vxunderground | Unsorted

Telegram channel vxunderground - vx-underground


The largest collection of malware source, samples, and papers on the internet. Password: infected https://vx-underground.org/


vx-underground

Oh, I forgot, to create a directory you cannot use CreateFile. CreateFile is only used for getting access to a directory object. If you want to create a directory you need to use CreateDirectory or CreateDirectoryEx.

There is also OpenFile, which kind of acts similarly to CreateFile, and you can also call DeleteFile instead of CreateFile with the FILE_FLAG_DELETE_ON_CLOSE flag.


vx-underground

This is absolutely disgusting content.

My Mother, an angel whom'st've never used a GNU or a Linux, was a devout Windows user. She was not a Linux.

Also, I am not a larp. I own several Gay Fox masks and have visited 4channel. I used Kali Linux twice (when my Mom wasn't looking), and have only given my ID verification to Instagram and Facebook.


Oh, and by the way, I encrypt my banking information using Coinbase Bitcoin.

I'm off the grid.


vx-underground

omggg i made a joke about only 25 people using arch and all the fucking arch nerds appeared like UHMM ERRM SCHMELLY, ID LIKE TO INTERJECT FOR A MOMENT ,,, ASHCTULALY ARCH IS P POPULAR AND ITS USED FOR STEAM AND

holy cannoli bro, shut uppppp. its a joke. fucking hell


vx-underground

It is worth noting this compromise contains many elements which appear assisted by AI. I am making an educated guess and am going to state I believe these Threat Actors may have used AI to assist in this compromise (to an unknown extent).


vx-underground

I'm not going to lie: I've basically completely tuned out this Arch Linux supply chain attack stuff. I'm being dead ass serious when I say I can't FATHOM this having a widespread impact.

Seriously, this is your target? Nerds who compile kernels for fun? Wtf?


vx-underground

Watching UFC 250 Freedom

They just announced Meta, with something from Mark Zuckerberg, are gifting Meta Glasses to every veteran who has poor eyesight or is blind.

I don't trust it. I don't trust Zuckerberg. I don't trust the government.


vx-underground

This is a tricky question and, in a bit of irony, there is a kind of like ... an unspoken ... or poorly documented philosophy of malware development. You kind of learn tricks of the trade as you write malware and witness malware campaigns operating in the wild.

tl;dr idk it depends on wtf ur doing bro

non-tl;dr

To be direct, malware that works is not necessarily good malware. You can write a simple Windows batch script that deletes every file in an important directory and (technically) this would be "wiper" malware. This does not make it good, or sophisticated.

Additionally, what defines "good" has changed over time. There tend to be trends with malware development. Malware tricks that used to work in the 90's are old news. Malware tricks from 2025 are old news (sort of). However, some malware tricks from the 90's are still applicable and can still be evasive.

It's weird.

You'll also see old tricks from the 90's suddenly reappear and catch everyone off guard because... people simply forgot they even existed... The trick is usually only identified by industry veterans (or as the kids say, "unc" or "old heads") who are also surprised the trick has re-emerged. What's old is new. What's old is also old. What's new will eventually be old.

Anyway, "good malware" also depends on the objective. State-sponsored malware (malware written by governments, or written for government or military usage) has extremely strict rules of engagement (usually, not always, but usually). State-sponsored is usually extremely narrow in scope and designed for a very small and limited audience. State-sponsored may not necessarily be super advanced and cutting edge, but because it is so narrow in scope it is difficult to identify.

Conversely, financially motivated Threat Actors (malware developed for ... crime ...) is usually designed to be ass blasted in your face and sprayed across the internet.

Financially motivated Threat Actors will typically (if it's "good malware") design malware to be modular. In other words, because it is being blasted all over the internet it will be detected quickly, hence their malware needs to be broken down into almost like ... plugins ... and they need to have it so their malware can quickly replace one segment of code with another (and quickly).

If you've ever seen racing like NASCAR or F1, you'll notice vehicles can be torn apart in basically seconds and re-assembled, parts effortlessly replaced so it can quickly get back in the race. Likewise, modular malware needs to be able to change quickly to avoid its inevitable detection. If you're curious, look up TrickBot, Emotet, or QakBot. They kind of defined what it means to be modular. They also kind of gave birth to what's known as "MaaS" (Malware-as-a-Service).

State-sponsored Threat Actors' malware is trickier because it needs to be designed for a target. For example, when the United States (allegedly) targeted the Chinese government (allegedly) as APT NightEagle (allegedly) the malware was developed to work almost exclusively for specific Chinese infrastructure and (allegedly) contained exploits which would work in ideal scenarios which (allegedly) were that of Chinese critical infrastructure.

This can also be seen with what the Russian government alleges the United States and Israel (allegedly) did with Operation Triangulation, where the malware (allegedly) only worked for specific sets of hardware (allegedly). Furthermore, this can also (allegedly) be seen with the United States (allegedly) purchasing cell phone malware from Israeli companies (allegedly) which were developed and sold to ICE (allegedly) to spy on people critical of ICE (allegedly).

These companies are called NSO Group and Intellexa Alliance.

Of course, the United States and Israel government vehemently deny the allegations from the Chinese and Russian government.

Okay, I have to stop writing and schizo ranting for the time being. I have to go back to watching a baby and stuff.


vx-underground

Holy cow

Unlimited AI usage!!!!

Just run GPT_Claude_Free.exe as admin


vx-underground

I've been asked a bunch about AI and malware.

As many others have stated many times, and I will happily regurgitate, AI acts as an augmentation device to skilled Threat Actors and a kiddy booster to non-skilled Threat Actors.

AI has yet to produce truly sophisticated malware, presumably because non-skilled Threat Actors don't know the correct nomenclature or what exists and what doesn't.

Skilled Threat Actors know what is, and what isn't, possible and AI enhances their skill set and allows RAD (Rapid Application Development) for languages people may be less skilled in.

Conversely, my malware library must adjust appropriately for the future and include malware targeting AI agents. AI focused malware is a new and evolving threat. It is paramount information like this be archived. Unfortunately, I myself am not an AI expert, I only have an elementary understanding of the programmatic implementation of AI models, hence I am incapable of assessing what is a good malware paper on AI agents, and what isn't.

We'll figure it out.

Cheers


vx-underground

i have absolutely no idea what to do but i was assured ill do great and its easy


vx-underground

New movie coming out about Mark Zuckerberg.

I didn't read the plot because I don't give a fuck, but look at who they hired to play Zuckerberg. It's like if Zuckerberg had a high-functioning autistic Uncle named Mark Uncleberg


vx-underground

June 2nd, McAfee released a paper on malware targeting Minecraft nerds.

Minecraft nerds and malware aside, this is the header image they used in the paper.


vx-underground

I don't know the whole lore, but nine crypto drainers and/or sim swappers have been apprehended in the UAE.

According to Threat Actors, cryptocurrency nerds (including ZachXBT), the people in the UAE are being tortured.

The full extent is currently unknown, however it's been reported the UAE government has broken their fingers, pulled their teeth out with pliers, and beaten them in detention cells. They're still locked away.

These nine individuals have been in Dubai flexing expensive watches, partying with models, showing off expensive cars, etc. None are citizens of the UAE.

I don't know what they did to make the UAE so angry, but they're extremely angry. I also don't know if prisoners have the same rights in the UAE as you would in countries like the UK or USA.


vx-underground

I considered sharing the screenshot, but from what I've seen and heard, Instagram are severing the heads of people who post Mark's phone number. I've seen a few X accounts get suspended.

Silly shenanigans indeed


vx-underground

I've got a backstreet boys song stuck in my head I haven't heard since 1999


vx-underground

Tired of noobs complaining the WINAPI for malware development is weird. It's not.

How do you create a file?
The CreateFile function.

How do you open a file for reading?
The CreateFile function.

How do you open a file for writing?
The CreateFile function.

How do you get a handle to a directory?
The CreateFile function.

How do you delete a file?
The CreateFile function.

How do you get access to a physical disk?
The CreateFile function.

How do you get access to a file stream?
The CreateFile function.

How do you get access to the console buffer?
The CreateFile function.

How do you get access to pipes?
The CreateFile function.

How do you perform interprocess communication?
The CreateFile function.

Just make sure you use the appropriate version of CreateFile (CreateFileA for ANSI, or CreateFileW for wide characters).

Alternatively, you can use CreateFile2 which is the same as CreateFile except the parameters are passed as a data structure named CREATEFILE2_EXTENDED_PARAMETERS. However, be aware CreateFile2 only works on Windows 8 and above and is designed more or less for programs running from the Windows app store.

Alternatively, alternatively, you could use CreateFile3 which is nearly identical to CreateFile2 except it uses the CREATEFILE3_EXTENDED_PARAMETERS structure and is more or less designed for sandboxed packaged applications. However, be aware CreateFile3 only works on Windows 11 24H2 and above.

It's shrimple, honestly.


vx-underground

ERHMMM SCHMEEELY ITS USED BY ABOOT 10 PERCENT OF THE LIN...

i dont care bro, its a joke, save your factoids for someone else.


vx-underground

Something is fundamentally broken with Telegram. Telegram nerds have informed me they're receiving ... dating advertisements? On the vx-underground channel?

I've literally never felt the touch of a woman


vx-underground

Novo Nordisk has been compromised. Novo Nordisk has confirmed the compromise.

Novo Nordisk is the company that became famous after producing weight loss drugs like Ozempic and Wegovy.

The Threat Actor(s) responsible for the attack has been playfully extorting Novo Nordisk (they're not being playful) and have unveiled some details regarding what was stolen.

Interestingly, it appears Novo Nordisk has its own internal AI thing because some of the data stolen was stuff from their internal AI agents.

Data stolen (according to the Threat Actor):
- Trained model checkpoint (16GB)
- Proprietary training dataset (407MB)
- Full source code (modeling_novopert.py, training pipeline)
- 113 training runs with complete logs
- Internal infrastructure maps (HPC, Slurm, SSH)
- Container images (53GB+)
- Developer identities and internal hostnames
- Private GitHub repository URL


vx-underground

Arch Linux is still having supply-chain attacks and other misc. security issues.

This is devastating to the over 25 people who use Arch as a daily driver.


vx-underground

I love writing "allegedly" in these. It makes me giggle. The United States will be caught red handed and they're like, "nah, wasn't me" and everyone in cybersecurity is like, "damn..." then nothing happens.

Silly NSA and CIA doing silly stuff


vx-underground

Someone showed me this on Telegram. It is very silly. It is clearly masquerading as "Free GPT and Claude". Anyone with half a brain knows this is malicious, but people will still fall for it.

People asked what it is. I have some free time. I poked it with a stick.

People discussing it said it is XMRig. That is not entirely accurate. This is not XMRig. This is flagged as XMRig from Triage and VirusTotal because it does indeed drop XMRig, but it is much more than that. This is a (maybe new) information stealer packaged with XMRig as a double whammy.

This malware is interesting because of a few things:

1. It is position independent, they care enough to be evasive and strip out a majority of dependencies. This is usually indicative of more serious malware.

2. The .zip it delivers from the "Free GPT and Claude" is intentionally bloated (payload inflation). It is 97MB, which may evade a majority of anti-malware products (initially) due to its large size. It packages itself with FFMpeg and various other audio codecs.

3. It accesses Microsoft Outlook e-mails, accesses Chrome stuff using the COM IElevationService, and looks for any SFTP credentials.

It (currently) does not have any matching YARA rules from AV vendors. The closest approximation is LummaStealer. My knowledge base on the Information Stealer scene is out-of-date (it changes a lot). However, on first initial glance this appears like a new information stealer. Again, this should be taken with a grain of salt.

It's also worth noting the domain it exfiltrates to does not appear in any malware reports. The domain is unique, and the payload does not match any existing YARA rules (its behavioral characteristics do, but not a specific malware family), so this is actually a pretty interesting sample.

A lookup though shows this is an emerging malware campaign. It first appeared around the end of May. This is (probably) a known Threat Actor who has switched it up a bit (or it's MaaS, whatever though).

The malware appears online masquerading as various products.
- ecore-sourceproject
- LogiDA
- GPT_Claude_Free
- CortexSystems.v3.4.2.Stable
- TikTokBot-v2.2
- CortexLauncher

Funny enough, this malware would have been much, much, much, MUCH more evasive if they didn't package it with XMRig. VirusTotal and Triage immediately flagged it because after it establishes persistence, and steals any credentials on the machine, it pulls XMRig to turn into a cryptocurrency miner.

If they did not pull the XMRig binary this stealer would be much more quiet. I have no idea why they decided to burn their OPSEC with XMRig.

C2: dfwioeiofwr-dot-info
Payload (and associated families from the C2)


vx-underground

There is some bizarre thought that AI can just wish hyper sophisticated, never seen before, malware into existence. The reality of the matter is that truly sophisticated malware requires quite a bit of creativity combined with objectives and targets. It is not malware aimlessly blasted into the wild.


vx-underground

Literally the worst cable management I've ever seen in my life


vx-underground

Through a series of shenanigan events, I will be participating in the Continuum Con keynote

I saw people discussing it. I joked if I could join. I was suddenly invited. I have no idea what I'm doing.

tl;dr shitposted my way into giving a keynote, scared and confused


vx-underground

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/weedhack-minecraft-malware-as-a-service-campaign-research/


vx-underground

Anti-malware companies vs me doing malware analysis


vx-underground

> be Zuckerberg
> needs AI everywhere (apparently)
> lays off a bunch of employees
> replaces with AI
> fast forward
> AI is dog shit
> AI tricked into stealing accounts
> try to fix
> fail like 5 times
> product now leaking CEO's PII

AI truly is the future, wow


vx-underground

Meta is still having some minor security problems. Instagram is currently exposing phone numbers and email addresses associated with accounts when trying to perform a password reset.

This is cool and badass because everyone is sharing Mark Zuckerberg's phone number right now.


vx-underground

Ah ha! I've got an idea! I cover every inch of the website with big dick pill advertisements.
