Microsoft Security Response Center put out a blog post today about Eclipse Nightmare guy

Basically they think he's super mean and totally not cool he's dropping zero days. They say you're a jerk if you do this stuff because it's dangerous and stuff

https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure

Hello,

Awhile ago some guy on Xitter was talking about his friend being scammed and losing Counter Strike stuff. I'm not a gamer, I don't understand Counter Strike markets and stuff, but the gist of everything was he purchased an item and he was (in some capacity) scammed?

He said Steam support was DMing him over Steam. People were memeing him, saying Steam doesn't communicate over Steam like an instant messenger client. People questioned the validity of the images.

I had a bunch of people DM me, tag me on the post, etc. I saw it, but I was busy with my baby boy, so I put it on the back burner. However, it peaked my interest because it was extremely unusual. I do play stuff on Steam sometimes, and I've never seen or heard of malware which is curated to specifically target Steam coupled with social engineering work.

Two things

1. I get tons of messages, DMs, and emails. I can't find the original post anymore. If you know what I'm describing please comment it below, or something, I don't know. The post itself is interesting and provides context to second part of this write-up.

2. This is malware. I was on THE STREETS DAWG (talking with stinky nerds on Telegram) passively to see if anyone knew anything about this. I was able to receive the payload as well the decompiled source code (it's written in Python). This malware was developed by some nerds in Russia determined to ... drain people on Counter Strike and steal their items? Again, I'm not a gamer or Counter Strike nerd, so I don't understand the objective of this malware or the monetary value behind this, but apparently it is enough to motivate someone to create malware which injects itself into Steam to allow them to manipulate the application and impersonate Steam support (API hooking).

I haven't had a chance to review the malware in totality yet. I've briefly skimmed it. It's got a bunch of different modules and stages. Someone seems to have put quite a bit of effort into this. I've never seen anything like this, so it's really cool.

On a side note, I've been noticing a trend of Threat Actors targeting Steam. It was initially by creating fake and malicious games. Now we are seeing malware payloads that inject themselves into the Steam application itself and manipulate it in ways to trick users into giving them valuable video game items or potentially pushing more malware to their machine.

Very cool.

Someone commented on Xitter immediately. Context for TG nerds:

https://x.com/GMBA/status/2059692291028144219

I got the payload to this malware. It is absurdly silly. This malware is killing me bro. It is so unbelievably silly.

This was 100% written using Claude or ChatGPT. I've never seen a malware payload LEAVE NOTES describing what it's doing.

The malware has a Powershell script that connects to the C2 for stinky malware stuff. This module is responsible for persistence. Thankfully their persistence script documented the entire code base and file locations.

Very cool. Thank you spoopy Russian Counter Strike scammers.

Even more silly, the C2 is hardcoded as a string (seen in attached image). The C2 address shows it has been an active malware campaign since at least January 31st, 2026 based off of data present on VirusTotal. It was initially uploaded as "9lixh".

This persistence script was from a victim machine so I've censored some data. Regardless, the botched cyrillic notes also makes me giggle.

Russian to English translations present in this silly script which documents everything for us:
# Пути для удаления
# Paths for deletion

# Завершаем процессы python и pythonw
# Terminate/finish the python and pythonw processes

# Удаляем автозапуск из реестра
# Remove autorun from the registry

# Завершаем процесс монитора
# Stop the monitoring process

# Новая функция для проверки f.json и убийства процессов
# New function for checking f.json and killing processes

# Проверяем флаг library
# Check the library flag

# Список процессов для убийства
# List of processes to kill

# Проверка флага удаления (каждые 20 секунд)
# Check the deletion flag (every 20 seconds)

# 20 секунд при интервале 2 секунды
# 20 seconds with a 2-second interval

# Проверка f.json и убийство процессов (каждые 4 секунды)
# Check f.json and kill processes (every 4 seconds)

me reverse engineering malware that targets steam

I learned quite a bit from this actually.

I didn't know Steam was a Chromium app. Hence, you can kill Steam then relaunch it with the "-cef-enable-debugging" flag.

Once you'll launched Steam with this, you can inject Javascript into Steam using Chromium "webSocketDebuggingUrl" stuff.

This malware has a whole pseudo-framework of Javascript that can do:
- Alert Bell (?)
- Block pages
- "Help page" (?)
- Inventory manipulation
- Steam library manipulation
- Profile manipulation
- Steam redirections

Basically, this malware payload switches Steam into a Chromium debug state, then sends web debug requests (kind of like Chrome Dev Tools?) to manipulate the Steam pages. It injects Javascript.

The chat window that spawns is from a remote host they control. This is really cool.

Is it AI slop? Yes

Is this code EXTREMELY easy to reverse engineer? Yes

Did they unironically document their entire code base in Russian because it was (probably) written using Claude and the authors probably speak Russian? Yes

Is this extremely creative and cool? Yes

Special thanks to "pro" from 2c44. He handed me the payload and the decompiled Python. The malware .py was Base64 encoded ... so obtaining the original source was ridiculously easy.

Hello,

If you're a person who enjoys malware and/or knows Python and wants to see malware that targets STEAM and GAMERS, I have the source code to a malware I have named "Stealer.Python.GMBA.Manipulator".

This malware was originally noted on Xitter from GMBA.

In summary, this Python malware kills the Steam process and relaunches it with the "-cef-enable-debugging" flag. Because Steam is a Chromium app, this allows the malware payload to manipulate Steam web pages with web socket gunk and Javascript gunk.

This malware can "modify" user inventories, "block users", etc. It is all a facade designed to trick and social engineer Steam users into giving their expensive Counter Strike stuff to them.

It appears to be written using AI. Regardless of that fact this malware is creative and I like it.

The malware source code to this can be found under the "/Python/" directory. It is named "Stealer.Python.GMBA.Manipulator.7z".

This malware campaign is still active and the C2 is still live. If you execute the __main__.py file you might cook yourself, so be careful. Alternatively, you can run this in a VM and send the malware campaign authors pictures of Goatse.

https://github.com/vxunderground/MalwareSourceCode

A long long time ago, when I first got into malware, I met a kid who was a little older than me who, by all standards of measurement, was significantly more intelligent and gifted than me.

He made me feel like a moron.

Very quickly he established a reputation on IRC for being "the guy", despite being like, 16. His parents were financially well off and extremely supportive and sent him to DEFCON. He had a really great PC setup. He had it all lined up. He was destined for an amazing and strong career in information security. I was extremely envious of him because he also had a super pretty girlfriend while somehow being a massive nerd. His parents bought him a car. In my eyes he had it all.

On my side, I had some old piece of crap computer. I didn't even have a computer chair, I used some ghetto dining room table chair made from janky wood. It was all beat up and yucky.

I struggled learning C. On IRC I was basically the village idiot and memed all the time (although in good jest). My friend would become frustrated with me because of how slow I learned.

I was a poor kid. I wasn't like, poor-poor like, homeless or whatever, but his parents has significantly more money than mine and were capable for providing for their son in ways my family could not.

I'm not entirely sure what happened because, despite him learning faster, retaining more information, having more resources, having amazing opportunities, ... he threw it away. I have no idea why. He lost his focus somehow and ended up working at a restaurant for a little bit as a server. He later worked at a mall kiosk.

I ended up being the successful one. I ended up having an amazing career in cybersecurity. I ended up knowing far more than him.

Sometimes I reflect on it and it blows my mind. I only surpassed him because I had endurance and was willing to continue the grind.

He had everything on a silver platter. He had so many amazing opportunities. He could have gone so far, he was so incredibly gifted and smart.

I have no idea what he was thinking to make him squander it all.

I guess the moral of the story is that turtle and the rabbit thingy has truth to it.

Hello

I have added more malware to the malware collection place. I have added 150,000 malwares and a bunch of malware reversing papers coupled with malwares.

Please download the malware.

vx-underground.org/Updates

This is beautiful.

The kids are finding FREE MALWARE and understand the beauty of free malware.

Thank you, Skinpack.

Yesterday I got a funny DM. s00pcan said some AI slop is automatically forking his Linux open-source projects and adding goofy ass ReadMe files to look all fancy. The primary difference though is the ReadMe includes a "download here" link which delivers a .zip file.

The .zip file contains cool and badass malware. The malware is also free. Yay

This is a campaign which has been identified by various AV vendors since April, 2026. It is attributed to StealC.

In this particular instance though it is very, very silly. The exact mechanic in which this StealC group is using to automagically fork projects on GitHub, insert bogus ReadMe files, etc. is unknown. Clearly it is AI generated. However, this group failed to account for all edge cases because ... this is malware developed for Windows ... but it is from a Linux audio driver fork.

This yet again however a use case of AI in malware campaigns. StealC has been around forever and clearly isn't AI slop. However, Threat Actors are using AI to generate fancy schmancy ReadMe files. Very cool. Thank you, Mr. Smart GPU-thingy.

The following GitHub I'll be linking is giving FREE malware. Visiting the page won't give you the free malware. At the top of the ReadMe is a "Download" section with a hyperlink to "pcie_dante_snd_v1.4".

If you care what this payload does:
Inside this .zip file is "Application.cmd", "dir-dot-cc", "lua51.dll", and "loader.exe".

Application.cmd is a command line file, it launches loader.exe. Loader.exe is responsible for loading the "dir" file. Loader.exe is dependent on lua51.dll because the "dir" file is a GIANT obfuscated Lua file.

I hate Lua and I hate dealing with obfuscated Lua, I refuse to be a victim of Lua, so instead of trying to bonk it with a stick I emulated it. Unsurprisingly, the malicious Lua file tries to harvest credentials from Chrome and exfiltrate them to a remote host.

Free malware: github-dot-com/mbyington67-prog/snd-dante-pcie/tree/master

tl;dr ai slopping and forking github, delivers malware that uses obfuscated lua, i like cats a lot

Silly emulation gunk: https://tria.ge/260531-gepdbsas8t/behavioral2

As I'm sure you've all seen by now, nerds have been exploiting Meta's AI agent goop to steal Instagram accounts.

The Instagram AI agent for support could be convinced to reset the credentials to other users accounts by asking nicely and do a super gnarly kickflip on a skateboard, or something, I don't know.

Everyone on social media was freaking out. The trending posts on Xitter was people being all like ERRMERGERD ME INSTAGRAM ACCNT WAS STOLEN. It also resulted in some celebrities having their accounts stolen. One stolen account showed some rapper named Lil Tracy (?) messaging 14 year olds, or something, despite being 18 at the time.

All the big cybersecurity nerds were discussing it, yelling about AI, taking the opportunity to meme Zuckerberg (as is tradition).

The AI exploit thingy has apparently existed for awhile, a few months apparently, but that is kind of just gossip. I haven't seen any solid proof of that. Meta supposedly fixed the issue, but some people are saying you can still ask nicely and do a super gnarly heelflip and Instagram goop gives you account resets.

Cool stuff bro, it's AI, it's lit

pic unrelated

Fuck Bricks and Minifigs

Instagram still hasn't (correctly) patched their AI goop account reset thingy. Accounts are still being stolen and Instagram hasn't said anything about it. Nerds continue to find ways to convince AI to reset accounts for them.

People on social media are freaking out because some of these profiles apparently are big sources of revenue for them.

Meanwhile, rumors are floating around that a few weeks ago Instagram laid off a large percentage of their Trust & Safety department and had it replaced with AI.

Very cool

This is a very silly photo.

WeezerOSINT shared a photo of someone speaking with Instagram Trust & Safety. They told him what he is describing is "impossible" and denied the existence of the AI bug thing

"It doesn't exist, nerd. AI is never wrong" - Zuckerberg, probably