Poking MalwareBytes with a stick continues. I fell down a weird rabbit hole.
MalwareBytes contains a file that is packaged with it called "malwarebytes_assistant.exe". This file is written in C#.NET; it subsequently loads malwarebytes_assistant.dll.
As the name implies, it is indeed an assistant file. It accepts commands and does things based on the commands given to it. There are a lot of commands, but here are the interesting ones.
- AddExclusion (can't find it though)
- Deactivate
- DisableWebProtection
- StopService
- LaunchProcess
- SetRegistryValue
- CreateWFCRule
- ModifyWFCRule
- DeleteWFCRule
LaunchProcess and SetRegistryValue check the parent process of the invoker. If it is not from a process that is signed by MalwareBytes, it fails. However, everything else works. It does prompt UAC, but it says it's coming from MalwareBytes.
tl;dr disable MalwareBytes, modify Windows Firewall, etc. It displays as MalwareBytes doing it.
We must continue poking it with a stick.
tl;dr
"C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.exe" --disablertp
yay no more protection
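A defender-side detection sketch for the behaviour this thread describes (added example, not code from the post or from Malwarebytes): it scores process-creation events in which malwarebytes_assistant.exe is launched by a parent that is not Malwarebytes-signed with one of the commands the post lists as unchecked, or with --disablertp. The event schema and sample events are constructed, and matching the command names as plain substrings of the command line is an assumption.

```python
"""Detection sketch for the malwarebytes_assistant.exe behaviour described
above: flag the assistant being driven by a parent that is not itself
Malwarebytes-signed. Added example, not code from the post or from
Malwarebytes. The event schema (image, cmdline, parent_image, parent_signer)
is constructed; the command names and --disablertp come from the thread,
but matching them as plain substrings of the command line is an assumption."""

ASSISTANT = "malwarebytes_assistant.exe"
VENDOR = "malwarebytes"   # expected substring of a legitimate parent's signer

# Commands the post reports as NOT checking the invoking parent, plus the
# --disablertp switch shown in the reply.
UNGATED = ("deactivate", "disablewebprotection", "stopservice",
           "createwfcrule", "modifywfcrule", "deletewfcrule", "--disablertp")
# Commands the post reports as parent-signature gated (expected to fail
# from a foreign parent, still worth recording as an attempt).
GATED = ("launchprocess", "setregistryvalue")


def classify(event):
    """Return (level, reason); level is 'alert', 'note' or None."""
    image = event.get("image", "").lower()
    if not image.endswith(ASSISTANT):
        return None, "not the assistant"
    # Look only at what follows the image name so the path itself cannot match.
    cmd = event.get("cmdline", "").lower()
    args = cmd.split(ASSISTANT, 1)[-1]
    parent = event.get("parent_image", "<unknown>")
    # Unknown signer is treated as non-vendor (fail closed for detection).
    parent_ok = VENDOR in (event.get("parent_signer") or "").lower()
    ungated = [c for c in UNGATED if c in args]
    gated = [c for c in GATED if c in args]
    if ungated and not parent_ok:
        return "alert", f"{ungated} invoked from non-vendor parent {parent}"
    if gated and not parent_ok:
        return "note", f"{gated} attempted from non-vendor parent {parent}"
    if ungated or gated:
        return "note", f"vendor-signed {parent} ran {ungated + gated}"
    return None, "assistant started without protection-affecting arguments"


def scan(events):
    """Run classify over a batch; return [(event id, level, reason)] for hits."""
    findings = []
    for e in events:
        level, reason = classify(e)
        if level:
            findings.append((e["id"], level, reason))
    return findings


# Constructed sample process-creation events, not real telemetry.
MBAM = r"C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": MBAM, "cmdline": f'"{MBAM}" --disablertp',
     "parent_image": "cmd.exe", "parent_signer": "Microsoft Windows"},
    {"id": 2, "image": MBAM, "cmdline": f'"{MBAM}" DisableWebProtection',
     "parent_image": "vendor_ui.exe", "parent_signer": "Malwarebytes Inc."},
    {"id": 3, "image": MBAM, "cmdline": f'"{MBAM}" LaunchProcess',
     "parent_image": "powershell.exe", "parent_signer": None},
    {"id": 4, "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe",
     "parent_image": "explorer.exe", "parent_signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding)
```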
It's 10pm and I'm reverse engineering Javascript malware targeting FiveM.
Why are people making malware for Grand Theft Auto V roleplay servers
I fucking HATE this shit. I hate dealing with this type of obfuscation. Ugh.
https://raw.githubusercontent.com/Linux123123/fivem-malware/refs/heads/main/second_stage/nulljj.js
I was reverse engineering this Grand Theft Auto V malware that targets FiveM stuff. It was a big ol' mess of obfuscated Javascript. I hate obfuscated Javascript.
I posted I hated obfuscated Javascript.
Subsequently, a very nice person named nullableVoidPtr deobfuscated the massive code base for me when I was sleeping. Thank you. I love you.
Anyway, when I began poking it with a stick I discovered the malware connects to blum-panel(.)me. It registers there. It's the C2.
When you visit via HTTPS it notifies you of their Discord server (also references to their Discord in their code?)?
When you connect to their Discord they advertise security services for Grand Theft Auto V stuff ... ?
What the fuck.
Dawg, do you NOT run a malware campaign and advertise it on Discord like this. Are you OUT OF YOUR MIND?
When I shared that obfuscated Javascript payload that was targeting Grand Theft Auto V FiveM stuff, I had like 6 nerds pop out the bushes telling me how much they enjoy working with obfuscated payloads (Javascript, Lua, Powershell, etc).
WHO ARE YOU PEOPLE? WHO HURT YOU?
There are people out there who unironically like deobfuscating stuff like this (see attached link).
Imagine that level of schizophrenia. Imagine waking up and enjoying pain and suffering.
https://raw.githubusercontent.com/Linux123123/fivem-malware/refs/heads/main/second_stage/nulljj.js
Sabrina Thipdavone Rhodes, an Intelligence Analyst with the Nevada High Intensity Drug Trafficking Area (HIDTA) working with the United States Drug Enforcement Administration, pleaded guilty to theft of property of the United States.
Rhodes stole and converted to cash 243,199.0421 of the virtual currency Ripple ("XRP") that had been seized by the DEA.
The value of the XRP stolen from the DEA Wallet would have been approximately $689,688.
More information, courtesy of the wonderful people of CourtWatch
https://storage.courtlistener.com/recap/gov.uscourts.cacd.989465/gov.uscourts.cacd.989465.3.0.pdf
Plea Agreement, #3 in United States v. Thipdavone Rhodes (C.D. Cal., 2:25-cr-00776), CourtListener.com
PLEA AGREEMENT filed by Plaintiff USA as to Defendant Sabrina Thipdavone Rhodes (ctr) (Entered: 10/02/2025)
The thing I find most admirable about my colleagues and peers in the United Kingdom is that they too dislike and distrust the government.
I'm like, "wtf y'all don't trust mfers either?" then I ask if they want to party and almost always they agree.
Good people across the pond
Nerds online have identified a malware strain using "Deno", some fancy Javascript run-time thingy. I have no idea what this means. However, other malware nerds have identified this as unique.
The payload is a second stage which comes from a payload impersonating TopWebComics (???).
They're targeting WEB COMIC NERDS (or not, nobody really knows yet for sure). It was first identified by @malwrhunterteam
Cybersecurity vendor Cylerian identified a similar malware campaign using this exact malware technique in early January 2026. This appears* to be a relatively novel malware campaign. Unfortunately, there is insufficient information to identify it more. It is difficult to ascertain for the time being if this is something truly unique or novel, or recycled stuff from a previous malware campaign.
tl;dr need to poke with stick. Not enough information. First glance looks interesting.
This payload is also interesting because it appears (at first glance) to contain mutation-like properties. When the first stage connects and downloads the second stage (in attached link is one of the mutated Javascript payloads), the code changes each time the loader connects to the URL. However, the core functionality (domains it connects to) seems* static.
tl;dr
Stage 1 - TopWebComicsv1.msi
Stage 2 - Weird URL, obfuscated Javascript payload
Stage 3 - ???
Stage 4 - Profit!!1
Stage 2 obfuscated Javascript changes each time it is downloaded, hence its mutation characteristics.
Some researchers have identified the same weird URL it uses to deliver the Stage 2 payload as also hosting an Amadey panel. Amadey is a very common Malware-as-a-Service provider. However, it would be ... unusual ... for an obfuscated polymorphic multi-staged Javascript payload to deliver Amadey. It would be a ton of complexity and sophistication to then throw it all out of the window for some run-of-the-mill crimeware.
If you're a nerd who likes trying to reverse engineer obfuscated Javascript this is your time to shine because, as of this moment, nobody has de-obfuscated it or determined which malware campaign it is potentially associated with.
Note: some of the obfuscation SUCKS. It's very clearly an information stealer. It targets cryptowallets, Discord (???), web browsers, etc.
tl;dr tl;dr crowdsourced malware reverse engineering for clout
https://gist.github.com/vxunderground/0d0c5f265d9f5248fa9dca171aec16ba
You don't have to be a genius to see this and say "Oh, it's targeting cryptocurrencies"
MalwareBytes has a local database on the machine. It is a SQLite database. It contains settings for various properties such as licensing, malware identified, and known-good and known-bad lists. This is standard anti-malware stuff. The database with "ThankYouForChoosingMalwarebytes" is the less interesting database, as it mostly contains settings (this can still be abused though).
Regardless, MalwareBytes does a couple of things with this SQLite stuff
MalwareBytes establishes a kernel-mode minifilter (mbam.sys). They set up minifilter callback routines to handle events on the system for process creation, process loading, and registry modification (Image 1).
In other words, MalwareBytes is notified immediately when a process is created or an executable image is loaded. When a process is created or an executable image is loaded, MalwareBytes has special functionality to temporarily "pause" execution so it can review it.
However, this "pause" happens faster than you or I can blink. Computers are fast.
mbam.sys creates an internal record of all processes running. When a new process is loaded it is added to this internal record. When a program is closed, it is removed from the record. It does this so it doesn't accidentally review or "pause" the same process twice.
When a program is added to this list, the kernel-mode component communicates with the user-mode component, which then signals and connects to a local SQLite database. The SQLite database then does a lookup to determine if the process "paused" is known or unknown (Image 2).
However, it should be noted, Image 2 is not the important SQLite instance I am looking for. This is something else MalwareBytes uses (and communicates with from kernel-mode components). The point still stands.
If it is known, it communicates back to the kernel-mode component that it is known. If it is known, and known to be malicious, MalwareBytes takes action on the program attempting to run and immediately stops execution. If it is known to be good, MalwareBytes marks it internally as "seen" and keeps it in its internal record.
Image 3 is from the internal database they use. It's fairly large and is mostly settings. I still haven't found where the really nice, big, and important dataset they use is. It requires more poking and more sticks.
Going to do a write-up on poking MalwareBytes with a stick, how it works fundamentally, some possible attack vectors against it, ... then I'll do something else.
If you have any recommendations on what I should poke with a stick please let me know.
Hello,
We have hit a significant milestone. 400,000 followers.
What does this mean? I've got 400,000 little people inside of my internet. I don't know how so many tiny people got in here, but you're in there.
Thank you for the love and support. If any of you by chance happen to be extremely wealthy please consider giving me a large quantity of money so I don't have to do work.
I would love having a large quantity of money.
Mildly interesting things about this account's followers:
- Some of you are sex workers. Is this surprising that sex workers are on the internet? No. Is it surprising sex workers are interested in malware? Kind of. I'm aware some of the sex workers following this account are very famous and it surprised me.
- Some of you are employed by the United States government. I'm well aware some of you are employed by the FBI or NSA. It is very strange receiving a $5 monthly recurring donation from someone employed by the NSA. I'll take your money still.
- Some of you work for governments outside the United States. It is interesting receiving emails from foreign militaries asking about particular malware samples. It is also surprising some of you email me (unironically) from your military emails.
- Some of you are criminals. Yes, I see your emails and messages. I see you're ransoming places, developing ransomware, or extorting people. I speak with criminals less now because I have a baby boy and I don't want him to grow up thinking Daddy is an internet schizo.
- Some of you are regular people who do regular stuff. I see you commenting and being curious about stuff. It's surprising seeing teachers, or students, or local politicians, or geologists, or firefighters, or athletes, talking to me about malware. Once again, is it surprising normal people are on the internet? No. Is it interesting to see a random ass person curious about malware? Kind of. I enjoy it.
- Some of you are unironically professional video game players. If I ever want to be carried in a video game I WILL call in a favor.
- Some of you work for cool companies. I'm always delighted to get contacted by a company like Rockstar Games, or NVIDIA, or Walmart (unironically).
- Some of you are dead. I've lost several friends, peers, and colleagues since vx-underground was created. Sometimes I look at your accounts, scroll your post history, and feel sad.
Lots of cool people doing cool stuff. I appreciate the love and support over the past 6.5 years.
Cheers,
- smelly smellington
mY tEsLa iS sElF dRiViNg
This is ancient technology. Nothing new. My Dad's '94 Toyota had self-driving capabilities.
It was called "cruise control".
All you did was flip the switch and then let Jesus take the wheel.
Sometimes we ran over pedestrians, drove on the sidewalk, sped through red lights, but God dammit it WORKED. We didn't need any "government" telling us how to cruise.