I'M BEING FRAMED

People who are asking for context: I frequently upload pictures of cats and cat memes and refer to them as kitty cats. The malware IoC file names are kitty and cat.

Hi

vx-underground is 7 years old, as of 2 days ago. I forgot my own website birthday.

Some of you who found vx-underground as early to mid teenagers are now adults.

Some of you who found vx-underground while attending university are now in the work force.

Some people who follow this account have unfortunately passed away.

Some followers have been arrested. Some followers have already been released from prison.

Some of you (including myself) have had children.

A lot has changed over the past 7 years.

The only thing that hasn't really changed is the website: free malware source code, samples, and papers, forever.

Thank you for letting me serve the community. It has been a pleasure. I look forward to serving all of you for another ... unknown duration of time, probably a long time, I don't know. I'm not sure how long I'll do this, but I'm already 7 years deep.

What does the future hold for vx-underground?

- More malware samples
- More malware papers
- More malware source code
- More silly pictures of kitty cats
- Sharing news I find interesting
- Commenting on news
- Sharing memes
- ???
- Remain free
- Eventually die

> get on social media
> nerds arguing about anti cheats
> nerds discuss antiviruses
> "anti viruses shouldn't be in kernel mode"

You are absolutely correct. Please have the anti-malware vendors migrate their detection engines to user-mode. Nothing bad could happen.

Chat, I'll tell you one thing right now, if end users complained so much that AV vendors were forced to migrate their detection engines to user-mode, I'd tell my wife to drop the baby off at Grandmas house.

It's Red Panty night.

The Pope is meeting up with Claude nerds to bless vibe coded slop, or something, I don't know

https://www.ncronline.org/vatican/vatican-news/pope-leo-present-his-encyclical-ai-alongside-anthropic-co-founder

Not too bad, got a C-

Someone on social media was bragging they got a CSAM website taken offline. They illustrated this by showing a CloudFlare report.

The report shows the domain this person reported. CloudFlare clearly states it is being investigated, forwarded to authorities, and thanks the person for the report.

This persons post (as of this writing) sits at over 782,000 views and, unsurprisingly, the website is not offline because it is being investigated. It has hundreds of comments and sub-comments, people are discussing the website, it's material, and explicitly noting it is not offline.

I'm speechless. This bragging was more akin to free advertisement.

I have added another 250,000 malwares to the malware collection.

Please download the malware here:
https://vx-underground.org

Thank you.

"haha you're not very underground anymore are you, vx-underground?"

IM SUFFERING FROM SUCCESS

Chat, I don't want to be that guy, but I think Microsoft has really pissed off security researchers and we're approaching the tipping point.

This Eclipse guy has really rocked the boat for Microsoft.

Microsoft Security Response Center put out a blog post today about Eclipse Nightmare guy

Basically they think he's super mean and totally not cool he's dropping zero days. They say you're a jerk if you do this stuff because it's dangerous and stuff

https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure

Hello,

Awhile ago some guy on Xitter was talking about his friend being scammed and losing Counter Strike stuff. I'm not a gamer, I don't understand Counter Strike markets and stuff, but the gist of everything was he purchased an item and he was (in some capacity) scammed?

He said Steam support was DMing him over Steam. People were memeing him, saying Steam doesn't communicate over Steam like an instant messenger client. People questioned the validity of the images.

I had a bunch of people DM me, tag me on the post, etc. I saw it, but I was busy with my baby boy, so I put it on the back burner. However, it peaked my interest because it was extremely unusual. I do play stuff on Steam sometimes, and I've never seen or heard of malware which is curated to specifically target Steam coupled with social engineering work.

Two things

1. I get tons of messages, DMs, and emails. I can't find the original post anymore. If you know what I'm describing please comment it below, or something, I don't know. The post itself is interesting and provides context to second part of this write-up.

2. This is malware. I was on THE STREETS DAWG (talking with stinky nerds on Telegram) passively to see if anyone knew anything about this. I was able to receive the payload as well the decompiled source code (it's written in Python). This malware was developed by some nerds in Russia determined to ... drain people on Counter Strike and steal their items? Again, I'm not a gamer or Counter Strike nerd, so I don't understand the objective of this malware or the monetary value behind this, but apparently it is enough to motivate someone to create malware which injects itself into Steam to allow them to manipulate the application and impersonate Steam support (API hooking).

I haven't had a chance to review the malware in totality yet. I've briefly skimmed it. It's got a bunch of different modules and stages. Someone seems to have put quite a bit of effort into this. I've never seen anything like this, so it's really cool.

On a side note, I've been noticing a trend of Threat Actors targeting Steam. It was initially by creating fake and malicious games. Now we are seeing malware payloads that inject themselves into the Steam application itself and manipulate it in ways to trick users into giving them valuable video game items or potentially pushing more malware to their machine.

Very cool.

Someone commented on Xitter immediately. Context for TG nerds:

https://x.com/GMBA/status/2059692291028144219

I got the payload to this malware. It is absurdly silly. This malware is killing me bro. It is so unbelievably silly.

This was 100% written using Claude or ChatGPT. I've never seen a malware payload LEAVE NOTES describing what it's doing.

The malware has a Powershell script that connects to the C2 for stinky malware stuff. This module is responsible for persistence. Thankfully their persistence script documented the entire code base and file locations.

Very cool. Thank you spoopy Russian Counter Strike scammers.

Even more silly, the C2 is hardcoded as a string (seen in attached image). The C2 address shows it has been an active malware campaign since at least January 31st, 2026 based off of data present on VirusTotal. It was initially uploaded as "9lixh".

This persistence script was from a victim machine so I've censored some data. Regardless, the botched cyrillic notes also makes me giggle.

Russian to English translations present in this silly script which documents everything for us:
# Пути для удаления
# Paths for deletion

# Завершаем процессы python и pythonw
# Terminate/finish the python and pythonw processes

# Удаляем автозапуск из реестра
# Remove autorun from the registry

# Завершаем процесс монитора
# Stop the monitoring process

# Новая функция для проверки f.json и убийства процессов
# New function for checking f.json and killing processes

# Проверяем флаг library
# Check the library flag

# Список процессов для убийства
# List of processes to kill

# Проверка флага удаления (каждые 20 секунд)
# Check the deletion flag (every 20 seconds)

# 20 секунд при интервале 2 секунды
# 20 seconds with a 2-second interval

# Проверка f.json и убийство процессов (каждые 4 секунды)
# Check f.json and kill processes (every 4 seconds)