I got the payload to this malware. It is absurdly silly. This malware is killing me bro. It is so unbelievably silly.
This was 100% written using Claude or ChatGPT. I've never seen a malware payload LEAVE NOTES describing what it's doing.
The malware has a PowerShell script that connects to the C2 for stinky malware stuff. This module is responsible for persistence. Thankfully their persistence script documented the entire code base and file locations.
Very cool. Thank you spoopy Russian Counter Strike scammers.
Even more silly, the C2 is hardcoded as a string (seen in the attached image). The C2 address shows it has been an active malware campaign since at least January 31st, 2026, based on data present on VirusTotal. It was initially uploaded as "9lixh".
This persistence script was from a victim machine, so I've censored some data. Regardless, the botched Cyrillic notes also make me giggle.
Russian-to-English translations of the comments present in this silly script, which documents everything for us:
# Пути для удаления
# Paths for deletion
# Завершаем процессы python и pythonw
# Terminate the python and pythonw processes
# Удаляем автозапуск из реестра
# Remove autorun from the registry
# Завершаем процесс монитора
# Stop the monitoring process
# Новая функция для проверки f.json и убийства процессов
# New function for checking f.json and killing processes
# Проверяем флаг library
# Check the library flag
# Список процессов для убийства
# List of processes to kill
# Проверка флага удаления (каждые 20 секунд)
# Check the deletion flag (every 20 seconds)
# 20 секунд при интервале 2 секунды
# 20 seconds with a 2-second interval
# Проверка f.json и убийство процессов (каждые 4 секунды)
# Check f.json and kill processes (every 4 seconds)
Using this script you can also send these Russian people very important and private messages (I didn't message them this, this isn't my image, someone else did)
Images via "pro from 2c44"
me reverse engineering malware that targets steam
I learned quite a bit from this actually.
I didn't know Steam was a Chromium app. Hence, you can kill Steam then relaunch it with the "-cef-enable-debugging" flag.
Once you've launched Steam with this, you can inject Javascript into Steam using Chromium "webSocketDebuggingUrl" stuff.
This malware has a whole pseudo-framework of Javascript that can do:
- Alert Bell (?)
- Block pages
- "Help page" (?)
- Inventory manipulation
- Steam library manipulation
- Profile manipulation
- Steam redirections
Basically, this malware payload switches Steam into a Chromium debug state, then sends web debug requests (kind of like Chrome Dev Tools?) to manipulate the Steam pages. It injects Javascript.
The chat window that spawns is from a remote host they control. This is really cool.
Is it AI slop? Yes
Is this code EXTREMELY easy to reverse engineer? Yes
Did they unironically document their entire code base in Russian because it was (probably) written using Claude and the authors probably speak Russian? Yes
Is this extremely creative and cool? Yes
Special thanks to "pro" from 2c44. He handed me the payload and the decompiled Python. The malware .py was Base64 encoded ... so obtaining the original source was ridiculously easy.
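An added example, not the malware's code and not from vx-underground or "pro": a few hunting checks in Python for the kill-Steam, relaunch-with-the-flag, talk-to-the-debugger chain the post describes, run over constructed Sysmon-style telemetry so it works offline. The debug port (8080) and the shape of the process and network records are assumptions; the `-cef-enable-debugging` flag is the one the post names, and the DevTools target field is spelled `webSocketDebuggerUrl` in the protocol itself.

```python
"""Hunting checks for the Steam CEF debugging abuse described in the post.

Added example: not the malware's code and not vx-underground's. Runs offline
over constructed records.
Assumptions (verify before relying on them):
  - Steam's CEF remote-debugging listener sits on 127.0.0.1:8080 (the port
    is an assumption, check it on the build you run).
  - Process records carry image, command line and parent image, like Sysmon
    Event ID 1 / EDR process-creation telemetry.
  - Network records carry source image, destination IP and port, like Sysmon
    Event ID 3.
"""
import json
from dataclasses import dataclass

CEF_DEBUG_FLAG = "-cef-enable-debugging"   # the flag named in the post
STEAM_DEBUG_PORT = 8080                    # assumption, see module docstring
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass
class ProcEvent:
    image: str      # process image name, e.g. "steam.exe"
    cmdline: str    # full command line
    parent: str     # parent image name


@dataclass
class NetEvent:
    image: str      # process that opened the connection
    dst_ip: str
    dst_port: int


def steam_killed_by_script_host(procs):
    """The 'kill Steam' step: taskkill aimed at steam, spawned by a script host."""
    return [p for p in procs
            if p.image.lower() == "taskkill.exe"
            and "steam" in p.cmdline.lower()
            and p.parent.lower() in SCRIPT_HOSTS]


def steam_relaunched_for_debugging(procs):
    """The 'relaunch with the flag' step.

    steam.exe carrying the CEF debugging flag is odd on a gamer's machine by
    itself (medium); a script host as its parent makes it high.
    """
    hits = []
    for p in procs:
        if p.image.lower() == "steam.exe" and CEF_DEBUG_FLAG in p.cmdline.lower():
            severity = "high" if p.parent.lower() in SCRIPT_HOSTS else "medium"
            hits.append((severity, p))
    return hits


def foreign_clients_on_debug_port(nets):
    """Loopback connections to the debug port from anything that is not Steam.

    DevTools is plain HTTP plus WebSocket on loopback, so the only legitimate
    client is a developer's browser; python.exe on that port is the injection
    channel, whichever way the debug mode was switched on.
    """
    return [n for n in nets
            if n.dst_ip in ("127.0.0.1", "::1")
            and n.dst_port == STEAM_DEBUG_PORT
            and not n.image.lower().startswith("steam")]


def debuggable_page_targets(json_listing):
    """Parse a DevTools /json target list into (title, url, websocket_url) for pages.

    This listing is what an injector reads to choose a page; the field is
    spelled webSocketDebuggerUrl in the protocol.
    """
    targets = []
    for t in json.loads(json_listing):
        if t.get("type") == "page" and t.get("webSocketDebuggerUrl"):
            targets.append((t.get("title", ""), t.get("url", ""), t["webSocketDebuggerUrl"]))
    return targets


# Constructed sample telemetry, not from a real incident.
SAMPLE_PROCS = [
    ProcEvent("steam.exe", r'"C:\Program Files (x86)\Steam\steam.exe"', "explorer.exe"),
    ProcEvent("taskkill.exe", "taskkill /F /IM steam.exe", "pythonw.exe"),
    ProcEvent("steam.exe", r'"C:\Program Files (x86)\Steam\steam.exe" -cef-enable-debugging', "pythonw.exe"),
]
SAMPLE_NETS = [
    NetEvent("steamwebhelper.exe", "127.0.0.1", 8080),
    NetEvent("pythonw.exe", "127.0.0.1", 8080),
    NetEvent("chrome.exe", "203.0.113.7", 443),
]
SAMPLE_JSON_LISTING = json.dumps([
    {"type": "page", "title": "Steam", "url": "https://store.steampowered.com/",
     "webSocketDebuggerUrl": "ws://127.0.0.1:8080/devtools/page/AAAA"},
    {"type": "background_page", "title": "SharedJSContext", "url": "",
     "webSocketDebuggerUrl": "ws://127.0.0.1:8080/devtools/page/BBBB"},
])

if __name__ == "__main__":
    for p in steam_killed_by_script_host(SAMPLE_PROCS):
        print(f"[high] {p.parent} ran: {p.cmdline}")
    for sev, p in steam_relaunched_for_debugging(SAMPLE_PROCS):
        print(f"[{sev}] {p.parent} -> {p.image}: {p.cmdline}")
    for n in foreign_clients_on_debug_port(SAMPLE_NETS):
        print(f"[high] {n.image} connected to 127.0.0.1:{n.dst_port}")
    for title, url, ws in debuggable_page_targets(SAMPLE_JSON_LISTING):
        print(f"injectable page target: {title!r} {url} via {ws}")
```

On the constructed records it reports pythonw.exe killing steam, pythonw.exe relaunching steam.exe with the flag (high), pythonw.exe talking to the loopback debug port, and the one page target an injector would pick. One caveat for anyone turning this into a rule: from memory Steam can also switch the same CEF debugging mode on through a marker file in its install directory (`.cef-enable-remote-debugging`; verify on your own install), so a command-line-only check misses that path, while the loopback-port check catches both.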
Hello,
If you're a person who enjoys malware and/or knows Python and wants to see malware that targets STEAM and GAMERS, I have the source code to a malware I have named "Stealer.Python.GMBA.Manipulator".
This malware was originally noted on Xitter from GMBA.
In summary, this Python malware kills the Steam process and relaunches it with the "-cef-enable-debugging" flag. Because Steam is a Chromium app, this allows the malware payload to manipulate Steam web pages with web socket gunk and Javascript gunk.
This malware can "modify" user inventories, "block users", etc. It is all a facade designed to trick and social engineer Steam users into giving their expensive Counter Strike stuff to them.
It appears to be written using AI. Regardless of that fact this malware is creative and I like it.
The malware source code to this can be found under the "/Python/" directory. It is named "Stealer.Python.GMBA.Manipulator.7z".
This malware campaign is still active and the C2 is still live. If you execute the __main__.py file you might cook yourself, so be careful. Alternatively, you can run this in a VM and send the malware campaign authors pictures of Goatse.
https://github.com/vxunderground/MalwareSourceCode
A long long time ago, when I first got into malware, I met a kid who was a little older than me who, by all standards of measurement, was significantly more intelligent and gifted than me.
He made me feel like a moron.
Very quickly he established a reputation on IRC for being "the guy", despite being like, 16. His parents were financially well off and extremely supportive and sent him to DEFCON. He had a really great PC setup. He had it all lined up. He was destined for an amazing and strong career in information security. I was extremely envious of him because he also had a super pretty girlfriend while somehow being a massive nerd. His parents bought him a car. In my eyes he had it all.
On my side, I had some old piece of crap computer. I didn't even have a computer chair, I used some ghetto dining room table chair made from janky wood. It was all beat up and yucky.
I struggled learning C. On IRC I was basically the village idiot and memed all the time (although in good jest). My friend would become frustrated with me because of how slow I learned.
I was a poor kid. I wasn't like, poor-poor like, homeless or whatever, but his parents had significantly more money than mine and were capable of providing for their son in ways my family could not.
I'm not entirely sure what happened because, despite him learning faster, retaining more information, having more resources, having amazing opportunities, ... he threw it away. I have no idea why. He lost his focus somehow and ended up working at a restaurant for a little bit as a server. He later worked at a mall kiosk.
I ended up being the successful one. I ended up having an amazing career in cybersecurity. I ended up knowing far more than him.
Sometimes I reflect on it and it blows my mind. I only surpassed him because I had endurance and was willing to continue the grind.
He had everything on a silver platter. He had so many amazing opportunities. He could have gone so far, he was so incredibly gifted and smart.
I have no idea what he was thinking to make him squander it all.
I guess the moral of the story is that turtle and the rabbit thingy has truth to it.
Hello
I have added more malware to the malware collection place. I have added 150,000 malwares and a bunch of malware reversing papers coupled with malwares.
Please download the malware.
vx-underground.org/Updates
Yesterday I got a funny DM. s00pcan said some AI slop is automatically forking his Linux open-source projects and adding goofy ass ReadMe files to look all fancy. The primary difference though is the ReadMe includes a "download here" link which delivers a .zip file.
The .zip file contains cool and badass malware. The malware is also free. Yay
This is a campaign which has been identified by various AV vendors since April 2026. It is attributed to StealC.
In this particular instance though it is very, very silly. The exact mechanic in which this StealC group is using to automagically fork projects on GitHub, insert bogus ReadMe files, etc. is unknown. Clearly it is AI generated. However, this group failed to account for all edge cases because ... this is malware developed for Windows ... but it is from a Linux audio driver fork.
This is yet again, however, a use case of AI in malware campaigns. StealC has been around forever and clearly isn't AI slop. However, Threat Actors are using AI to generate fancy schmancy ReadMe files. Very cool. Thank you, Mr. Smart GPU-thingy.
The following GitHub I'll be linking is giving FREE malware. Visiting the page won't give you the free malware. At the top of the ReadMe is a "Download" section with a hyperlink to "pcie_dante_snd_v1.4".
If you care what this payload does:
Inside this .zip file is "Application.cmd", "dir-dot-cc", "lua51.dll", and "loader.exe".
Application.cmd is a command line file, it launches loader.exe. Loader.exe is responsible for loading the "dir" file. Loader.exe is dependent on lua51.dll because the "dir" file is a GIANT obfuscated Lua file.
I hate Lua and I hate dealing with obfuscated Lua, I refuse to be a victim of Lua, so instead of trying to bonk it with a stick I emulated it. Unsurprisingly, the malicious Lua file tries to harvest credentials from Chrome and exfiltrate them to a remote host.
Free malware: github-dot-com/mbyington67-prog/snd-dante-pcie/tree/master
tl;dr ai slopping and forking github, delivers malware that uses obfuscated lua, i like cats a lot
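An added example (mine, not the campaign's code and not vx-underground's) that does the boring first pass on a download like this one: open the zip, hash every member, measure entropy, and flag the batch-launcher plus bundled lua51.dll plus extensionless high-entropy blob combination the post describes. The archive it opens is constructed in memory with fake contents under the member names from the post; the entropy cutoff and the list of Lua runtime DLL names are assumptions.

```python
"""Triage an archive for the launcher + Lua-loader bundle layout the post describes.

Added example: not the campaign's code and not vx-underground's. It builds a
constructed zip in memory with the member names from the post
(Application.cmd, dir, lua51.dll, loader.exe) and fake contents, so it runs
offline. The entropy cutoff and the Lua DLL name list are assumptions.
"""
import hashlib
import io
import math
import re
import zipfile
from collections import Counter

LUA_RUNTIME_DLLS = {"lua51.dll", "lua5.1.dll", "lua54.dll", "luajit.dll"}  # assumption
HIGH_ENTROPY = 7.0  # bits per byte; assumption, obfuscated/packed blobs sit near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniformly random, 0.0 is a single repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_zip(blob: bytes) -> dict:
    """Return per-member facts, human-readable findings and a verdict."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            is_pe = data[:2] == b"MZ"
            members[info.filename] = {
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "entropy": round(shannon_entropy(data), 2),
                "is_pe": is_pe,
                # only scripts/text get decoded; binaries stay opaque
                "text": "" if is_pe else data.decode("utf-8", "ignore"),
            }

    findings = []
    names_lower = {n.lower(): n for n in members}

    # 1. a batch launcher, and which executables it starts
    launchers = [n for n in names_lower if n.endswith((".cmd", ".bat"))]
    for n in launchers:
        text = members[names_lower[n]]["text"]
        exes = sorted({e.lower() for e in re.findall(r"\b[\w-]+\.exe\b", text, re.I)})
        if exes:
            findings.append(f"{names_lower[n]} launches {exes}")

    # 2. a bundled Lua runtime (the reason loader.exe needs lua51.dll)
    lua = sorted(names_lower.keys() & LUA_RUNTIME_DLLS)
    if lua:
        findings.append(f"bundled Lua runtime: {', '.join(lua)}")

    # 3. an extensionless, non-PE, high-entropy blob (the obfuscated 'dir' script)
    for name, m in members.items():
        base = name.rsplit("/", 1)[-1]
        if "." not in base and not m["is_pe"] and m["entropy"] >= HIGH_ENTROPY:
            findings.append(f"extensionless high-entropy blob {name} ({m['size']} bytes, H={m['entropy']})")

    has_pe = any(m["is_pe"] for m in members.values())
    verdict = "loader-bundle" if launchers and lua and has_pe else "unremarkable"
    return {"members": members, "findings": findings, "verdict": verdict}


def build_sample_zip() -> bytes:
    """Constructed stand-in for the downloaded archive; every byte is fake."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 256
    # deterministic pseudo-random bytes standing in for the obfuscated Lua
    fake_lua = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Application.cmd", '@echo off\r\ncd /d "%~dp0"\r\nstart "" loader.exe dir\r\nexit\r\n')
        zf.writestr("loader.exe", fake_pe)
        zf.writestr("lua51.dll", fake_pe)
        zf.writestr("dir", fake_lua)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    for name, m in report["members"].items():
        print(f"{name:16} {m['size']:6d} B  H={m['entropy']:.2f}  pe={m['is_pe']}  {m['sha256'][:16]}...")
    for f in report["findings"]:
        print("-", f)
    print("verdict:", report["verdict"])
```

Against the constructed archive it reports Application.cmd launching loader.exe, the bundled Lua runtime, and dir as a high-entropy blob, with the verdict loader-bundle. Point `triage_zip` at the bytes of a real download inside a VM to get the same report, and compare the member hashes with the sandbox report before spending any time on the Lua itself.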
Silly emulation gunk: https://tria.ge/260531-gepdbsas8t/behavioral2
Triage report for sample 2286fff6da651cce8ecf176d1d50c4ac101ca6c780cdccd536112184e3cf4959 (score 7 out of 10).
As I'm sure you've all seen by now, nerds have been exploiting Meta's AI agent goop to steal Instagram accounts.
The Instagram AI agent for support could be convinced to reset the credentials to other users accounts by asking nicely and do a super gnarly kickflip on a skateboard, or something, I don't know.
Everyone on social media was freaking out. The trending posts on Xitter were people being all like ERRMERGERD ME INSTAGRAM ACCNT WAS STOLEN. It also resulted in some celebrities having their accounts stolen. One stolen account showed some rapper named Lil Tracy (?) messaging 14 year olds, or something, despite being 18 at the time.
All the big cybersecurity nerds were discussing it, yelling about AI, taking the opportunity to meme Zuckerberg (as is tradition).
The AI exploit thingy has apparently existed for a while, a few months apparently, but that is kind of just gossip. I haven't seen any solid proof of that. Meta supposedly fixed the issue, but some people are saying you can still ask nicely and do a super gnarly heelflip and the Instagram goop gives you account resets.
Cool stuff bro, it's AI, it's lit
pic unrelated