vx-underground
49.6K subscribers
4.34K photos
472 videos
84 files
1.53K links
The largest collection of malware source, samples, and papers on the internet.

Password: infected

https://vx-underground.org/
vx-underground
Hi, vx-underground is 7 years old, as of 2 days ago. I forgot my own website birthday. Some of you who found vx-underground as early to mid teenagers are now adults. Some of you who found vx-underground while attending university are now in the workforce.…
What does the future hold for vx-underground?

- More malware samples
- More malware papers
- More malware source code
- More silly pictures of kitty cats
- Sharing news I find interesting
- Commenting on news
- Sharing memes
- ???
- Remain free
- Eventually die
> get on social media
> nerds arguing about anti cheats
> nerds discuss antiviruses
> "anti viruses shouldn't be in kernel mode"

You are absolutely correct. Please have the anti-malware vendors migrate their detection engines to user-mode. Nothing bad could happen.
Chat, I'll tell you one thing right now, if end users complained so much that AV vendors were forced to migrate their detection engines to user-mode, I'd tell my wife to drop the baby off at Grandma's house.

It's Red Panty night.
Not too bad, got a C-
Someone on social media was bragging they got a CSAM website taken offline. They illustrated this by showing a CloudFlare report.

The report shows the domain this person reported. CloudFlare clearly states it is being investigated, forwarded to authorities, and thanks the person for the report.

This person's post (as of this writing) sits at over 782,000 views and, unsurprisingly, the website is not offline because it is being investigated. It has hundreds of comments and sub-comments; people are discussing the website, its material, and explicitly noting it is not offline.

I'm speechless. This bragging was more akin to free advertisement.
I have added another 250,000 malwares to the malware collection.

Please download the malware here:
https://vx-underground.org

Thank you.
"haha you're not very underground anymore are you, vx-underground?"

IM SUFFERING FROM SUCCESS
Chat, I don't want to be that guy, but I think Microsoft has really pissed off security researchers and we're approaching the tipping point.

This Eclipse guy has really rocked the boat for Microsoft.
Microsoft Security Response Center put out a blog post today about Eclipse Nightmare guy

Basically they think he's super mean and totally not cool he's dropping zero days. They say you're a jerk if you do this stuff because it's dangerous and stuff

https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure
Hello,

A while ago some guy on Xitter was talking about his friend being scammed and losing Counter Strike stuff. I'm not a gamer, I don't understand Counter Strike markets and stuff, but the gist of everything was he purchased an item and he was (in some capacity) scammed?

He said Steam support was DMing him over Steam. People were memeing him, saying Steam doesn't communicate over Steam like an instant messenger client. People questioned the validity of the images.

I had a bunch of people DM me, tag me on the post, etc. I saw it, but I was busy with my baby boy, so I put it on the back burner. However, it piqued my interest because it was extremely unusual. I do play stuff on Steam sometimes, and I've never seen or heard of malware which is curated to specifically target Steam coupled with social engineering work.

Two things

1. I get tons of messages, DMs, and emails. I can't find the original post anymore. If you know what I'm describing please comment it below, or something, I don't know. The post itself is interesting and provides context to the second part of this write-up.

2. This is malware. I was on THE STREETS DAWG (talking with stinky nerds on Telegram) passively to see if anyone knew anything about this. I was able to receive the payload as well as the decompiled source code (it's written in Python). This malware was developed by some nerds in Russia determined to ... drain people on Counter Strike and steal their items? Again, I'm not a gamer or Counter Strike nerd, so I don't understand the objective of this malware or the monetary value behind this, but apparently it is enough to motivate someone to create malware which injects itself into Steam to allow them to manipulate the application and impersonate Steam support (API hooking).

I haven't had a chance to review the malware in totality yet. I've briefly skimmed it. It's got a bunch of different modules and stages. Someone seems to have put quite a bit of effort into this. I've never seen anything like this, so it's really cool.

On a side note, I've been noticing a trend of Threat Actors targeting Steam. It was initially by creating fake and malicious games. Now we are seeing malware payloads that inject themselves into the Steam application itself and manipulate it in ways to trick users into giving them valuable video game items or potentially pushing more malware to their machine.

Very cool.
I got the payload to this malware. It is absurdly silly. This malware is killing me bro. It is so unbelievably silly.

This was 100% written using Claude or ChatGPT. I've never seen a malware payload LEAVE NOTES describing what it's doing.

The malware has a Powershell script that connects to the C2 for stinky malware stuff. This module is responsible for persistence. Thankfully their persistence script documented the entire code base and file locations.

Very cool. Thank you spoopy Russian Counter Strike scammers.

Even more silly, the C2 is hardcoded as a string (seen in attached image). The C2 address shows it has been an active malware campaign since at least January 31st, 2026 based off of data present on VirusTotal. It was initially uploaded as "9lixh".

This persistence script was from a victim machine so I've censored some data. Regardless, the botched Cyrillic notes also make me giggle.

Russian to English translations present in this silly script which documents everything for us:
# Пути для удаления
# Paths for deletion

# Завершаем процессы python и pythonw
# Terminate/finish the python and pythonw processes

# Удаляем автозапуск из реестра
# Remove autorun from the registry

# Завершаем процесс монитора
# Stop the monitoring process

# Новая функция для проверки f.json и убийства процессов
# New function for checking f.json and killing processes

# Проверяем флаг library
# Check the library flag

# Список процессов для убийства
# List of processes to kill

# Проверка флага удаления (каждые 20 секунд)
# Check the deletion flag (every 20 seconds)

# 20 секунд при интервале 2 секунды
# 20 seconds with a 2-second interval

# Проверка f.json и убийство процессов (каждые 4 секунды)
# Check f.json and kill processes (every 4 seconds)
Using this script you can also send these Russian people very important and private messages (I didn't message them this, this isn't my image, someone else did)

Images via "pro from 2c44"
me reverse engineering malware that targets steam
I learned quite a bit from this actually.

I didn't know Steam was a Chromium app. Hence, you can kill Steam then relaunch it with the "-cef-enable-debugging" flag.

Once you've launched Steam with this, you can inject Javascript into Steam using Chromium "webSocketDebuggingUrl" stuff.

This malware has a whole pseudo-framework of Javascript that can do:
- Alert Bell (?)
- Block pages
- "Help page" (?)
- Inventory manipulation
- Steam library manipulation
- Profile manipulation
- Steam redirections

Basically, this malware payload switches Steam into a Chromium debug state, then sends web debug requests (kind of like Chrome Dev Tools?) to manipulate the Steam pages. It injects Javascript.

The chat window that spawns is from a remote host they control. This is really cool.

Is it AI slop? Yes

Is this code EXTREMELY easy to reverse engineer? Yes

Did they unironically document their entire code base in Russian because it was (probably) written using Claude and the authors probably speak Russian? Yes

Is this extremely creative and cool? Yes

Special thanks to "pro" from 2c44. He handed me the payload and the decompiled Python. The malware .py was Base64 encoded ... so obtaining the original source was ridiculously easy.
Hello,

If you're a person who enjoys malware and/or knows Python and wants to see malware that targets STEAM and GAMERS, I have the source code to a malware I have named "Stealer.Python.GMBA.Manipulator".

This malware was originally noted on Xitter from GMBA.

In summary, this Python malware kills the Steam process and relaunches it with the "-cef-enable-debugging" flag. Because Steam is a Chromium app, this allows the malware payload to manipulate Steam web pages with web socket gunk and Javascript gunk.

This malware can "modify" user inventories, "block users", etc. It is all a facade designed to trick and social engineer Steam users into giving their expensive Counter Strike stuff to them.

It appears to be written using AI. Regardless of that fact this malware is creative and I like it.

The malware source code to this can be found under the "/Python/" directory. It is named "Stealer.Python.GMBA.Manipulator.7z".

This malware campaign is still active and the C2 is still live. If you execute the __main__.py file you might cook yourself, so be careful. Alternatively, you can run this in a VM and send the malware campaign authors pictures of Goatse.

https://github.com/vxunderground/MalwareSourceCode
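Both Steam posts above describe the same relaunch trick: the payload kills Steam and starts it again with "-cef-enable-debugging" so it can drive the embedded Chromium through the DevTools websocket. As an added example (not code from the vx-underground posts or from the malware itself), here is a small Python hunt over constructed process-creation events that flags steam.exe being relaunched with that flag by anything other than Steam's own processes or Explorer. Field names follow Sysmon's process-creation event (Image, CommandLine, ParentImage), the sample events are constructed, and the expected-parent list is an assumption to tune per environment.

```python
# Added example: hunt for steam.exe relaunched with the CEF debugging flag.
# Event records are constructed; field names mirror Sysmon Event ID 1.
from dataclasses import dataclass

DEBUG_FLAG = "-cef-enable-debugging"

# Parents that normally start steam.exe (assumption; adjust for your fleet).
# A scripting runtime such as pythonw.exe relaunching Steam is the pattern
# described in the posts and is what this hunt is meant to surface.
EXPECTED_PARENTS = {"explorer.exe", "steam.exe", "steamwebhelper.exe",
                    "steamservice.exe"}

@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    command_line: str   # command line of the new process
    parent_image: str   # full path of the parent process

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def has_debug_flag(command_line: str) -> bool:
    """True if any argument (after the executable) is the CEF debug flag."""
    tokens = [t.strip('"').lower() for t in command_line.split()]
    return DEBUG_FLAG in tokens[1:]

def find_suspicious_steam_launches(events):
    """Return steam.exe launches carrying the debug flag, with parent context."""
    hits = []
    for ev in events:
        if basename(ev.image) != "steam.exe" or not has_debug_flag(ev.command_line):
            continue
        parent = basename(ev.parent_image)
        hits.append({"pid": ev.pid, "parent": parent,
                     "expected_parent": parent in EXPECTED_PARENTS})
    return hits

# Constructed sample telemetry: a normal launch, the malicious relaunch, and
# a renderer child that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Program Files (x86)\Steam\steam.exe",
              r'"C:\Program Files (x86)\Steam\steam.exe"', r"C:\Windows\explorer.exe"),
    ProcEvent(4212, r"C:\Program Files (x86)\Steam\steam.exe",
              r'"C:\Program Files (x86)\Steam\steam.exe" -cef-enable-debugging',
              r"C:\Users\victim\AppData\Local\Programs\Python\Python312\pythonw.exe"),
    ProcEvent(4300, r"C:\Program Files (x86)\Steam\steamwebhelper.exe",
              r'"C:\Program Files (x86)\Steam\steamwebhelper.exe" --type=renderer',
              r"C:\Program Files (x86)\Steam\steam.exe"),
]

if __name__ == "__main__":
    for hit in find_suspicious_steam_launches(SAMPLE_EVENTS):
        print(hit)
```

A hit whose parent is outside EXPECTED_PARENTS is the case worth paging on; a hit from an expected parent still deserves a look, since nothing in normal use needs Steam started that way.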
A long long time ago, when I first got into malware, I met a kid who was a little older than me who, by all standards of measurement, was significantly more intelligent and gifted than me.

He made me feel like a moron.

Very quickly he established a reputation on IRC for being "the guy", despite being like, 16. His parents were financially well off and extremely supportive and sent him to DEFCON. He had a really great PC setup. He had it all lined up. He was destined for an amazing and strong career in information security. I was extremely envious of him because he also had a super pretty girlfriend while somehow being a massive nerd. His parents bought him a car. In my eyes he had it all.

On my side, I had some old piece of crap computer. I didn't even have a computer chair, I used some ghetto dining room table chair made from janky wood. It was all beat up and yucky.

I struggled learning C. On IRC I was basically the village idiot and memed all the time (although in good jest). My friend would become frustrated with me because of how slow I learned.

I was a poor kid. I wasn't like, poor-poor like, homeless or whatever, but his parents had significantly more money than mine and were capable of providing for their son in ways my family could not.

I'm not entirely sure what happened because, despite him learning faster, retaining more information, having more resources, having amazing opportunities, ... he threw it away. I have no idea why. He lost his focus somehow and ended up working at a restaurant for a little bit as a server. He later worked at a mall kiosk.

I ended up being the successful one. I ended up having an amazing career in cybersecurity. I ended up knowing far more than him.

Sometimes I reflect on it and it blows my mind. I only surpassed him because I had endurance and was willing to continue the grind.

He had everything on a silver platter. He had so many amazing opportunities. He could have gone so far, he was so incredibly gifted and smart.

I have no idea what he was thinking to make him squander it all.

I guess the moral of the story is that turtle and the rabbit thingy has truth to it.