The largest collection of malware source, samples, and papers on the internet. Password: infected https://vx-underground.org/
> wake up
> take a shit
> get out of bed
> check beep boop machine
> everyone calling me names
> crazy cat malware man
> mfw
Please forgive me, European colleagues and friends, how hot is -120c? Should we be concerned?
It's 2026 bro, fuck it.
It's time to go to court and sue people over TUNG TUNG SAHOR and U DIN DIN DIN DIN DUN MA DIN DIN DIN DUN, intellectual property of AI slop brainrot, and Roblox mini-games.
>get dm
>smelly there is MALWARE for FREE on REDDIT
>mac subreddit
>ad for some goop
>look inside
>VIBE CODED MALSLOP
YOU LEFT NOTES IN YOUR BASE64 ENCODED STAGER, WHAT THE FUCK IS ACTUALLY WRONG WITH YOU
I tried to do a write-up on X and share some de-obfuscated malware source code
I kept getting notifications on X saying something like, "sorry—something has gone wrong, don't fret", blah blah blah.
If I removed the malcode it worked
I THOUGHT THIS WAS AMERICA
Chat, I don't want to jump to conclusions, but I have a sneaking suspicion this malware stager was vibe coded. Historically, malware authors haven't left extremely descriptive comments in their stagers.
oh sorry
if you're a threat intel nerd, or anti malware nerd, who is designated to track potential state sponsored activity in South America
final payload: 5a979c309aff96456ba4482653fc213997387956c24e376645e4e0cfaa6b878a
obfuscated js payload (fragmented utf16le):
87eac5fa290387bd90d71424f8a65f2b2c7436a415f6e7f033915ef8e833ef86
file sent to colombia ppl i guess idk:
193b98595f44935e79413aeb474cd8d75e8d5ba63caf0d52470cadbeb8139c03
theyre all on VT now
this is the guy calling you the N word on discord
Okay, I'm going to bed now.
Goodnight people on X
Goodnight people on Telegram
Goodnight FBI
Goodnight NSA
Goodnight CIA
Goodnight Israel spyware
Goodnight ads tracking me
Goodnight AI scrapers
Mwah kisses
xoxo
original payload:
https://gist.github.com/vxunderground/91da9c50e400a6742bbacd1548a255d8
My deepest condolences to my colleagues in Venezuela and those impacted by the recent earthquakes.
I wish I had more to offer other than words. I hope you're all doing well and I hope you're all safe.
I've almost reverse engineered the SmartLoader obfuscated code all the way down to working source code
You can't hide behind Prometheus you little bitch
439,000 people on X and 50,000 on Telegram, almost 500,000, whatever. Close enough.
inb4 "nah its just because of that oddly specific song he released, its just a meme"
HOLY SHIT
If you live in the Eastern part of the United States, call into work today because it's NUCLEAR WINTER.
Fuck a sweater, buy a lead vest IMMEDIATELY. It's -184f IN JULY
Chat, I don't want to sound like a hater, but I think this meteorologist is using AI. Something about the image seems incorrect.
tl;dr
really effective malware: multi-staged, multiple programming languages, use as many dependencies as possible. AI is making this easier to do. AVs are struggling
Historically, in regards to malware development, the end goal was minimalism. It was in your best interest to strip as many dependencies, shred the file size down, and make it position independent.
I think, as of ... now ... we need to take a different approach.
I think instead of stripping binaries, we (Red Team, Threat Emulation, malware developers) should intentionally introduce dependencies.
I have witnessed two unique things in the malware landscape since the AI boom.
1. Increase in malware slop. I continue to see stagers which contain notes in them. This is not intentional and this does not "trick" the analyst. This is a colossal mistake on the malware developer's part. However, despite it being slop, AI has made malware more diverse. I am seeing more and more malware in Lua, Node JS (including SEA and nexe), Java, and Python. I am seeing more and more malware doing inter-process communication across multiple programming languages. Of course all of these have existed prior to AI, but I am seeing an explosion in these languages. This has also resulted in malware researchers creating new tools to combat this malware diversity.
2. Anti-malware services struggling. Take the case where I encounter a binary that is a Node JS SEA blob (Electron JS .exe, self-contained using SEA), which extracts a .JS payload, which uses obfuscated Java or heavily obfuscated Lua: every one of these languages requires a VM (PVM, LVM, JVM, whatever) for interpretation. Thus, with heavy obfuscation and multistaging, static analysis fails, and the heavy abstraction makes it difficult for traditional hooking or minifilters to be effective; in essence there is too much noise. Many of these payloads with heavy dependencies easily avoid static analysis and even some emulation systems, because those systems fail to account for the dependencies which are required to emulate the payload correctly.
pic maybe related idk
the stager gives you an Apple AppleScript thingy. it's not obfuscated. it's just the raw src code.
i uploaded to vt, but here is the goopus (free malware source code)
https://gist.github.com/vxunderground/a211579dc084f2e430d7f0dda424bf14
THEY'RE PREVENTING THE PEOPLE FROM GETTING MALWARE!!!!!!
> get more dms
> more free malware
> yay
> "smelly someone says this cheat src code is malware"
> download
> look inside
> visual studio prebuild event builds vbs script
> vbs script decrypts .ps1 script
> downloads RAT
> contains link to a YT video
https://www.youtube.com/watch?v=akoxddx6lgc
> get dm
> "government ppl in Colombia getting weird file"
> lolwtf
> send link
> look inside
> phishing page (looks good tho tbh)
> image 1
> i dont speak spanish, idk wtf it says
> look inside .html
> .zip hidden inside it as base64
> lol ok
> bonk with stick
> "Oficio 2231" zip file
> idk what that means still
> look inside
> .zip has .js inside of it
> look inside
> big ass fuck off obfuscated bs trying to trick u
> image 2
> utf16 bullshit
> utf16 makes another file
> ???
> extract from tiny little fragments of js
> look inside
> .dll .net file
> wtf lol
> look inside
> heavily obfuscated .net malware
> image 3
> tiny .js fragments contain powershell script
> ???
tl;dr
.html does something that triggers .js which extracts .zip. the .js from .html executes the .js inside the .zip which reads the .ps script from the .js. the .ps then executes a c# .dll which is named taskscheduler (its malware)
why would someone send government officials in Colombia this file wtf lol
Oh, I forgot
Goodnight Chinese espionage campaigns residing in United States critical infrastructure believed to be aggregating and collecting intelligence on United States citizens
Mwah
> get dm
> "hey smelly, i work for (kind of important place)"
> "vendor sent us weird file, its sus af"
> "what do u think?"
> download file
> look inside
> ultra mega fuck off malware
> pe position independent .code is set to RWX
> multiple extra sections
> extracts .bss segment
> .bss has .exe inside it
> .exe ASPack 2 compressed
> emulate
> has anti-vm features
> pulls .bat from c2 to self-delete
> still bonking
my brother in christ, if your company ran this .exe from this vendor, you better call someone ASAP because your company is COOKED. also, this vendor is either a criminal enterprise or compromised. gl big dawg. happy monday
> be SmartLoader
> big ass fuck off malware campaign
> tracked by dozens of anti malware companies
> heavily obfuscated lua
> bamboozles everyone
> me jimmies rustled
> team up with roblox cheater nerd
> reverse engineer it back to src
> (almost done)
https://gist.github.com/vxunderground/aaa6a88823afc83b4f8a73366694966d
I'm sorry, SmartLoader malware campaign, I shouldn't have called you a little bitch. That is very rude of me.
I am just passionate and have spent some time working on it, so my emotions are high.
I love you.
Chat, we are cooking.
Previously on Dragon Ball Z, someone DM'd me a spoopy GitHub they found. They asked if it was malware. It was malware.
The GitHub contained HEAVILY obfuscated Lua. The malware payload is using Prometheus Obfuscator.
Upon review, it was determined this malware is SmartLoader. SmartLoader is a malware campaign heavily associated with Rhadamanthys Stealer and StealC Stealer.
SmartLoader is relatively new and is being tracked by AhnLabs, TrendMicro, Hexastrike, McAfee, and the GitHub security team. It first emerged around March, 2024.
SmartLoader is pretty sophisticated. It is multi-staged, uses Polygon Smart Contracts for C2 information retrieval, and despite being Lua, it also makes use of NTDLL to make low-level WINAPI function invocations. One interesting attribute is that it programmatically inflates or deflates its file size for pseudo-polymorphism. This is extremely cool.
I mention this, and the whole cookin' thing, because after I made a post complaining about the obfuscated Lua, a very, very, very gifted person in Lua obfuscation and de-obfuscation contacted me and successfully deobfuscated it. I don't know if they want credit or not, because they're so cool and badass, but they're extremely famous in the Roblox hacking scene.
Anyway, the de-obfuscation is so precise it borders on having the actual source code to SmartLoader. I am very happy. I will share it when I am not dealing with my baby.
"HoW CaN yOu bE aN eXpErT iF yoU rAn maLwaRe oN YouR PC???"
It's very shrimple.
1. I'm comfortable admitting my mistakes publicly in front of hundreds of thousands of people. If I make a mistake, small or catastrophic, I will admit it. I feel comfortable with my skill set. I open myself to criticism from everyone. No, obviously it does not feel good being called "retarded", "jackass", "skid", "moron", etc by people, but it is what it is. If I do not open myself to criticism I will not improve. My success and failure also demonstrates what to do and what not to do. But seriously, sometimes I read some of these comments and I'm like, "dayum, theyre cookin me fr"
2. I am desensitized to malware. I am around it nonstop (writing, collecting, reversing) so I do things in a way I would not advise someone else to do. I feel comfortable doing really dangerous things with malware because I am familiar with how they work. Additionally, in the spirit of full-disclosure, sometimes I don't like dealing with VMs because I feel like they slow me down.
video: when i make a mistake in front of 500,000 people and get called a retard by a bunch of ppl
> be United States government
> 1985
> have a bunch of people they want arrested
> idea.jpeg
> make fake company
> Flagship International Sports Television
> send invites to a bunch of people
> tickets to Washington Redskins FOR FREE!!!
> name it Operation Flagship
> mail tickets
> now_we_wait.mp4
> over 100 people show up for free tickets
> arrest them
> ez gg get rekt nerd
> pause
> fast forward
> 2026
> Drake doing concert tour thingy
> free tickets for women named "Janice"
> only in specific cities at specific times
> when Janice arrives must show government id
> Janice must be their legal first name
Probably not a United States government operation trying to identify and locate a fugitive or person they label an enemy of the United States. It is probably Drake just being silly and meme-y and wanting to ONLY INVITE women named Janice in New York, Los Angeles, Miami, Toronto, or Houston because of that oddly specific "Janice STFU" song he released earlier this year.