vxunderground | Unsorted

Telegram channel vxunderground - vx-underground

The largest collection of malware source, samples, and papers on the internet. Password: infected https://vx-underground.org/

vx-underground

I got the payload to this malware. It is absurdly silly. This malware is killing me bro. It is so unbelievably silly.

This was 100% written using Claude or ChatGPT. I've never seen a malware payload LEAVE NOTES describing what it's doing.

The malware has a PowerShell script that connects to the C2 for stinky malware stuff. This module is responsible for persistence. Thankfully their persistence script documented the entire code base and file locations.

Very cool. Thank you spoopy Russian Counter Strike scammers.

Even more silly, the C2 is hardcoded as a string (seen in attached image). The C2 address shows it has been an active malware campaign since at least January 31st, 2026 based on data present on VirusTotal. It was initially uploaded as "9lixh".

This persistence script was from a victim machine so I've censored some data. Regardless, the botched Cyrillic notes also make me giggle.

Russian to English translations present in this silly script which documents everything for us:
# Пути для удаления
# Paths for deletion

# Завершаем процессы python и pythonw
# Terminate/finish the python and pythonw processes

# Удаляем автозапуск из реестра
# Remove autorun from the registry

# Завершаем процесс монитора
# Stop the monitoring process

# Новая функция для проверки f.json и убийства процессов
# New function for checking f.json and killing processes

# Проверяем флаг library
# Check the library flag

# Список процессов для убийства
# List of processes to kill

# Проверка флага удаления (каждые 20 секунд)
# Check the deletion flag (every 20 seconds)

# 20 секунд при интервале 2 секунды
# 20 seconds with a 2-second interval

# Проверка f.json и убийство процессов (каждые 4 секунды)
# Check f.json and kill processes (every 4 seconds)

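Added hunting example (this is not the post's code and not the malware's own script). The translated comments above say the persistence module relaunches a python/pythonw loader, registers autorun in the registry, and polls a file named f.json to decide which processes to kill. The script below enumerates exactly those artifacts on a Windows host: Run-key entries that invoke python.exe or pythonw.exe, live python/pythonw processes with their command lines, and any f.json under the user profile. The post gives no exact paths, key names or the format of the "library" flag, so the Run-key list, the file location and the process-name regex are assumptions, and the output is a list of candidates for a human to review, not a verdict.

```powershell
# Hunting script for the persistence pattern described in the post.
# Assumptions (not from the post): the loader is started from a standard Run/RunOnce
# key, the polled flag file is literally named f.json, and it lives somewhere under
# the victim's profile. Adjust $runKeys and the search root if your telemetry says otherwise.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Matches "python" or "pythonw", with or without the .exe suffix, anywhere in the command.
$interpreterPattern = 'python(w)?(\.exe)?'

Write-Host '== Autorun entries that launch a Python interpreter =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # The registry provider adds PSPath/PSParentPath/etc.; they are not real values.
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $interpreterPattern) {
            [pscustomobject]@{ Source = $key; ValueName = $p.Name; Command = $p.Value }
        }
    }
}

Write-Host '== Running python/pythonw processes and their command lines =='
# pythonw.exe runs without a console window, so a pythonw process whose script path is
# under a user-writable directory is the kind of thing this persistence module would start.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -match '^python(w)?\.exe$' } |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine

Write-Host '== f.json files under the user profile (polled every 4 seconds per the comments) =='
Get-ChildItem -Path $env:USERPROFILE -Filter 'f.json' -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Run it in an elevated PowerShell session so the HKLM keys and other users' processes are readable. A hit in the first section plus a matching pythonw process in the second is a strong signal; an f.json with a recent LastWriteTime next to that script is what ties it to the 4-second poll loop the comments describe.
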
vx-underground

Hello,

A while ago some guy on Xitter was talking about his friend being scammed and losing Counter Strike stuff. I'm not a gamer, I don't understand Counter Strike markets and stuff, but the gist of everything was he purchased an item and he was (in some capacity) scammed?

He said Steam support was DMing him over Steam. People were memeing him, saying Steam doesn't communicate over Steam like an instant messenger client. People questioned the validity of the images.

I had a bunch of people DM me, tag me on the post, etc. I saw it, but I was busy with my baby boy, so I put it on the back burner. However, it piqued my interest because it was extremely unusual. I do play stuff on Steam sometimes, and I've never seen or heard of malware which is curated to specifically target Steam coupled with social engineering work.

Two things

1. I get tons of messages, DMs, and emails. I can't find the original post anymore. If you know what I'm describing please comment it below, or something, I don't know. The post itself is interesting and provides context to the second part of this write-up.

2. This is malware. I was on THE STREETS DAWG (talking with stinky nerds on Telegram) passively to see if anyone knew anything about this. I was able to receive the payload as well as the decompiled source code (it's written in Python). This malware was developed by some nerds in Russia determined to ... drain people on Counter Strike and steal their items? Again, I'm not a gamer or Counter Strike nerd, so I don't understand the objective of this malware or the monetary value behind this, but apparently it is enough to motivate someone to create malware which injects itself into Steam to allow them to manipulate the application and impersonate Steam support (API hooking).

I haven't had a chance to review the malware in totality yet. I've briefly skimmed it. It's got a bunch of different modules and stages. Someone seems to have put quite a bit of effort into this. I've never seen anything like this, so it's really cool.

On a side note, I've been noticing a trend of Threat Actors targeting Steam. It was initially by creating fake and malicious games. Now we are seeing malware payloads that inject themselves into the Steam application itself and manipulate it in ways to trick users into giving them valuable video game items or potentially pushing more malware to their machine.

Very cool.

vx-underground

Chat, I don't want to be that guy, but I think Microsoft has really pissed off security researchers and we're approaching the tipping point.

This Eclipse guy has really rocked the boat for Microsoft.

vx-underground

I have added another 250,000 malwares to the malware collection.

Please download the malware here:
https://vx-underground.org

Thank you.

vx-underground

Not too bad, got a C-

vx-underground

Chat, I'll tell you one thing right now, if end users complained so much that AV vendors were forced to migrate their detection engines to user-mode, I'd tell my wife to drop the baby off at Grandmas house.

It's Red Panty night.

vx-underground

What does the future hold for vx-underground?

- More malware samples
- More malware papers
- More malware source code
- More silly pictures of kitty cats
- Sharing news I find interesting
- Commenting on news
- Sharing memes
- ???
- Remain free
- Eventually die

vx-underground

People who are asking for context: I frequently upload pictures of cats and cat memes and refer to them as kitty cats. The malware IoC file names are kitty and cat.

vx-underground

If you're a programmer, and you're reading this, you're already dead

vx-underground

BREAKING:

MICROSOFT ANNOUNCES YOU CAN SOON MOVE THE TASK BAR TO ANY SIDE OF THE SCREEN

THIS HAS NEVER BEEN DONE BEFORE

EVERYONE FREAK THE FUCK OUT

vx-underground

You must follow the Yellow Brick Road a/k/a be one of the following:

- Think like someone incredibly ignorant about computers
- Be a high-profile target
- Be a company
- Be a crypto nerd

If you can successfully be one of these things, or larp as one, you will find the malware. Truthfully, I myself have a hard time finding malware in the wild. I am incapable of thinking like an internet doofus. I have tried many times.

I have noticed though that the easiest way to get free malware is looking for video game cheats. You can find tons upon tons of malware that targets Roblox nerds, CounterStrike nerds, and Call of Duty nerds.

There is this thing in the Roblox cheating community called an "Executor". Basically, it's a tool they utilize to perform process injection into the Roblox client. These "Executors" are NOTORIOUS for having impersonators which are actually malware and sometimes even the paid "Executors" betray their customer base. It is cool and badass if you like malware. It is not cool and not badass if you dislike malware.

Depending on what you're looking for though these fake Executors are almost always Information Stealing payloads, so you won't find much.

If you look up aimbots for Call of Duty or Counter Strike you will almost always find malware on YouTube. They'll display a video of some dork spazzing out, blasting nerds through walls, and display the download link in the video description. To avoid detection the video description also has the "password" to the "aim bot". It's password protected to prevent automated scraping and automated detonation from anti-malware services.

There are other ways too, but this is the easiest and most low effort (in my opinion).

Okay, I got to go now. My wife says I have to go outside.

vx-underground

I enjoy the "For You" recommendations on social media.

Every day it is something truly unique. An omnipotent being named "The Algorithm" recommended:
- Educational video about Sharks
- Silly pictures of cats
- Interesting history facts
- Cool skateboarding compilations
- Funny short skits about aging

It was all educational, entertaining, light-hearted, and funny.

Then I kept scrolling and saw:
- Hatred toward Indians
- Hatred toward Black people
- Hatred toward Trans people
- Hatred toward women
- Some dude named Chud
- Violent street fights
- Deadly car accidents
- People overdosing on drugs
- Police corruption videos
- Police chase videos
- War footage (death from drones)

I said, wtf where are the silly cat videos "The Algorithm"? The Algorithm replied, "Hatred and disdain toward others is more likely to keep you engaged. You must witness the horrors of man."

I said "o ok"

vx-underground

Nah, for real

https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/remove-mgidentityauthenticationeventflowasongraphapretributecollectionexternaluserselfservicesignupattributeidentityuserflowattributebyref?view=graph-powershell-1.0

vx-underground

The United States government is relatively frustrated this morning. The Federal Bureau of Investigation has placed a $200,000 bounty for any information on Monica Witt which leads to her apprehension.

Monica Witt a/k/a Fatemah Zahra bamboozled the United States government in 2013. She was an Intelligence Officer who defected to Iran because, according to her, the United States is not cool and is not badass (she actually did a long tangent about war and atrocities, or something, I don't know).

Ms. Witt is believed to operate as part of Phosphorus Group a/k/a CharmingKitten, a state-sponsored Iranian military unit specialized in cyber espionage and misinformation campaigns.

Daniel Wierzbicki, special agent in charge of the FBI Washington Field Office's Counterintelligence and Cyber Division, wrote today, "The FBI has not forgotten."

tl;dr

vx-underground

I saw a write-up today from ZachXBT about a Threat Actor named Dritan.

In this write-up he showed Dritan flexing money, going "band for band" with people on Discord, purchasing luxury clothing, and many other things.

It is believed he may possess as much as $19,000,000 from fraud.

That is absolutely disgusting. It sickens me.

Do you have any idea how much pizza, Monster energy drinks, prescription medication, and Robux I could purchase with $19,000,000?

He needs to stop this hedonistic lifestyle and focus on what's important.

vx-underground

Someone commented on Xitter immediately. Context for TG nerds:

https://x.com/GMBA/status/2059692291028144219

vx-underground

Microsoft Security Response Center put out a blog post today about Eclipse Nightmare guy

Basically they think he's super mean and totally not cool he's dropping zero days. They say you're a jerk if you do this stuff because it's dangerous and stuff

https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure

vx-underground

"haha you're not very underground anymore are you, vx-underground?"

IM SUFFERING FROM SUCCESS

vx-underground

Someone on social media was bragging they got a CSAM website taken offline. They illustrated this by showing a CloudFlare report.

The report shows the domain this person reported. CloudFlare clearly states it is being investigated, forwarded to authorities, and thanks the person for the report.

This person's post (as of this writing) sits at over 782,000 views and, unsurprisingly, the website is not offline because it is being investigated. It has hundreds of comments and sub-comments, people are discussing the website, its material, and explicitly noting it is not offline.

I'm speechless. This bragging was more akin to free advertisement.

vx-underground

The Pope is meeting up with Claude nerds to bless vibe coded slop, or something, I don't know

https://www.ncronline.org/vatican/vatican-news/pope-leo-present-his-encyclical-ai-alongside-anthropic-co-founder

vx-underground

> get on social media
> nerds arguing about anti cheats
> nerds discuss antiviruses
> "anti viruses shouldn't be in kernel mode"

You are absolutely correct. Please have the anti-malware vendors migrate their detection engines to user-mode. Nothing bad could happen.

vx-underground

Hi

vx-underground is 7 years old, as of 2 days ago. I forgot my own website birthday.

Some of you who found vx-underground as early to mid teenagers are now adults.

Some of you who found vx-underground while attending university are now in the work force.

Some people who follow this account have unfortunately passed away.

Some followers have been arrested. Some followers have already been released from prison.

Some of you (including myself) have had children.

A lot has changed over the past 7 years.

The only thing that hasn't really changed is the website: free malware source code, samples, and papers, forever.

Thank you for letting me serve the community. It has been a pleasure. I look forward to serving all of you for another ... unknown duration of time, probably a long time, I don't know. I'm not sure how long I'll do this, but I'm already 7 years deep.

vx-underground

Two kids shot up a mosque in California and live streamed the whole thing in a first person POV on Discord

Kids on Discord recorded the whole thing

vx-underground

🚨BRAKING 🚨: ANTHROOPK CEO SAYS 90% OF CODE WILL BE WRITTEN BY AI IN 3 TO 6 MONTHS

vx-underground

What staring at a computer monitor everyday for the past 20 years has done to me

vx-underground

Another Windows zero day released by Nightmare Eclipse (sort of)

It turns out Microsoft just straight up didn't patch an old CVE from 2020 correctly.

https://github.com/Nightmare-Eclipse/MiniPlasma

vx-underground

Helping animals is cool and badass

vx-underground

Microsoft: PowerShell is simple and easy to use.

Actual PowerShell command: Remove-MgIdentityAuthenticationEventFlowAsOnGraphAPretributeCollectionExternalUserSelfServiceSignUpAttributeIdentityUserFlowAttributeByRef

vx-underground

I need to make a confession. When I initially read "band for band" I thought he meant a musical band. Like, they were both playing the guitar or something to see who had the most cool and badass guitar solo.

vx-underground

Yippie

Two new Microsoft Windows 0days. The exploits have cool and badass mysterious names to be extra spoopy

- GreenPlasma: Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability
- YellowKey: Bitlocker Bypass Vulnerability

https://github.com/Nightmare-Eclipse
