vx-underground
The largest collection of malware source, samples, and papers on the internet.

Password: infected

https://vx-underground.org/
I have continued to poke MalwareBytes with a stick. I've written a little article about it.

I discuss their main executable, some of their minifilter stuff, their proprietary file format ... I haven't even scratched the surface. I am TIRED

https://malwaresourcecode.com/home/my-projects/write-ups/malwarebytes-internals-incomplete
There is so much to reverse with their "SwissKnife", internal COM stuff, their internal protocol, their VPN technology, their hooking mechanisms.

I don't know if I got that dog in me to finish this. It's really interesting, but I want to do something else now.
One of my biggest weaknesses is writing. I hate writing.

My cybersecurity peers, colleagues, and friends who have the willpower to sit down and write and explain their work (or discoveries) are truly amazing.

I'd argue the process of writing is actually more difficult than the actual reverse engineering and/or development part. Partially because it's really boring, partially because it requires you to put structure and coherency on the madness floating around in your brain.

Huge shout-out to the nerds who have written big ass blog posts (or books).
Discussion on the internet today on the origins of traffic on the highway and the accordion effect it produces.

People were critical toward others who intentionally slowed down to be "nosey" about car accidents.

Let me be totally clear: I am one of those people.

I want to see the aftermath of a violent car accident. I am curious who is involved. I want to see a dead body. I 100% will slow down and take my time to inspect the scene. If possible, I will take out my phone and try to record it so I can show my friends later.
A few days ago malwrhunterteam discovered a new malware family (I think, I couldn't find any family overlap, vendors please confirm).

I poked it with a stick. I've named it Smokest.

It was deobfuscated by nullableVoidPtr. It's neato.

https://malwaresourcecode.com/home/my-projects/write-ups/smokest-stealer-a-new-malware-family-maybe
FYI: Security researcher pedro2sudo (I have no idea who they are, they just randomly send me pictures of cats) has noted the discovery of malware targeting HyTale

What does this mean? I don't know. I'm not a NERD.
We've solved the mystery. Who's That Pokemon? It's CastleRAT a/k/a TAG-150!

Okay, here is the drama and scoop, or whatever. I don't know if anyone cares, but this has been a really interesting puzzle with lots of twists and turns.

Previously malwrhunterteam discovered an unusual malicious .MSI file called "TopWebComics". It dropped an obfuscated .JS file.

nullableVoidPtr deobfuscated the malicious .JS, I reverse engineered it and named it "Smokest Stealer". However, Kali3ndo went off my research notes and discovered that Smokest drops an additional malicious .PS1 file when Smokest connects to the C2.

The malicious .PS1 file drops a malicious .PY file, encoded with PyArmor. The Python script extracts a payload from a .JPEG.

After reviewing it, poking it with a stick, and having all sorts of fun, it turns out this payload was first noted by YungBinary in August, 2025. This payload is CastleRAT (and tracked as TAG-150 by RecordedFuture).

CastleRAT payload found January 18th:
8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402

"Smokest Stealer" MSI:
5a1c14335d0a8b007ff2813e6ef738e8836be38257cc82fe03c02b71d71e1b01

"Smokest Stealer" JS:
29e13df9547d4e85e7ca3fc5b95eab90f56a233aabc406638bee2ded368acd3d

Thank you to my peers and colleagues for reversing this with me throughout the day and having fun with it. This was a very silly malware sample.
Big news coming later today. It'll be the slopocalypse.

I don't feel like writing about it right now, because I'm tired from a teething baby with sleep regression, but basically all these fucking AI vibe coders are using Firebase and like, 22,000,000 records are exposed, or something, an outrageously high number.

Also, a disgustingly high amount of people trying to use AI for CSAM.

It's not my research, it's someone else's, but I want to give them a proper shout out and explanation of their work.

I cannot stress this enough: DO NOT TRUST VIBE CODERS. DO NOT DO IT. AI CODE IS NOT SECURE. DO NOT DO IT. STOP THE SLOP.
It's the slopocalypse.

OSINT nerd Harrris0n has created "Firehound". He (or others, I don't know) have begun the daunting task of hunting AI slop in the Apple app store.

They have identified (as of this writing) 198 iOS apps which leak information on users (in some capacity). Unsurprisingly, the top are all related to AI.

The top currently leaking user data is "Chat & Ask AI by Codeway" which has exposed 18M users information including:
- Name
- Email
- Creation date
- Messages (sent, received, content, etc)
- Voice chats
... anything you've said to this AI agent is exposed. It is 400,000,000+ messages... (Image 1, redacted)

Next up on the slop-o-meter is "YPT - Study Group" which currently exposes over 2M users' information including:
- AI tokens
- User ID
- User Key
- Chats (sent, received, content)

This is all AI slop for things under education, entertainment, graphic design, health and fitness, "lifestyle", social networking, and more.

Some of the stuff present is absurd. Harrris0n notes the presence of people doing CSAM (child pornography) related things with the AI agents. (tl;dr pedophiles' identifying information currently leaking online) ... as well as "LooksMaxxing" stuff (???).

It's an infinite black hole of user personally identifiable information, besides just names, emails, etc, but also their personal conversations with AI agents.

It's the slopocalypse.

See for yourself:

https://firehound.covertlabs.io/
Troy Hunt from HaveIBeenPwned seeing 198 vulnerable apps (and counting) exposing user PII (he's going to be busy for months)
> It's the year 2026
> Future_af_boi.exe
> Anyone can make anything, or something
> Can bring ideas to life easily
> Vibe coded app leaks these magical ideas
> Look inside
wtf is bro doing