40629
The largest collection of malware source, samples, and papers on the internet. Password: infected https://vx-underground.org/
Chat, we are cooking.
Previously on Dragon Ball Z, someone DM'd me a spoopy GitHub they found. They asked if it was malware. It was malware.
The GitHub contained HEAVILY obfuscated Lua. The malware payload is using Prometheus Obfuscator.
Upon review, it was determined this malware is SmartLoader. SmartLoader is a malware campaign heavily associated with Rhadamanthys Stealer and StealC Stealer.
SmartLoader is relatively new and is being tracked by AhnLabs, TrendMicro, Hexastrike, McAfee, and the GitHub security team. It first emerged around March, 2024.
SmartLoader is pretty sophisticated. It is multi-staged, uses Polygon Smart Contracts for C2 information retrieval, and despite being Lua, it is also makes usage of NTDLL makes low-level WINAPI function invocations. One interesting attribute also is it programmatically inflates or deflates its file size for pseudo-polymorphism. This is extremely cool.
I mention this, and the whole cookin' thing, because after I made a post complaining about the obfuscated Lua, a very, very, very gifted person in Lua obfuscation and de-obfuscation contacted me and successfully deobfuscated it. I don't know if they want credit or not, because they're so cool and badass, but they're extremely famous in the Roblox hacking scene.
Anyway, the de-obfuscation is so precise it borders on having the actual source code to SmartLoader. I am very happy. I will share it when I am not dealing with my baby.
"HoW CaN yOu bE aN eXpErT iF yoU rAn maLwaRe oN YouR PC???"
It's very shrimple.
1. I'm comfortable admitting my mistakes publicly in front of hundreds of thousands of people. If I make a mistake, small or catastrophic, I will admit it. I feel comfortable with my skill set. I open myself to criticism from everyone. No, obviously it does not feel good being called "retarded", "jackass", "skid", "moron", etc by people, but it is what it is. If I do not open myself to criticism I will not improve. My success and failure also demonstrates what to do and what not to do. But seriously, sometimes I read some of these comments and I'm like, "dayum, theyre cookin me fr"
2. I am desensitized to malware. I am around it nonstop (writing, collecting, reversing) so I do things in a way I would not advise someone else to do. I feel comfortable doing really dangerous things with malware because I am familiar with how they work. Additionally, in the spirit of full-disclosure, sometimes I don't like dealing with VMs because I feel like they slow me down.
video: when i make a mistake in front of 500,000 people and get called a retard by a bunch of ppl
> be United States government
> 1985
> have a bunch of people they want arrested
> idea.jpeg
> make fake company
> Flagship International Sports Television
> send invites to a bunch of people
> tickets to Washington Redskins FOR FREE!!!
> name it Operation Flagship
> mail tickets
> now_we_wait.mp4
> over 100 people show up for free tickets
> arrest them
> ez gg get rekt nerd
> pause
> fast forward
> 2026
> Drake doing concert tour thingy
> free tickets for women named "Janice"
> only in specific cities at specific times
> when Janice arrives must show government id
> Janice must be their legal first name
Probably not a United States government operation trying to identify and locate a fugitive or person they label an enemy of the United States. It is probably Drake just being silly and meme-y and wanting to ONLY INVITE women named Janice in New York, Los Angeles, Miami, Toronto, or Houston because of that oddly specific "Janice STFU" song he released previously this year.
Holy shit, the homeless guy outside the gas station literally said the same thing to me last week
Читать полностью…
> "hey smelly check out nmssaveeditor(.)com"
> no mans save editor?
> AI generated website?
> "downloaded file is password protected"
> "password is goatfungus"
> lolwtf
> download file
> .zip protected with goatfungus
> extract with the power of goatfungus
> .msi installer file
> look inside
> random generated file names
> look inside silly names
> random ass goopie file (encrypted file)
> obfuscated .vbs file
> big ass fuck off .exe
> mystery java file
> big ass fuck off javascript file
> ???
> deobfuscate vbs file
> runs big ass fuck off .exe
> bonk .exe
> no idea wtf this thing is
> node.js, but weird, weird stuff, bonk with big stick
> not normal node.js .exe
> brain confused
> emulate
> emulate fails, .exe has anti-vm stuff
> wtf is this shit? all for no mans sky?
> get big stick and manually carve out weird .js
> super obfuscated goop
> WTF AM I LOOKING AT
> yara rule match
> GACHI LOADER AND KIDKADI LOADER
> double check
> perfect match
> original research from eversinc33 and JaromirHorejsi
> ihbnibYYhwenfw!!2345glerp schmmermies
> RHAD STEALER
> NEXE
This thing is a bitch. You're both heroes for bonking this with a stick and saving me a lot of time and energy.
pic unrelated
I love when I meet nerds with who are deep in the trenches in esoteric concepts in esoteric things
I met a guy who has dedicated the past couple years of his life to Batch file obfuscation and deobfuscation
He has completely lost his mind. I like it. I respect it.
Someone sent me a file and it's confusing my little brain. It was a .exe and I disassembled it back to approx. source.
This code programmatically makes Epic games accounts and uses it to get Discord nitro somehow? I don't understand.
https://gist.github.com/vxunderground/4616b6249dc47a87647b746882652687
WHO WROTE THIS GHOST LAUNCHER THINGIE
I know you're somewhere on this Telegram, or the COM, or something. There is no way you're not hanging around here somewhere. I demand to know what AI agent was used and why you decided to targets gamers
Telegram nerds, you've missed the whole drama on X, so I'll just paste the final message. In summary, I'm crashing out because this nerd got sent a payload on Discord, but it was legit malware but vibe coded and it irritated me
Читать полностью…
Hello, I have a lot to say. However, I have come to discover many of you dislike long posts. To make this easier for some of you I will speak like a caveman to convey this information.
1. lots malware on internet. me collect malware. me put malware on website. download malware. malware good. you like malware.
2. me add papers. read papers. ooga booga. read good for brain.
3. people ask for all papers in 7z. this many papers. me no think people want lots of papers. me do later. this many papers
Click linky for list of malware and papers. Me no want to list all here
https://vx-underground.org/Updates
> be spaceX employee
> be rustled
> say spaceX sucks
> go on dread
> advertise being an insider threat
> verified by dread as being legit spaceX employee
> offer access to ransomware groups
> everyone see it
> everyone on telegram talking about it
Hello
1. If you're reading this, that means you live inside my computer. Please leave my computer. You are stinking the place up.
2. I am syncing 150,000+ malwares to the internet. Please download the malware.
3. I now possess 14TB (7z ultra compressed) of malware
Two members of the infamous Scattered Spider group (a sub-group of ALPHV ransomware group) have plead guilty to the attack on TfL (Transport for London).
Thalha Jubair, 20 (image 1) and Owen Flowers, 18 (image 2).
Flowers was initially released from custody on strict conditions, which the courts note he violated on two occasions in March, 2025 and May, 2025.
According to the National Crime Agency, Mr. Jubair and Mr. Flowers initially intended to take their cases to a trial in Woolwich Crown Court. However, both individuals later switched to a guilty plea.
Both individuals are scheduled for sentencing July 16th, 2026.
While both fall under the United Kingdom's Computer Misuse Act, and is capable of delivering life in prison for both individuals, due to their young age and guilty plea, Mr. Jubair and Mr. Flowers are likely facing 10 years in prison.
Images via United Kingdom National Crime Agency, see subsequent post for more information and case details.
GTV VI leaks reportedly show the pricing for the game at $25,999
Gamers can take out a loan from Rockstar Games official banking app, or get a 2% discount if they pay in full at checkout
They have options available if you have no credit or poor credit
I know you expected a post about malware, or something, but I've been battling demons (trying to get a baby to sleep) and I've got nothing.
I did however find this video to be cute and silly, so I decided to share it
439,000 people on X and 50,000 on Telegram, almost 500,000, whatever. Close enough.
Читать полностью…
inb4 "nah its just because of that oddly specific song he released, its just a meme"
Читать полностью…
If she goes on to say in the next couple of posts Barack Obama was created in a CIA test tube and Donald Trump is being controlled from nanobots then this lady might be onto something, I don't know
Читать полностью…
Chat, someone sent me a message. It has a very silly payload.
I cannot figure out this Lua code. I hate obfuscated Lua. Look at this fucking piece of shit (warning: is a piece of shit).
https://gist.github.com/vxunderground/91da9c50e400a6742bbacd1548a255d8
Literally shaking, screaming, crying, throwing up right now. I thought I found a silly malware loader, but the person who wrote this bamboozled themselves.
Their obfuscation toolkit failed somewhere, and Windows WScript can't parse the VBS correctly, resulting in it imploding into itself.
It could have given me more free malware, instead this goof ball didn't test his malware (testing is for nerds, I can't blame them).
I think they may have copied the obfuscation definition thingies at the top too many times, but I don't feel like unironically debugging their obfuscated malicious VBS code to make it work, that is ridiculous.
Anyway, look at this piece of shit:
https://gist.github.com/vxunderground/dc225d9180d8da7285e911372f99c527
Oh, Discord and Epic games ran some promotion where Epic games gave you Discord Nitro if you were new to Epic Games. This code automated the process. Spammers used it to harvest Discord Nitro codes and then sell them online.
Читать полностью…
I am absolutely flabbergasted
Okay, so this nerd DMs me saying he thinks he got sent malware. He said I should check it out. I said "I'm in my undies, I'll do it later when I'm on my PC" (Image 1)
This malware has so many twists and turns bro, this shit is all vibe coded too. I don't know what AI agent wrote it, but I know it's vibe coded because THE NOTES FROM THE AI AGENT ARE PRESENT.
I think the Threat Actor who wrote this didn't understand how reverse engineering works, so they didn't know the AI agent notes would be present.
This malware wasn't super sophisticated, it didn't contain any extreme logic or anything, but it was a convoluted fucking MESS and it a colossal pain in the ass.
A normal malware developer could have written this too, but it's got so many stages this would be more akin to a well-established Threat Actor. This was written by someone who doesn't understand how reverse engineering works and someone who is willing to target GAMERS OVER DISCORD with malware that is actually pretty decent.
In fairness, it could be MaaS, but this doesn't line up with anything I've seen from my peers (yet). It's possible I've missed it. But, this is a bitch of a payload and I unironically enjoyed it.
Here is the silly meme summary
> get sent rivals_toolkit.exe
> electron app goop
> masquerades as legit toolkit
> electron app contains resource called "Discord.exe"
> Discord.exe is a malware loader
> Discord creates a Java VM
> Loads obfuscated Java payload
> I can't find where it the JVM payload
> JVM payload hidden in different file from Electron app
> Annoying.jpg
> Electron App also has spoopy secondary functionality
> Displays legit HTML stuff
> Secondary thread executes, executes Ira.JS stager
> f91a7efa0d476811455271e023dfb3be
> Decodes and executes initial stager, Ira.jsc
> c286ad4c51128266e10ad0a49da9cb3f
> Decodes and drops secondary payload stage
> 816bfabbb3408ad2114ba351690410c3
> Decodes and drops third payload stage
> 7364f758b4b8623c0beb020a74ff09b5
> Decodes and drops fourth payload stage
> 7b9627f07f7fb604f5edfb23c706b22a
> Final payloads syncs and does IPC with Java payload
> Contains AI notes (Image 2)
Holy Christ, all of this for fucking gamers on Discord? Multi-staged masquerading payload with cross-language IPC? What the fuck?
> "hey smelly, is this malware?"
> sends url
> look inside (image 1)
> base64 encoded string installer
> obviously malware
> decode
> look inside
> obviously malware (image 2)
> decode the gunky stuff
> verse-57(.)com
> curl request to gunky url (image 3)
> gives 3.143mb file
> look inside
> CA FE BA BE
> ???
> CA FE BA BE
> ???
> java file?
> hash file
> 5a897367792b56d8c8b3fe624937ea97
> never seen before on vt
> closest match to static signature is amos stealer
> legit macOS malware
> i dont do macOS malware
> i dont know how to use a mac (image 4)
A person operating under the moniker "mizanthropiaz" compromised the Brazilian governments Emergency Alert System in Sao Paulo, Rio, and Brasilia. The Threat Actor sent a notification to hundreds of thousands of people which read "misanthropi4".
More details have emerged regarding the compromise, and truthfully, it is terrifying. The Brazilian government is extremely secure and it is quite remarkable any living person could have gotten past their enhanced security measures.
"mizanthropiaz" found a username and password login to the Brazilian governments Emergency Alert System. The username and password was present because an employee working there accidentally infected themselves with malware in 2016.
The employee there did not change the password in over 10 years.
But, after the employee accidentally infected their computer with malware, did they change their password? No.
But, did the Brazilian government do IP address blacklisting which would prevent unauthorized devices from accessing the Emergency Alert System? No.
But, did the Brazilian government require a VPN connection to authenticate to the Emergency Alert System because it's a government network? No.
But, did the Brazilian government require MFA (e-mail, text, or Authenticator Code)? No.
But, did the Brazilian government send notifications on new devices connecting? No.
But, did the Brazilian government issue alerts on password changes or password change requests? No.
But, did the Brazilian government require e-mail verification prior to changing or resetting passwords? No.
But, did the Brazilian government have rate-limiting to prevent brute-force attacks? No.
But, did the Brazilian government introduce a CAPTCHA to prevent brute-force attacks? Yes, but it was 2+2 and it never changed. It always asked "2+2="
But, did the Brazilian government require password complexity to make brute-forcing difficult? No, the password to the Brazilian government employee was the same as their username.
More information: https://www.nationalcrimeagency.gov.uk/news/cyber-criminals-who-hacked-into-transport-for-londons-computer-network-are-convicted
Читать полностью…
Randomly remembered when one of the developers of the IcedId botnet successfully bribed Ukrainian police to forge his death certificate to avoid being arrested
That is so unbelievably cool and badass.
The best thing about being a Dad is that now I can dress like Dad
I just purchased several pairs of cargo shorts and button up shirts I intend on tucking in.
I get so many DMs, emails, and comments on social media of people calling me a cat
It's some sort of deep state psyop by silly cat picture to make me a furry
It's not going to work. Stop calling me a cat and stop asking me to meow you goobers