vx-underground
Notepad++ compromised (long pedantic version so nerds shut up) - Notepad++ update infrastructure was compromised - Notepad++ suspects it is the Chinese government - No evidence provided currently demonstrating why they suspect it was the Chinese governmentβ¦
I wrote "unknown state-sponsored actor" because Notepad++ doesn't explicitly provide WHY THEY SUSPECT CHINA other than "experts said".
I wrote "your machine is compromised" because NO DETAILS ARE PROVIDED that convey WHAT HAPPENED yet nerds want to argue one of the two:
- "ERRRM ACHTUALLY, IT SAYS ONLY SPECIFIC TARGETS, WE DONT FOR SURE IF ANYONE IS COMPROMISED"
- "oHh WeLl U ShOulD AssUme CoMprOmIse"
Then the nerds want to argue the timeline specifics
ERRR SCHMELLY, IT HE SAYS IT COULD BE AS EARLY AS JUNE, BUT HE ISNT SURE, U SHOULD HAVE SAID IT MIGHT BE JUNE, OR SEPTEMBER, NO ONE KNOWS, BUT FOR SURE SEPTEMBER
Anyway, it was kind of annoying me. Have your verbose version. I have stuff to do. Smell ya later, NERDS
-smelly smellington
I wrote "your machine is compromised" because NO DETAILS ARE PROVIDED that convey WHAT HAPPENED yet nerds want to argue one of the two:
- "ERRRM ACHTUALLY, IT SAYS ONLY SPECIFIC TARGETS, WE DONT FOR SURE IF ANYONE IS COMPROMISED"
- "oHh WeLl U ShOulD AssUme CoMprOmIse"
Then the nerds want to argue the timeline specifics
ERRR SCHMELLY, IT HE SAYS IT COULD BE AS EARLY AS JUNE, BUT HE ISNT SURE, U SHOULD HAVE SAID IT MIGHT BE JUNE, OR SEPTEMBER, NO ONE KNOWS, BUT FOR SURE SEPTEMBER
Anyway, it was kind of annoying me. Have your verbose version. I have stuff to do. Smell ya later, NERDS
-smelly smellington
π€£51β€9π₯°7π1π€1
Rapid7 did a write-up on the Notepad++ compromise. Rapid7 released the paper fast af boi
How?
1. They sat on it
or...
2. Called in all the malware analysis schizos for lock the fuck in time
tldr ya prolly China lol
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
How?
1. They sat on it
or...
2. Called in all the malware analysis schizos for lock the fuck in time
tldr ya prolly China lol
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Rapid7
The Chrysalis Backdoor: A Deep Dive into Lotus Blossomβs toolkit
π€37β€6π₯°6
Non-malware schizos asking about why the Notepad++ malware payload was so interesting.
Okay, we'll discuss it without getting too schizo.
First, Rapid7 (and other various Cyber Threat Intelligence vendors) seem to generally attribute the Notepad++ compromise to Chinese APT group "Lotus Bloom". They attribute it to Lotus Blossom because they tend to recycle code segments to save time. Basically, fingerprints.
Lotus Blossom is the invented name intelligence organizations have assigned to a group of Chinese government sponsored hackers. Their true identity is unknown, but speculative. It is not one person, it is likely a group of unknown size, it could two people, it could 15 people.
Lotus Blossom has been active since 2009 (or so they speculate). Lotus Blossom are not noobs who do hacker noob stuff. Lotus Blossom is assigned high-profile tasks. Lotus Blossom does extremely specific targets, most notably they are instructed by the Chinese government to hack government institutions, telecom companies, aviation companies, and critical infrastructure (nuclear power plants, electrical power grids, hydroelectric dams, etc) in Southeast Asia and Central America.
When Lotus Blossom targeted Notepad++, and users in specific regions (presumably Southeast Asia and Central America) attempted to do an update it delivered "Chrysalis Backdoor". Chrysalis Backdoor is the name intelligence companies invented and now call this malware.
Chrysalis Backdoor used a lot of really common malware techniques which truthfully I won't go too much into (API hashing, custom implementations of GetProcAddress, malware nerd stuff). However, what makes this malware very special is it's usage of Microsoft Warbird.
Microsoft Warbird is a proprietary technology which is rarely discussed. It is an internal library Microsoft uses to obfuscate it's instruction set in-memory. In other words, it's Microsoft really fancy custom way of preventing people from reverse engineering what Windows is doing when it's running.
Unknown to me personally (and a lot of people apparently), in the past few years (2023) some security researchers have discovered ways to discretely use Microsoft Warbird and use it as a weapon. Basically, you can use undocumented APIs in Windows to use Warbird for your malware. This provides a way to hide what your malicious code is doing while it's running without needing any external tooling or custom implementations. They're weaponizing Microsoft's anti-tampering and/or anti-reverse engineering technology for malicious purposes. This is extremely impressive because it shows:
1. Lotus Blossom pays close attention to really talented security researchers or...
2. Lotus Blossom has really good security researchers on payroll
Both are totally possible.
The remainder of the Lotus Blossom tooling is fairly generic malware stuff and isn't too terribly impressive. Lotus Blossom (unironically) did a very good job hijacking Notepad++ update infrastructure and weaponizing Microsoft's anti-tampering technology (Warbird).
Okay, we'll discuss it without getting too schizo.
First, Rapid7 (and other various Cyber Threat Intelligence vendors) seem to generally attribute the Notepad++ compromise to Chinese APT group "Lotus Bloom". They attribute it to Lotus Blossom because they tend to recycle code segments to save time. Basically, fingerprints.
Lotus Blossom is the invented name intelligence organizations have assigned to a group of Chinese government sponsored hackers. Their true identity is unknown, but speculative. It is not one person, it is likely a group of unknown size, it could two people, it could 15 people.
Lotus Blossom has been active since 2009 (or so they speculate). Lotus Blossom are not noobs who do hacker noob stuff. Lotus Blossom is assigned high-profile tasks. Lotus Blossom does extremely specific targets, most notably they are instructed by the Chinese government to hack government institutions, telecom companies, aviation companies, and critical infrastructure (nuclear power plants, electrical power grids, hydroelectric dams, etc) in Southeast Asia and Central America.
When Lotus Blossom targeted Notepad++, and users in specific regions (presumably Southeast Asia and Central America) attempted to do an update it delivered "Chrysalis Backdoor". Chrysalis Backdoor is the name intelligence companies invented and now call this malware.
Chrysalis Backdoor used a lot of really common malware techniques which truthfully I won't go too much into (API hashing, custom implementations of GetProcAddress, malware nerd stuff). However, what makes this malware very special is it's usage of Microsoft Warbird.
Microsoft Warbird is a proprietary technology which is rarely discussed. It is an internal library Microsoft uses to obfuscate it's instruction set in-memory. In other words, it's Microsoft really fancy custom way of preventing people from reverse engineering what Windows is doing when it's running.
Unknown to me personally (and a lot of people apparently), in the past few years (2023) some security researchers have discovered ways to discretely use Microsoft Warbird and use it as a weapon. Basically, you can use undocumented APIs in Windows to use Warbird for your malware. This provides a way to hide what your malicious code is doing while it's running without needing any external tooling or custom implementations. They're weaponizing Microsoft's anti-tampering and/or anti-reverse engineering technology for malicious purposes. This is extremely impressive because it shows:
1. Lotus Blossom pays close attention to really talented security researchers or...
2. Lotus Blossom has really good security researchers on payroll
Both are totally possible.
The remainder of the Lotus Blossom tooling is fairly generic malware stuff and isn't too terribly impressive. Lotus Blossom (unironically) did a very good job hijacking Notepad++ update infrastructure and weaponizing Microsoft's anti-tampering technology (Warbird).
π₯50β€25π₯°6π€―1
vx-underground
Non-malware schizos asking about why the Notepad++ malware payload was so interesting. Okay, we'll discuss it without getting too schizo. First, Rapid7 (and other various Cyber Threat Intelligence vendors) seem to generally attribute the Notepad++ compromiseβ¦
Some people asked, "do I need to worry about this effecting my computer?".
The answer is: No.
Lotus Blossom is an extremely skilled and patient group with high-profile targets. This would be like asking, "do I need to worry about Navy Seal Team Six kidnapping me?"
This group isn't going to target some random stinky nerd on Xitter, they're not going to waste their time attacking Susie Schnarf on Facebook, they're going after serious institutions with objectives and goals in mind.
... unless you're a well-known politician located in Southeast Asia or Central America with information related to national security ... then maybe you should have more security concerns ...
The answer is: No.
Lotus Blossom is an extremely skilled and patient group with high-profile targets. This would be like asking, "do I need to worry about Navy Seal Team Six kidnapping me?"
This group isn't going to target some random stinky nerd on Xitter, they're not going to waste their time attacking Susie Schnarf on Facebook, they're going after serious institutions with objectives and goals in mind.
... unless you're a well-known politician located in Southeast Asia or Central America with information related to national security ... then maybe you should have more security concerns ...
π₯°60π19π10π―8β€6
π¨BREAKING NEWSπ¨
JEFFREY EPSTEIN KEPT A FULL COPY OF THE 2005 BASH REFERENCE MANUAL
https://www.justice.gov/epstein/files/DataSet%209/EFTA00315849.pdf
JEFFREY EPSTEIN KEPT A FULL COPY OF THE 2005 BASH REFERENCE MANUAL
https://www.justice.gov/epstein/files/DataSet%209/EFTA00315849.pdf
π107π€£31π₯20π₯°11β€6π€―3π2π€1
vx-underground
π¨BREAKING NEWSπ¨ JEFFREY EPSTEIN KEPT A FULL COPY OF THE 2005 BASH REFERENCE MANUAL https://www.justice.gov/epstein/files/DataSet%209/EFTA00315849.pdf
Okay, I'm done trying to might lighthearted jokes about the Epstein files. As I see more posts about them I become more depressed. My only cope is silly memes about it (gallows humor).
I'm going to bed now. Tomorrow we malware and post silly cat pictures.
Pic unrelated
I'm going to bed now. Tomorrow we malware and post silly cat pictures.
Pic unrelated
β€102π₯°11π€£7π4π3π1
When I was younger I had a brief stint as a general IT worker for a large company. I had a company vehicle and I would drive location to location doing support tickets.
One time I drove to a location, hopped out the car, walked in the door, told the lady behind the counter I was from corporate and I need to work on some stuff. She said, "Oh, hello! Let me open the door for you!" and let me in.
I went into the back. I got lost. I realized I was at the wrong location. My destination was the company directly next door.
I walked to the front and said, "Oh my goodness, I'm so sorry. I thought this was ____.". She laughed and said "Nope, wrong place".
We both laughed. I apologized. I walked out and went to my actual destination.
In retrospect, GOD DAMN. I could have been a fucking THREAT ACTOR. These fucking people didn't verify me AT ALL. I just walked in dressed like an IT nerd and they just fucking let me in, full access, everything. What in THE FUCK?
One time I drove to a location, hopped out the car, walked in the door, told the lady behind the counter I was from corporate and I need to work on some stuff. She said, "Oh, hello! Let me open the door for you!" and let me in.
I went into the back. I got lost. I realized I was at the wrong location. My destination was the company directly next door.
I walked to the front and said, "Oh my goodness, I'm so sorry. I thought this was ____.". She laughed and said "Nope, wrong place".
We both laughed. I apologized. I walked out and went to my actual destination.
In retrospect, GOD DAMN. I could have been a fucking THREAT ACTOR. These fucking people didn't verify me AT ALL. I just walked in dressed like an IT nerd and they just fucking let me in, full access, everything. What in THE FUCK?
β€108π€£59π±11π₯°3
> opensourcemalware.com
> community database
> collection of open source malware
> malware that targets github stuff
> malicious npm packages, etc
> "for the infosec community"
> look inside
> can't download stuff
> only lists ioc
> "Upgrade to Pro" to view more
> community database
> collection of open source malware
> malware that targets github stuff
> malicious npm packages, etc
> "for the infosec community"
> look inside
> can't download stuff
> only lists ioc
> "Upgrade to Pro" to view more
π105π€17π’10β€6π₯°6π€3
vx-underground
> opensourcemalware.com > community database > collection of open source malware > malware that targets github stuff > malicious npm packages, etc > "for the infosec community" > look inside > can't download stuff > only lists ioc > "Upgrade to Pro" to viewβ¦
Am I the only malware place that doesn't require proving your identity and paying for something?
What happened to doing shit for the love of the game? Do I need to go and pull all these samples and make my own now?
What happened to doing shit for the love of the game? Do I need to go and pull all these samples and make my own now?
β€139π₯°17π9π―5π«‘1
This media is not supported in your browser
VIEW IN TELEGRAM
Hello,
I have added more malware development papers to the malware place you sometimes visit. I have a massive queue of stuff to add and I am now slowly working through it
Info: https://vx-underground.org/Updates
Video related
I have added more malware development papers to the malware place you sometimes visit. I have a massive queue of stuff to add and I am now slowly working through it
Info: https://vx-underground.org/Updates
Video related
β€57π₯6π₯°6π’3π2
> be me
> early 2019
> like writing malware for fun
> have boring programming job
> decide to make crappy website
> save cool malware papers I like
> maybe someone will find it
> maybe someone think it's cool too
> make crappy twitter account
> decide to share updates on stuff
> doubt anyone will care
> some people notice immediately
> get 200 followers
> celebrate 200 people caring
> keep adding malware papers
> decide to also share malware
> people can download it to study
> add more
> add more everyday
> try to be super serious and cool
> use edgy dark art and stuff
> fast forward
> 2026
> website about to turn 7
> 68,000 papers
> 40,000,000 malwares
> 400,000 followers
> lost mind from malware
> act like moron on twitter
> keep adding stuff
> also post dumb pictures of cats
My magnum opus, my life's work, my legacy which I may be remembered for, will be the guy who randomly decided to start collecting malware and continuously posted pictures of cats on the internet.
> early 2019
> like writing malware for fun
> have boring programming job
> decide to make crappy website
> save cool malware papers I like
> maybe someone will find it
> maybe someone think it's cool too
> make crappy twitter account
> decide to share updates on stuff
> doubt anyone will care
> some people notice immediately
> get 200 followers
> celebrate 200 people caring
> keep adding malware papers
> decide to also share malware
> people can download it to study
> add more
> add more everyday
> try to be super serious and cool
> use edgy dark art and stuff
> fast forward
> 2026
> website about to turn 7
> 68,000 papers
> 40,000,000 malwares
> 400,000 followers
> lost mind from malware
> act like moron on twitter
> keep adding stuff
> also post dumb pictures of cats
My magnum opus, my life's work, my legacy which I may be remembered for, will be the guy who randomly decided to start collecting malware and continuously posted pictures of cats on the internet.
β€βπ₯208β€40π₯°18π«‘8π7π₯5π3
vx-underground
EmEditor was hit by a supply-chain attack. Notepad++ was hit by a supply-chain attack. Guess who wasn't?
Answer: Microsoft Copilot 365 Premium Notepad Pro Plus (ID required to comply with UK laws)
What'd you think? Sublime? WRONG.
What'd you think? Sublime? WRONG.
π€£104π±19β€5π₯5π₯°4π’1
vx-underground
Photo
I posted this silly meme because I thought it was silly. I was not aware the woman in this photo was Silvie TomΔalovΓ‘ a/k/a Silvia Saint, the Czech former pornographic actress.
Gooners are locked in. This lady was doing pornography in '96.
Gooners are locked in. This lady was doing pornography in '96.
π72π€£33π₯°11β€6π±3π€3π€©1
Meanwhile on the internet, nerds discover a handwritten note in the Epstein files where Epstein wrote down the credentials to his email.
Reddit nerds have logged into the email now.
What will happen next? Find out next time on Dragon Ball Z
Reddit nerds have logged into the email now.
What will happen next? Find out next time on Dragon Ball Z
π€£100β€24π―7π5π€1
Privacy nerds:
> Tuta email
> XMR
> Qubes OS
> Tails
> No social media
> Live in a cave
Epstein:
> "hello i am sex trafficking children"
> Attached image as proof
> Sent from iPhone
> Tuta email
> XMR
> Qubes OS
> Tails
> No social media
> Live in a cave
Epstein:
> "hello i am sex trafficking children"
> Attached image as proof
> Sent from iPhone
π€£214π20β€11π―10β€βπ₯2π’2π1π₯°1