vx-underground
A few days ago malwrhunterteam discovered a new malware family (I think, I couldn't find any family overlap, vendors please confirm). I poked it with a stick. I've named it Smokest. It was deobfuscated by nullableVoidPtr. It's neato. https://malwareso…
It should probably be noted their C2 leaks information (don't tell them that). It shows Smokest has stolen 5,850 passwords, 23,085 cookies, 0 wallets.
https://gist.github.com/vxunderground/87ce045ddfa57f05e53e65e423b51f49
FYI: Security researcher pedro2sudo (I have no idea who they are, they just randomly send me pictures of cats) has noted the discovery of malware targeting HyTale
What does this mean? I don't know. I'm not a NERD.
We've solved the mystery. Who's That Pokemon? It's CastleRAT a/k/a TAG-150!
Okay, here is the drama and scoop, or whatever. I don't know if anyone cares, but this has been a really interesting puzzle with lots of twists and turns.
Previously malwrhunterteam discovered an unusual malicious .MSI file called "TopWebComics". It dropped an obfuscated .JS file.
nullableVoidPtr deobfuscated the malicious .JS, I reverse engineered it and named it "Smokest Stealer". However, Kali3ndo went off my research notes and discovered that Smokest drops an additional malicious .PS1 file when Smokest connects to the C2.
The malicious .PS1 file drops a malicious .PY file, encoded with PyArmor. The Python script extracts a payload from a .JPEG.
After reviewing it, poking it with a stick, and having all sorts of fun, it turns out this payload was first noted by YungBinary in August, 2025. This payload is CastleRAT (and tracked as TAG-150 by RecordedFuture).
CastleRAT payload found January, 18th:
8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402
"Smokest Stealer" MSI:
5a1c14335d0a8b007ff2813e6ef738e8836be38257cc82fe03c02b71d71e1b01
"Smokest Stealer" JS:
29e13df9547d4e85e7ca3fc5b95eab90f56a233aabc406638bee2ded368acd3d
Thank you to my peers and colleagues for reversing this with me throughout the day and having fun with it. This was a very silly malware sample.
More information about Threat Actor Group (TAG) 150:
https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations
Big news coming later today. It'll be the slopocalypse.
I don't feel like writing about it right now, because I'm tired from a teething baby with sleep regression, but basically all these fucking AI vibe coders are using Firebase and like, 22,000,000 records are exposed, or something, an outrageously high number.
Also, a disgustingly high amount of people trying to use AI for CSAM.
It's not my research, it's someone else's, but I want to give them a proper shout out and explanation of their work.
I cannot stress this enough: DO NOT TRUST VIBE CODERS. DO NOT DO IT. AI CODE IS NOT SECURE. DO NOT DO IT. STOP THE SLOP.
It's the slopocalypse.
OSINT nerd Harrris0n has created "Firehound". He (or others, I don't know) has begun the daunting task of hunting AI slop in the Apple app store.
They have identified (as of this writing) 198 iOS apps which leak information on users (in some capacity). Unsurprisingly, the top are all related to AI.
The top currently leaking user data is "Chat & Ask AI by Codeway" which has exposed 18M users' information including:
- Name
- Email
- Creation date
- Messages (sent, received, content, etc)
- Voice chats
... anything you've said to this AI agent is exposed. It is 400,000,000+ messages... (Image 1, redacted)
Next up on the slop-o-meter is "YPT - Study Group" which currently exposes over 2M users' information including:
- AI tokens
- User ID
- User Key
- Chats (sent, received, content, etc)
This is all AI slop for things under education, entertainment, graphic design, health and fitness, "lifestyle", social networking, and more.
Some of the stuff present is absurd. Harrris0n notes the presence of people doing CSAM (child pornography) related things with the AI agents. (tl;dr pedophiles' identifying information currently leaking online) ... as well as "LooksMaxxing" stuff (???).
It's an infinite blackhole of user personally identifiable information, besides just names, emails, etc, but also their personal conversations with AI agents.
It's the slopocalypse.
See for yourself:
https://firehound.covertlabs.io/
I deleted previous post and decided to do a mini-write-up for people too lazy to explore themselves, provide key insights, and also give Harrris0n credit for his work.
Look at this and tell me there is a God
https://gist.github.com/vxunderground/52cd17f363f83792243be814c1e85b30
I've been receiving messages from both Lockbit ransomware group and ALPHV ransomware group for months.
I've been so preoccupied with my newborn son I thought it was an imposter.
They've been trying to tell me stuff, and I just kept sending cat pictures. They eventually gave up and started replying with pictures of cats too.
¯\_(ツ)_/¯
Today ALPHV ransomware group (who swears they've never rebranded) informed me they've made a new ransomware group with a new and cool and badass name.
I learned a few things.
1. ALPHV follows me on social media. They pay attention to my posts (including kitty cat pictures).
2. ALPHV informed me that they're no longer going to use TOR for ransomware leaks or negotiations because "the FBI can fuck it". Instead everything they do will be stored on the blockchain.
Using the blockchain for malware, and malware accessories, isn't a new malware concept, however it is a relatively ... rare ... or more exotic TTP. If my memory serves me correctly (which it rarely does), the North Korean government has used cryptocurrency blockchains for malware delivery mechanisms and C2 persistence.
They told me they'll be using ICP (Internet Computer Protocol) blockchain.
I initially thought they meant "Insane Clown Posse" blockchain. For a brief moment in time I thought the Juggalos were getting involved in ransomware.
I'm not a cryptocurrency nerd, but they said they use ICP blockchain because ICP can "run smartcontract on server". I have no idea what this means.
What does all of this mean? I don't know. I've been out of the loop on cybercrime TMZ.
Yes, Dmitry Yuryevich Khoroshev, the alleged leader of Lockbit ransomware group, FBI Most Wanted, and sanctioned by the United States Department of Treasury, was attempting to contact me online.
For months I believed him to be an imposter.
This is what I kept sending him:
> be Dmitry Yuryevich Khoroshev
> bounty of $10,000,000 by FBI
> believed to possess $4,000,000,000 as a result of criminal extortion
> linked to botnets, money laundering, the russian government, bulletproof hosting
> tries to contact me
> send weird cat videos
imagine unironically being like, a fucking cyber cartel boss and some fucking retard american just keeps sending you cats