vxunderground | Unsorted

Telegram channel vxunderground - vx-underground

The largest collection of malware source, samples, and papers on the internet. Password: infected https://vx-underground.org/

vx-underground

> wake up
> take a shit
> get out of bed
> check beep boop machine
> everyone calling me names
> crazy cat malware man
> mfw

vx-underground

Please forgive me, European colleagues and friends, how hot is -120c? Should we be concerned?

vx-underground

Goodnight tiny people living inside my phone

vx-underground

It's 2026 bro, fuck it.

It's time to go to court and sue people over TUNG TUNG SAHOR and U DIN DIN DIN DIN DUN MA DIN DIN DIN DUN, intellectual property of AI slop brainrot, and Roblox mini-games.

vx-underground

>get dm
>smelly there is MALWARE for FREE on REDDIT
>mac subreddit
>ad for some goop
>look inside
>VIBE CODED MALSLOP

YOU LEFT NOTES IN YOUR BASE64 ENCODED STAGER, WHAT THE FUCK IS ACTUALLY WRONG WITH YOU

vx-underground

I tried to do a write-up on X and share some de-obfuscated malware source code

I kept getting notifications on X saying something like, "sorry—something has gone wrong, don't fret", blah blah blah.

If I removed the malcode it worked

I THOUGHT THIS WAS AMERICA

vx-underground

Chat, I don't want to jump to conclusions, but I have a sneaking suspicion this malware stager was vibe coded. Historically, malware hasn't left extremely descriptive comments in their stagers.

vx-underground

oh sorry

if you're a threat intel nerd, or anti-malware nerd, who is designated to track potential state-sponsored activity in South America

final payload: 5a979c309aff96456ba4482653fc213997387956c24e376645e4e0cfaa6b878a

obfuscated js payload (fragmented utf16le):
87eac5fa290387bd90d71424f8a65f2b2c7436a415f6e7f033915ef8e833ef86

file sent to colombia ppl i guess idk:
193b98595f44935e79413aeb474cd8d75e8d5ba63caf0d52470cadbeb8139c03

they're all on VT now

vx-underground

this is the guy calling you the N word on discord

vx-underground

Okay, I'm going to bed now.

Goodnight people on X
Goodnight people on Telegram
Goodnight FBI
Goodnight NSA
Goodnight CIA
Goodnight Israel spyware
Goodnight ads tracking me
Goodnight AI scrapers

Mwah kisses
xoxo

vx-underground

original payload:

https://gist.github.com/vxunderground/91da9c50e400a6742bbacd1548a255d8

vx-underground

My deepest condolences to my colleagues in Venezuela and those impacted by the recent earthquakes.

I wish I had more to offer other than words. I hope you're all doing well and I hope you're all safe.

vx-underground

I've almost reverse engineered the SmartLoader obfuscated code all the way down to a working source code

You can't hide behind Prometheus you little bitch

vx-underground

439,000 people on X and 50,000 on Telegram, almost 500,000, whatever. Close enough.

vx-underground

inb4 "nah its just because of that oddly specific song he released, its just a meme"

vx-underground

HOLY SHIT

If you live in the Eastern part of the United States, call into work today because it's NUCLEAR WINTER.

Fuck a sweater, buy a lead vest IMMEDIATELY. It's -184f IN JULY

vx-underground

Chat, I don't want to sound like a hater, but I think this meteorologist is using AI. Something about the image seems incorrect.

vx-underground

tl;dr
really effective malware is multi-staged, uses multiple programming languages, and uses as many dependencies as possible. AI is making this easier to do. AVs are struggling.

Historically, in regards to malware development, the end goal was minimalism. It was in your best interest to strip as many dependencies, shred the file size down, and make it position independent.

I think, as of ... now ... we need to take a different approach.

I think instead of stripping binaries, we (Red Team, Threat Emulation, malware developers) should intentionally introduce dependencies.

I have witnessed two unique things in the malware landscape since the AI boom.

1. Increase in malware slop. I continue to see stagers which contain notes in them. This is not intentional and this does not "trick" the analyst. This is a colossal mistake on the malware developer's part. However, despite it being slop, AI has made malware more diverse. I am seeing more and more malware in Lua, Node JS (including SEA and nexe), Java, and Python. I am seeing more and more malware doing inter-process communication across multiple programming languages. Of course all of these have existed prior to AI, but I am seeing an explosion in these languages. This also has resulted in malware researchers creating new tools to combat this malware diversity.

2. Anti-malware services struggling. When I encounter a binary that is a Node JS SEA blob (Electron JS .exe, self-contained using SEA), which extracts a .JS payload, which uses obfuscated Java or heavily obfuscated Lua, all of these languages require a VM (PVM, LVM, JVM, whatever) for interpretation. Thus, with heavy obfuscation and multistaging, static analysis fails, and the heavy abstraction makes it difficult for traditional hooking or minifilters to be effective; in essence, there is too much noise. Many of these payloads with heavy dependencies easily avoid static analysis and even some emulation systems, because those systems fail to account for the dependencies which are required to emulate the payload correctly.

pic maybe related idk

vx-underground

the stager gives you an Apple AppleScript thingy. its not obfuscated. its just the raw src code.

i uploaded to vt, but here is the goopus (free malware source code)

https://gist.github.com/vxunderground/a211579dc084f2e430d7f0dda424bf14

vx-underground

THEY'RE PREVENTING THE PEOPLE FROM GETTING MALWARE!!!!!!

vx-underground

omg i got FREE malware from REDDIT

vx-underground

> get more dms
> more free malware
> yay
> "smelly someone says this cheat src code is malware"
> download
> look inside
> visual studio prebuild event builds vbs script
> vbs script decrypts .ps1 script
> downloads RAT
> contains link to a YT video

https://www.youtube.com/watch?v=akoxddx6lgc

vx-underground

> get dm
> "government ppl in Colombia getting weird file"
> lolwtf
> send link
> look inside
> phishing page (looks good tho tbh)
> image 1
> i dont speak spanish, idk wtf it says
> look inside .html
> .zip hidden inside it as base64
> lol ok
> bonk with stick
> "Oficio 2231" zip file
> idk what that means still
> look inside
> .zip has .js inside of it
> look inside
> big ass fuck off obfuscated bs trying to trick u
> image 2
> utf16 bullshit
> utf16 makes another file
> ???
> extract from tiny little fragments of js
> look inside
> .dll .net file
> wtf lol
> look inside
> heavily obfuscated .net malware
> image 3
> tiny .js fragments contain powershell script
> ???

tl;dr
.html does something that triggers .js which extracts .zip. the .js from .html executes the .js inside the .zip which reads the .ps script from the .js. the .ps then executes a c# .dll which is named taskscheduler (its malware)

why would someone send government officials in Colombia this file wtf lol
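Added example, not from the channel or from vx-underground: a small Python triage helper for the HTML-carries-base64-zip pattern in the chain above. It builds a constructed sample page (not the real "Oficio 2231" file), locates base64 runs that decode to a zip, lists the members, and flags script extensions and members stored as UTF-16LE text (the "utf16" step), so an analyst can see the nesting without executing anything.

```python
import base64
import io
import re
import zipfile

# Constructed sample (not from the post): an HTML page carrying a base64 zip whose
# members are a plain .js and a second .js saved as UTF-16LE, mirroring the shape
# of the chain described above.
def _build_sample_html() -> str:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Oficio 2231.js", "var a = 'plain ascii loader';")
        zf.writestr("stage2.js", "var b = 'wide text';".encode("utf-16-le"))
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"<html><body><script>var payload='{b64}';</script></body></html>"

SAMPLE_HTML = _build_sample_html()

# Only long base64 runs are worth decoding; shorter runs are ordinary page noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".ps1", ".hta", ".wsf", ".cmd", ".bat")

def looks_utf16le(data: bytes) -> bool:
    """True if the bytes look like ASCII text encoded as UTF-16LE (every odd byte is NUL)."""
    if len(data) < 4 or len(data) % 2:
        return False
    return all(b == 0 for b in data[1::2]) and all(0x09 <= b < 0x7F for b in data[0::2])

def find_embedded_zips(html: str):
    """Return (offset, [(member, is_script, is_utf16le)]) for each base64 run that is a zip."""
    hits = []
    for m in B64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        if not raw.startswith(b"PK\x03\x04"):  # local file header magic of a zip
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                members = [(n, n.lower().endswith(SCRIPT_EXT), looks_utf16le(zf.read(n)))
                           for n in zf.namelist()]
        except zipfile.BadZipFile:
            continue
        hits.append((m.start(), members))
    return hits

if __name__ == "__main__":
    for off, members in find_embedded_zips(SAMPLE_HTML):
        print(f"zip at offset {off}:")
        for name, is_script, wide in members:
            print(f"  {name}: script={is_script} utf16le={wide}")
```

Point it at a captured .html instead of SAMPLE_HTML to get the same member listing; members are only read, never written to disk or run.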

vx-underground

Oh, I forgot

Goodnight Chinese espionage campaigns residing in United States critical infrastructure believed to be aggregating and collecting intelligence on United States citizens

Mwah

vx-underground

> get dm
> "hey smelly, i work for (kind of important place)"
> "vendor sent us weird file, its sus af"
> "what do u think?"
> download file
> look inside
> ultra mega fuck off malware
> pe position independent .code is set to RWX
> multiple extra sections
> extracts .bss segment
> .bss has .exe inside it
> .exe ASPack 2 compressed
> emulate
> has anti-vm features
> pulls .bat from c2 to self-delete
> still bonking

my brother in christ, if your company ran this .exe from this vendor, you better call someone ASAP because your company is COOKED. also, this vendor is either a criminal enterprise or compromised. gl big dawg. happy monday

vx-underground

> be SmartLoader
> big ass fuck off malware campaign
> tracked by dozens of anti malware companies
> heavily obfuscated lua
> bamboozles everyone
> me jimmies rustled
> team up with roblox cheater nerd
> reverse engineer it back to src
> (almost done)

https://gist.github.com/vxunderground/aaa6a88823afc83b4f8a73366694966d

vx-underground

I'm sorry, SmartLoader malware campaign, I shouldn't have called you a little bitch. That is very rude of me.

I am just passionate and have spent some time working on it, so my emotions are high.

I love you.

vx-underground

Chat, we are cooking.

Previously on Dragon Ball Z, someone DM'd me a spoopy GitHub they found. They asked if it was malware. It was malware.

The GitHub contained HEAVILY obfuscated Lua. The malware payload is using Prometheus Obfuscator.

Upon review, it was determined this malware is SmartLoader. SmartLoader is a malware campaign heavily associated with Rhadamanthys Stealer and StealC Stealer.

SmartLoader is relatively new and is being tracked by AhnLabs, TrendMicro, Hexastrike, McAfee, and the GitHub security team. It first emerged around March 2024.

SmartLoader is pretty sophisticated. It is multi-staged, uses Polygon Smart Contracts for C2 information retrieval, and despite being Lua, it also makes use of NTDLL to make low-level WINAPI function invocations. One interesting attribute is that it programmatically inflates or deflates its file size for pseudo-polymorphism. This is extremely cool.

I mention this, and the whole cookin' thing, because after I made a post complaining about the obfuscated Lua, a very, very, very gifted person in Lua obfuscation and de-obfuscation contacted me and successfully deobfuscated it. I don't know if they want credit or not, because they're so cool and badass, but they're extremely famous in the Roblox hacking scene.

Anyway, the de-obfuscation is so precise it borders on having the actual source code to SmartLoader. I am very happy. I will share it when I am not dealing with my baby.

vx-underground

"HoW CaN yOu bE aN eXpErT iF yoU rAn maLwaRe oN YouR PC???"

It's very shrimple.

1. I'm comfortable admitting my mistakes publicly in front of hundreds of thousands of people. If I make a mistake, small or catastrophic, I will admit it. I feel comfortable with my skill set. I open myself to criticism from everyone. No, obviously it does not feel good being called "retarded", "jackass", "skid", "moron", etc. by people, but it is what it is. If I do not open myself to criticism I will not improve. My successes and failures also demonstrate what to do and what not to do. But seriously, sometimes I read some of these comments and I'm like, "dayum, theyre cookin me fr"

2. I am desensitized to malware. I am around it nonstop (writing, collecting, reversing) so I do things in a way I would not advise someone else to do. I feel comfortable doing really dangerous things with malware because I am familiar with how they work. Additionally, in the spirit of full-disclosure, sometimes I don't like dealing with VMs because I feel like they slow me down.

video: when i make a mistake in front of 500,000 people and get called a retard by a bunch of ppl

vx-underground

> be United States government
> 1985
> have a bunch of people they want arrested
> idea.jpeg
> make fake company
> Flagship International Sports Television
> send invites to a bunch of people
> tickets to Washington Redskins FOR FREE!!!
> name it Operation Flagship
> mail tickets
> now_we_wait.mp4
> over 100 people show up for free tickets
> arrest them
> ez gg get rekt nerd
> pause
> fast forward
> 2026
> Drake doing concert tour thingy
> free tickets for women named "Janice"
> only in specific cities at specific times
> when Janice arrives must show government id
> Janice must be their legal first name

Probably not a United States government operation trying to identify and locate a fugitive or person they label an enemy of the United States. It is probably Drake just being silly and meme-y and wanting to ONLY INVITE women named Janice in New York, Los Angeles, Miami, Toronto, or Houston because of that oddly specific "Janice STFU" song he released previously this year.
