don't think that is necessary because at this point we know this is malware and we know it's trying to steal browser credentials.
+2 points for IElevation COM Interface credential dumping
+1 point for inline Powershell CLI DLL compilation
+1 point for .NET assembly NTDLL export proxying
-1 point for botched anti-emulation
+2 points for website compromise and supply chain attack
+1 point for memory persistence
-3 points for recycling the same C2 from March, 2026 campaign
Overall I give this malware a B-. This is pretty good malware.
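The chain in the post above (a fake CRYPTBASE.dll shipped next to HWMonitor, a downloaded .cs file compiled on the box through PowerShell, and a C2 reused from the March FileZilla campaign) gives a defender three cheap telemetry checks. What follows is an added example written for this page, not code from the post, from cpuid, or from any vendor's analysis. It runs over constructed endpoint events (the file paths, process names and the pipe-delimited log shape are assumptions; the supp0v3 domain is the one named in the post, refanged so it can be matched) and flags: a Windows system DLL name loading from an application folder, PowerShell spawning the C# compiler (the process-tree signature of an Add-Type build of a downloaded .cs file, which is assumed to be how the compilation was done), and a connection to the known C2 domain.

```python
"""Triage of constructed endpoint telemetry for the cpuid/HWMonitor pattern.

Added example for this page; the events below are constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# Directories from which Windows system DLLs such as CRYPTBASE.dll are expected to load.
SYSTEM_DLL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# DLL names that belong to Windows and should never be loaded from an application folder.
# The post describes a fake CRYPTBASE.dll packaged with HWMonitor.
MASQUERADE_CANDIDATES = {"cryptbase.dll"}

# Domain named in the post (defanged there as supp0v3-dot-com), refanged for matching.
C2_INDICATORS = {"supp0v3.com"}

# PowerShell spawning the C# compiler is what an in-line Add-Type build of a downloaded
# .cs file looks like in process telemetry (assumption: that is how the campaign compiled it).
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
COMPILER_IMAGES = {"csc.exe", "vbc.exe"}

# Constructed sample events: kind|key=value|key=value (paths are invented for the example).
SAMPLE_EVENTS = [
    r"ImageLoad|process=C:\Program Files\CPUID\HWMonitor\HWMonitor_x64.exe"
    r"|image=C:\Program Files\CPUID\HWMonitor\CRYPTBASE.dll",
    r"ImageLoad|process=C:\Windows\explorer.exe|image=C:\Windows\System32\cryptbase.dll",
    r"ProcessCreate|parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
    r"ProcessCreate|parent=C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"
    r"|image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
    r"NetConnect|process=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|host=supp0v3.com",
]


def parse_event(line):
    """Split 'kind|k=v|k=v' into a dict with the event kind under 'kind'."""
    kind, _, rest = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in rest.split("|"))
    fields["kind"] = kind
    return fields


def check_event(ev):
    """Return a list of (rule_name, detail) alerts for one parsed event."""
    alerts = []
    if ev["kind"] == "ImageLoad":
        image = PureWindowsPath(ev["image"])
        # A system DLL name loading from anywhere but the system directories is the
        # sideloading / masquerading pattern the post describes.
        if (image.name.lower() in MASQUERADE_CANDIDATES
                and str(image.parent).lower() not in SYSTEM_DLL_DIRS):
            alerts.append(("dll_masquerade", ev["image"]))
    elif ev["kind"] == "ProcessCreate":
        parent = PureWindowsPath(ev["parent"]).name.lower()
        child = PureWindowsPath(ev["image"]).name.lower()
        # An IDE spawning csc.exe is normal; a shell spawning it at runtime is not.
        if parent in SHELL_IMAGES and child in COMPILER_IMAGES:
            alerts.append(("powershell_runtime_compile", ev["image"]))
    elif ev["kind"] == "NetConnect":
        if ev["host"].lower() in C2_INDICATORS:
            alerts.append(("known_c2_domain", ev["host"]))
    return alerts


def triage(lines):
    """Run every rule over every event line and collect the alerts in order."""
    alerts = []
    for line in lines:
        alerts.extend(check_event(parse_event(line)))
    return alerts


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The DLL rule is the one worth keeping after this campaign is forgotten: a short allow-list of directories per well-known Windows DLL name catches the masquerading step regardless of which application the trojanized package pretends to be, while the domain rule only lasts until the actor stops recycling the C2 (which, per the post, they have already done at least once).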
Here is a silly explanation
> company gets bamboozled
> fires, explosions, people screaming at the sky
> bystanders pointing saying "omg"
> literally screaming, crying, throwing up
> threat intel all over it
> cybercrime tmz all over it (that includes me)
> DFIR nerds come in
> DFIR contain the crime scene
> DFIR tells businesses to calm down
> DFIR tell people "nothing to see here"
> look inside
> TeamPCP
> AV vendors begin building rules
> Threat Intels say: "hmph, interesting"
> Threat Actors say: "ooga booga"
> quiet, eerily quiet
> DFIR working, AV working, lawyers lawyering
> Threat Actor probably extorting
> fire is put out, now people have to clean up mess
> no fire? no interesting
> clean up is LAME and NOT EXCITING
> Threat Actor creep back into the shadows
> DFIR angry in quiet
> Lawyers lawyer in quiet
> Threat Intel do the internet stalking
> customers do the lawsuits
> th—
> BOOM EXPLOSION
> "wtf was that???"
> everyone turns to their left
> wh—
> NEW FIRE!! NEW EXPLOSIONS!!!
> bystanders pointing saying "omg"
> literally screaming, crying, throwing up
> threat intel all over it
> cybercrime tmz all over it (that includes me)
> DFIR nerds come in
> DFIR contain the crime scene
> DFIR tells businesses to calm down
> DFIR tell people "nothing to see here"
> look inside
> (not TeamPCP, different Threat Actor)
... and then repeat this cycle about 100 times a week but for different countries, different companies, and different Threat Actors.
And while everyone is focusing on a different fire and explosion Threat Actors are shifting focus, laundering money, cleaning up, or scouting new targets. Blue Team is suffocating from the sheer volume of crime while AI nerds say shit like "cybersecurity is dead" (it is, don't go into cybersecurity)
tl;dr it's the cycle of life
>Hacking is illegal and for nerds
>"Uhm, actually, hacking isn't illegal. Hac....."
SILENCE NORMIE