As is tradition, I've become bored with my WinSock stuff. I accomplished what I wanted. I don't even feel like writing about it. I am now poking other stuff with a stick and I am very interested in it.
https://malwaresourcecode.com/home/my-projects/proof-of-concepts/https-tls-with-afd.sys-winsocks-not-necessary
https://malwaresourcecode.com/home/my-projects/proof-of-concepts/https-tls-with-afd.sys-winsocks-not-necessary
Malwaresourcecode
HTTPS TLS with AFD.sys, WinSocks not necessary | malware source code
β€40π₯°8π1
This media is not supported in your browser
VIEW IN TELEGRAM
> be me
> find something interesting
> poke with stick
> interesting
> google
> find website that describes exactly what im doing
> x86matthew
HOW TF THIS MFER BEAT ME TO IT TWICE IN A ROW
> find something interesting
> poke with stick
> interesting
> find website that describes exactly what im doing
> x86matthew
HOW TF THIS MFER BEAT ME TO IT TWICE IN A ROW
π€£116π₯°20β€10π₯6π€5π1π―1
This media is not supported in your browser
VIEW IN TELEGRAM
> wake up
> take a shit
> get out of bed
> check xitter
> ultra wealthy arguing
> accusing each other of beings PDF files
> splendid
> take a shit
> get out of bed
> check xitter
> ultra wealthy arguing
> accusing each other of beings PDF files
> splendid
π112β€25π€£18π₯°7β€βπ₯2π€2π€1
Malware allegedly targeting "People's Playground", a popular game on Steam, from the mods workshop (as is tradition).
The game developer didn't have the common courtesy to share the malware. MAKES ME SICK.
https://store.steampowered.com/news/app/1118200/view/534373847137256681
The game developer didn't have the common courtesy to share the malware. MAKES ME SICK.
https://store.steampowered.com/news/app/1118200/view/534373847137256681
Steampowered
People Playground - Urgent PSA - Steam News
I have temporarily disabled the Workshop for People Playground.
π46π«‘10π₯3π₯°2β€1π±1
vx-underground
In 2014 Epstein advised someone hire Hector Monsegur a/k/a Sabu of LulzSec for something. EFTA01922639 Pic unrelated
For the record, I'm not implying Sabu worked with Epstein. This is just me highlighting yet another instance of Epstein keeping tabs on the information security ecosystem.
π₯°41β€1
Notepad++ compromised (long pedantic version so nerds shut up)
- Notepad++ update infrastructure was compromised
- Notepad++ suspects it is the Chinese government
- No evidence provided currently demonstrating why they suspect it was the Chinese government
- Only "select targets" were delivered malicious Notepad++ from update infrastructure
- No information is provided who "select targets" were
- No information provided why they believe it was selective
- No information on what was delivered to "selective targets"
- Compromise timeline blurry
- "Incident began" JUNE, 2025
- Hosting infrastructure says "September 2, 2025"
- Attackers maintained access until "December 2nd, 2025"
- Notepad++ states they believe compromise was JUNE THROUGH DECEMBER, conflicting with hosting provider
- No analysis released yet on "exact technical mechanism"
- No IoCs (Indicator of compromise) released
- Notepad++ update infrastructure was compromised
- Notepad++ suspects it is the Chinese government
- No evidence provided currently demonstrating why they suspect it was the Chinese government
- Only "select targets" were delivered malicious Notepad++ from update infrastructure
- No information is provided who "select targets" were
- No information provided why they believe it was selective
- No information on what was delivered to "selective targets"
- Compromise timeline blurry
- "Incident began" JUNE, 2025
- Hosting infrastructure says "September 2, 2025"
- Attackers maintained access until "December 2nd, 2025"
- Notepad++ states they believe compromise was JUNE THROUGH DECEMBER, conflicting with hosting provider
- No analysis released yet on "exact technical mechanism"
- No IoCs (Indicator of compromise) released
π€£67β€14π₯°4π«‘3β€βπ₯1π1
vx-underground
Notepad++ compromised (long pedantic version so nerds shut up) - Notepad++ update infrastructure was compromised - Notepad++ suspects it is the Chinese government - No evidence provided currently demonstrating why they suspect it was the Chinese governmentβ¦
My initial post wasn't precise enough and didn't provide EXACT SPECIFICATIONS covering every potential edge case for the readers. Nerds began arguing in the comment section, arguing any specific edge case I didn't cover in my post, and blowing up my notifications as a result.
Holy cow, dude. Have this extremely verbose version.
Thanks,
Holy cow, dude. Have this extremely verbose version.
Thanks,
β€41π₯°4
vx-underground
Notepad++ compromised (long pedantic version so nerds shut up) - Notepad++ update infrastructure was compromised - Notepad++ suspects it is the Chinese government - No evidence provided currently demonstrating why they suspect it was the Chinese governmentβ¦
I wrote "unknown state-sponsored actor" because Notepad++ doesn't explicitly provide WHY THEY SUSPECT CHINA other than "experts said".
I wrote "your machine is compromised" because NO DETAILS ARE PROVIDED that convey WHAT HAPPENED yet nerds want to argue one of the two:
- "ERRRM ACHTUALLY, IT SAYS ONLY SPECIFIC TARGETS, WE DONT FOR SURE IF ANYONE IS COMPROMISED"
- "oHh WeLl U ShOulD AssUme CoMprOmIse"
Then the nerds want to argue the timeline specifics
ERRR SCHMELLY, IT HE SAYS IT COULD BE AS EARLY AS JUNE, BUT HE ISNT SURE, U SHOULD HAVE SAID IT MIGHT BE JUNE, OR SEPTEMBER, NO ONE KNOWS, BUT FOR SURE SEPTEMBER
Anyway, it was kind of annoying me. Have your verbose version. I have stuff to do. Smell ya later, NERDS
-smelly smellington
I wrote "your machine is compromised" because NO DETAILS ARE PROVIDED that convey WHAT HAPPENED yet nerds want to argue one of the two:
- "ERRRM ACHTUALLY, IT SAYS ONLY SPECIFIC TARGETS, WE DONT FOR SURE IF ANYONE IS COMPROMISED"
- "oHh WeLl U ShOulD AssUme CoMprOmIse"
Then the nerds want to argue the timeline specifics
ERRR SCHMELLY, IT HE SAYS IT COULD BE AS EARLY AS JUNE, BUT HE ISNT SURE, U SHOULD HAVE SAID IT MIGHT BE JUNE, OR SEPTEMBER, NO ONE KNOWS, BUT FOR SURE SEPTEMBER
Anyway, it was kind of annoying me. Have your verbose version. I have stuff to do. Smell ya later, NERDS
-smelly smellington
π€£51β€9π₯°7π1π€1
Rapid7 did a write-up on the Notepad++ compromise. Rapid7 released the paper fast af boi
How?
1. They sat on it
or...
2. Called in all the malware analysis schizos for lock the fuck in time
tldr ya prolly China lol
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
How?
1. They sat on it
or...
2. Called in all the malware analysis schizos for lock the fuck in time
tldr ya prolly China lol
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Rapid7
The Chrysalis Backdoor: A Deep Dive into Lotus Blossomβs toolkit
π€36β€6π₯°6
Non-malware schizos asking about why the Notepad++ malware payload was so interesting.
Okay, we'll discuss it without getting too schizo.
First, Rapid7 (and other various Cyber Threat Intelligence vendors) seem to generally attribute the Notepad++ compromise to Chinese APT group "Lotus Bloom". They attribute it to Lotus Blossom because they tend to recycle code segments to save time. Basically, fingerprints.
Lotus Blossom is the invented name intelligence organizations have assigned to a group of Chinese government sponsored hackers. Their true identity is unknown, but speculative. It is not one person, it is likely a group of unknown size, it could two people, it could 15 people.
Lotus Blossom has been active since 2009 (or so they speculate). Lotus Blossom are not noobs who do hacker noob stuff. Lotus Blossom is assigned high-profile tasks. Lotus Blossom does extremely specific targets, most notably they are instructed by the Chinese government to hack government institutions, telecom companies, aviation companies, and critical infrastructure (nuclear power plants, electrical power grids, hydroelectric dams, etc) in Southeast Asia and Central America.
When Lotus Blossom targeted Notepad++, and users in specific regions (presumably Southeast Asia and Central America) attempted to do an update it delivered "Chrysalis Backdoor". Chrysalis Backdoor is the name intelligence companies invented and now call this malware.
Chrysalis Backdoor used a lot of really common malware techniques which truthfully I won't go too much into (API hashing, custom implementations of GetProcAddress, malware nerd stuff). However, what makes this malware very special is it's usage of Microsoft Warbird.
Microsoft Warbird is a proprietary technology which is rarely discussed. It is an internal library Microsoft uses to obfuscate it's instruction set in-memory. In other words, it's Microsoft really fancy custom way of preventing people from reverse engineering what Windows is doing when it's running.
Unknown to me personally (and a lot of people apparently), in the past few years (2023) some security researchers have discovered ways to discretely use Microsoft Warbird and use it as a weapon. Basically, you can use undocumented APIs in Windows to use Warbird for your malware. This provides a way to hide what your malicious code is doing while it's running without needing any external tooling or custom implementations. They're weaponizing Microsoft's anti-tampering and/or anti-reverse engineering technology for malicious purposes. This is extremely impressive because it shows:
1. Lotus Blossom pays close attention to really talented security researchers or...
2. Lotus Blossom has really good security researchers on payroll
Both are totally possible.
The remainder of the Lotus Blossom tooling is fairly generic malware stuff and isn't too terribly impressive. Lotus Blossom (unironically) did a very good job hijacking Notepad++ update infrastructure and weaponizing Microsoft's anti-tampering technology (Warbird).
Okay, we'll discuss it without getting too schizo.
First, Rapid7 (and other various Cyber Threat Intelligence vendors) seem to generally attribute the Notepad++ compromise to Chinese APT group "Lotus Bloom". They attribute it to Lotus Blossom because they tend to recycle code segments to save time. Basically, fingerprints.
Lotus Blossom is the invented name intelligence organizations have assigned to a group of Chinese government sponsored hackers. Their true identity is unknown, but speculative. It is not one person, it is likely a group of unknown size, it could two people, it could 15 people.
Lotus Blossom has been active since 2009 (or so they speculate). Lotus Blossom are not noobs who do hacker noob stuff. Lotus Blossom is assigned high-profile tasks. Lotus Blossom does extremely specific targets, most notably they are instructed by the Chinese government to hack government institutions, telecom companies, aviation companies, and critical infrastructure (nuclear power plants, electrical power grids, hydroelectric dams, etc) in Southeast Asia and Central America.
When Lotus Blossom targeted Notepad++, and users in specific regions (presumably Southeast Asia and Central America) attempted to do an update it delivered "Chrysalis Backdoor". Chrysalis Backdoor is the name intelligence companies invented and now call this malware.
Chrysalis Backdoor used a lot of really common malware techniques which truthfully I won't go too much into (API hashing, custom implementations of GetProcAddress, malware nerd stuff). However, what makes this malware very special is it's usage of Microsoft Warbird.
Microsoft Warbird is a proprietary technology which is rarely discussed. It is an internal library Microsoft uses to obfuscate it's instruction set in-memory. In other words, it's Microsoft really fancy custom way of preventing people from reverse engineering what Windows is doing when it's running.
Unknown to me personally (and a lot of people apparently), in the past few years (2023) some security researchers have discovered ways to discretely use Microsoft Warbird and use it as a weapon. Basically, you can use undocumented APIs in Windows to use Warbird for your malware. This provides a way to hide what your malicious code is doing while it's running without needing any external tooling or custom implementations. They're weaponizing Microsoft's anti-tampering and/or anti-reverse engineering technology for malicious purposes. This is extremely impressive because it shows:
1. Lotus Blossom pays close attention to really talented security researchers or...
2. Lotus Blossom has really good security researchers on payroll
Both are totally possible.
The remainder of the Lotus Blossom tooling is fairly generic malware stuff and isn't too terribly impressive. Lotus Blossom (unironically) did a very good job hijacking Notepad++ update infrastructure and weaponizing Microsoft's anti-tampering technology (Warbird).
π₯46β€24π₯°6π€―1
vx-underground
Non-malware schizos asking about why the Notepad++ malware payload was so interesting. Okay, we'll discuss it without getting too schizo. First, Rapid7 (and other various Cyber Threat Intelligence vendors) seem to generally attribute the Notepad++ compromiseβ¦
Some people asked, "do I need to worry about this effecting my computer?".
The answer is: No.
Lotus Blossom is an extremely skilled and patient group with high-profile targets. This would be like asking, "do I need to worry about Navy Seal Team Six kidnapping me?"
This group isn't going to target some random stinky nerd on Xitter, they're not going to waste their time attacking Susie Schnarf on Facebook, they're going after serious institutions with objectives and goals in mind.
... unless you're a well-known politician located in Southeast Asia or Central America with information related to national security ... then maybe you should have more security concerns ...
The answer is: No.
Lotus Blossom is an extremely skilled and patient group with high-profile targets. This would be like asking, "do I need to worry about Navy Seal Team Six kidnapping me?"
This group isn't going to target some random stinky nerd on Xitter, they're not going to waste their time attacking Susie Schnarf on Facebook, they're going after serious institutions with objectives and goals in mind.
... unless you're a well-known politician located in Southeast Asia or Central America with information related to national security ... then maybe you should have more security concerns ...
π₯°56π19π10π―8β€6
π¨BREAKING NEWSπ¨
JEFFREY EPSTEIN KEPT A FULL COPY OF THE 2005 BASH REFERENCE MANUAL
https://www.justice.gov/epstein/files/DataSet%209/EFTA00315849.pdf
JEFFREY EPSTEIN KEPT A FULL COPY OF THE 2005 BASH REFERENCE MANUAL
https://www.justice.gov/epstein/files/DataSet%209/EFTA00315849.pdf
π99π€£29π₯19π₯°11β€6π€―3π2π€1