> be me
> find something interesting
> poke with stick
> interesting
> google
> find website that describes exactly what im doing
> x86matthew

HOW TF THIS MFER BEAT ME TO IT TWICE IN A ROW

Bill Gates was friends with Jeffrey Epstein.

Guess who wasn't?

> wake up
> take a shit
> get out of bed
> check xitter
> ultra wealthy arguing
> accusing each other of beings PDF files
> splendid

Guess who wasn't in the Epstein files?

Coca Cola cat wasn't.

Guess who wasn't in the Epstein files?

Malware allegedly targeting "People's Playground", a popular game on Steam, from the mods workshop (as is tradition).

The game developer didn't have the common courtesy to share the malware. MAKES ME SICK.

https://store.steampowered.com/news/app/1118200/view/534373847137256681

In 2014 Epstein advised someone hire Hector Monsegur a/k/a Sabu of LulzSec for something.

EFTA01922639

Pic unrelated

For the record, I'm not implying Sabu worked with Epstein. This is just me highlighting yet another instance of Epstein keeping tabs on the information security ecosystem.

> Notepad++ says infra compromised
> Suspects Chinese state-sponsored hackers
> "Why would China hate Notepad++????"
> Look inside

Notepad++ compromised (long pedantic version so nerds shut up)

- Notepad++ update infrastructure was compromised
- Notepad++ suspects it is the Chinese government
- No evidence provided currently demonstrating why they suspect it was the Chinese government
- Only "select targets" were delivered malicious Notepad++ from update infrastructure
- No information is provided who "select targets" were
- No information provided why they believe it was selective
- No information on what was delivered to "selective targets"
- Compromise timeline blurry
- "Incident began" JUNE, 2025
- Hosting infrastructure says "September 2, 2025"
- Attackers maintained access until "December 2nd, 2025"
- Notepad++ states they believe compromise was JUNE THROUGH DECEMBER, conflicting with hosting provider
- No analysis released yet on "exact technical mechanism"
- No IoCs (Indicator of compromise) released

My initial post wasn't precise enough and didn't provide EXACT SPECIFICATIONS covering every potential edge case for the readers. Nerds began arguing in the comment section, arguing any specific edge case I didn't cover in my post, and blowing up my notifications as a result.

Holy cow, dude. Have this extremely verbose version.

Thanks,

I wrote "unknown state-sponsored actor" because Notepad++ doesn't explicitly provide WHY THEY SUSPECT CHINA other than "experts said".

I wrote "your machine is compromised" because NO DETAILS ARE PROVIDED that convey WHAT HAPPENED yet nerds want to argue one of the two:

- "ERRRM ACHTUALLY, IT SAYS ONLY SPECIFIC TARGETS, WE DONT FOR SURE IF ANYONE IS COMPROMISED"
- "oHh WeLl U ShOulD AssUme CoMprOmIse"

Then the nerds want to argue the timeline specifics

ERRR SCHMELLY, IT HE SAYS IT COULD BE AS EARLY AS JUNE, BUT HE ISNT SURE, U SHOULD HAVE SAID IT MIGHT BE JUNE, OR SEPTEMBER, NO ONE KNOWS, BUT FOR SURE SEPTEMBER

Anyway, it was kind of annoying me. Have your verbose version. I have stuff to do. Smell ya later, NERDS
-smelly smellington

Rapid7 did a write-up on the Notepad++ compromise. Rapid7 released the paper fast af boi

How?
1. They sat on it
or...
2. Called in all the malware analysis schizos for lock the fuck in time

tldr ya prolly China lol

https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

THE CHINESE GOVERNMENT USED MICROSOFT WARBIRD APIS FOR OBFUSCATION

> proof-of-concept by DownWithUpSec in 2023
> 30 stars on GitHub
> 62 likes on Xitter

This is fucking FIRE research. Insanely slept on research. I am FLABBERGASTED.

This is fucking amazing work

https://downwithup.github.io/blog/post/2023/04/23/post9.html

Non-malware schizos asking about why the Notepad++ malware payload was so interesting.

Okay, we'll discuss it without getting too schizo.

First, Rapid7 (and other various Cyber Threat Intelligence vendors) seem to generally attribute the Notepad++ compromise to Chinese APT group "Lotus Bloom". They attribute it to Lotus Blossom because they tend to recycle code segments to save time. Basically, fingerprints.

Lotus Blossom is the invented name intelligence organizations have assigned to a group of Chinese government sponsored hackers. Their true identity is unknown, but speculative. It is not one person, it is likely a group of unknown size, it could two people, it could 15 people.

Lotus Blossom has been active since 2009 (or so they speculate). Lotus Blossom are not noobs who do hacker noob stuff. Lotus Blossom is assigned high-profile tasks. Lotus Blossom does extremely specific targets, most notably they are instructed by the Chinese government to hack government institutions, telecom companies, aviation companies, and critical infrastructure (nuclear power plants, electrical power grids, hydroelectric dams, etc) in Southeast Asia and Central America.

When Lotus Blossom targeted Notepad++, and users in specific regions (presumably Southeast Asia and Central America) attempted to do an update it delivered "Chrysalis Backdoor". Chrysalis Backdoor is the name intelligence companies invented and now call this malware.

Chrysalis Backdoor used a lot of really common malware techniques which truthfully I won't go too much into (API hashing, custom implementations of GetProcAddress, malware nerd stuff). However, what makes this malware very special is it's usage of Microsoft Warbird.

Microsoft Warbird is a proprietary technology which is rarely discussed. It is an internal library Microsoft uses to obfuscate it's instruction set in-memory. In other words, it's Microsoft really fancy custom way of preventing people from reverse engineering what Windows is doing when it's running.

Unknown to me personally (and a lot of people apparently), in the past few years (2023) some security researchers have discovered ways to discretely use Microsoft Warbird and use it as a weapon. Basically, you can use undocumented APIs in Windows to use Warbird for your malware. This provides a way to hide what your malicious code is doing while it's running without needing any external tooling or custom implementations. They're weaponizing Microsoft's anti-tampering and/or anti-reverse engineering technology for malicious purposes. This is extremely impressive because it shows:

1. Lotus Blossom pays close attention to really talented security researchers or...
2. Lotus Blossom has really good security researchers on payroll

Both are totally possible.

The remainder of the Lotus Blossom tooling is fairly generic malware stuff and isn't too terribly impressive. Lotus Blossom (unironically) did a very good job hijacking Notepad++ update infrastructure and weaponizing Microsoft's anti-tampering technology (Warbird).

Some people asked, "do I need to worry about this effecting my computer?".

The answer is: No.

Lotus Blossom is an extremely skilled and patient group with high-profile targets. This would be like asking, "do I need to worry about Navy Seal Team Six kidnapping me?"

This group isn't going to target some random stinky nerd on Xitter, they're not going to waste their time attacking Susie Schnarf on Facebook, they're going after serious institutions with objectives and goals in mind.

... unless you're a well-known politician located in Southeast Asia or Central America with information related to national security ... then maybe you should have more security concerns ...

🚨BREAKING NEWS🚨

JEFFREY EPSTEIN KEPT A FULL COPY OF THE 2005 BASH REFERENCE MANUAL

https://www.justice.gov/epstein/files/DataSet%209/EFTA00315849.pdf

Okay, I'm done trying to might lighthearted jokes about the Epstein files. As I see more posts about them I become more depressed. My only cope is silly memes about it (gallows humor).

I'm going to bed now. Tomorrow we malware and post silly cat pictures.

Pic unrelated

When I was younger I had a brief stint as a general IT worker for a large company. I had a company vehicle and I would drive location to location doing support tickets.

One time I drove to a location, hopped out the car, walked in the door, told the lady behind the counter I was from corporate and I need to work on some stuff. She said, "Oh, hello! Let me open the door for you!" and let me in.

I went into the back. I got lost. I realized I was at the wrong location. My destination was the company directly next door.

I walked to the front and said, "Oh my goodness, I'm so sorry. I thought this was ____.". She laughed and said "Nope, wrong place".

We both laughed. I apologized. I walked out and went to my actual destination.

In retrospect, GOD DAMN. I could have been a fucking THREAT ACTOR. These fucking people didn't verify me AT ALL. I just walked in dressed like an IT nerd and they just fucking let me in, full access, everything. What in THE FUCK?

> opensourcemalware.com
> community database
> collection of open source malware
> malware that targets github stuff
> malicious npm packages, etc
> "for the infosec community"
> look inside
> can't download stuff
> only lists ioc
> "Upgrade to Pro" to view more