Novo Nordisk has been compromised. Novo Nordisk has confirmed the compromise.
Novo Nordisk is the company that became famous after producing weight loss drugs like Ozempic and Wegovy.
The Threat Actor(s) responsible for the attack have been playfully extorting Novo Nordisk (they're not being playful) and have unveiled some details regarding what was stolen.
Interestingly, it appears Novo Nordisk has its own internal AI thing because some of the data stolen was stuff from their internal AI agents.
Data stolen (according to the Threat Actor):
- Trained model checkpoint (16GB)
- Proprietary training dataset (407MB)
- Full source code (modeling_novopert.py, training pipeline)
- 113 training runs with complete logs
- Internal infrastructure maps (HPC, Slurm, SSH)
- Container images (53GB+)
- Developer identities and internal hostnames
- Private GitHub repository URL
It is worth noting this compromise contains many elements which appear assisted by AI. I am making an educated guess and am going to state I believe these Threat Actors may have used AI to assist in this compromise (to an unknown extent).
omggg i made a joke about only 25 people using arch and all the fucking arch nerds appeared like UHMM ERRM SCHMELLY, ID LIKE TO INTERJECT FOR A MOMENT ,,, ASHCTULALY ARCH IS P POPULAR AND ITS USED FOR STEAM AND
holy cannoli bro, shut uppppp. its a joke. fucking hell
ERHMMM SCHMEEELY ITS USED BY ABOOT 10 PERCENT OF THE LIN...
i dont care bro, its a joke, save your factoids for someone else.
This is absolutely disgusting content.
My Mother, an angel whom'st've never used a GNU or a Linux, was a devout Windows user. She was not a Linux.
Also, I am not a larp. I own several Gay Fox masks and have visited 4channel. I used Kali Linux twice (when my Mom wasn't looking), and have only given my ID verification to Instagram and Facebook.
Oh, and by the way, I encrypt my banking information using Coinbase Bitcoin.
I'm off the grid.
Tired of noobs complaining the WINAPI for malware development is weird. It's not.
How do you create a file?
The CreateFile function.
How do you open a file for reading?
The CreateFile function.
How do you open a file for writing?
The CreateFile function.
How do you get a handle to a directory?
The CreateFile function.
How do you delete a file?
The CreateFile function.
How do you get access to a physical disk?
The CreateFile function.
How do you get access to a file stream?
The CreateFile function.
How do you get access to the console buffer?
The CreateFile function.
How do you get access to pipes?
The CreateFile function.
How do you perform interprocess communication?
The CreateFile function.
Just make sure you use the appropriate version of CreateFile (CreateFileA for ANSI, or CreateFileW for wide characters).
Alternatively, you can use CreateFile2 which is the same as CreateFile except the parameters are passed as a data structure named CREATEFILE2_EXTENDED_PARAMETERS. However, be aware CreateFile2 only works on Windows 8 and above and is designed more or less for programs running from the Windows app store.
Alternatively, alternatively, you could use CreateFile3 which is nearly identical to CreateFile2 except it uses the CREATEFILE3_EXTENDED_PARAMETERS structure and is more or less designed for sandboxed packaged applications. However, be aware CreateFile3 only works on Windows 11 24H2 and above.
It's shrimple, honestly.
Oh, I forgot, to create a directory you cannot use CreateFile. CreateFile is only used for getting access to a directory object. If you want to create a directory you need to use CreateDirectory or CreateDirectoryEx.
There is also OpenFile, which kind of acts similar to CreateFile, and you can also call DeleteFile instead of CreateFile with the FILE_FLAG_DELETE_ON_CLOSE flag.
BobDaHacker compromised FIFA and was able to hijack their livestream cameras.
They considered replacing the FIFA cameras with the 1987 hit classic "Never Gonna Give You Up" by Rick Astley. Instead, they reported it and FIFA immediately fixed the issue.
https://bobdahacker.com/blog/fifa-hack
Bobdahacker
I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.
How I found that anyone could register on FIFA's public Agent Platform, gain access to the Football Data Platform's Streaming Management panel, and get RTMP ingest URLs and stream keys for every live FIFA World Cup 2026 camera feed. I then spent hours calling…
Chrome version 150 and 151, scheduled for deployment in the next 4 weeks or so, will remove the last references to ManifestV2.
Google Chrome developers wrote it is being removed because it is old tech-debt and is littered with vulnerabilities. The real answer is much more nuanced and would result in a discussion on "privacy", speed, software optimization, and code management.
Removing ManifestV2 for the newer ManifestV3 makes it architecturally more difficult for ad-blockers to be effective.
This has resulted in ad-blockers stopping support for Chromium.
Of course, with the final removal of ManifestV2, a majority of Chromium browsers (meaning, a vast majority of web browsers) will drop support for ad-blockers likely including Edge and Opera.
If you want an actual explanation of ManifestV2 vs. ManifestV3:
https://9to5google.com/2026/06/15/google-chromes-next-update-will-mark-the-end-of-popular-ad-blockers/
9to5Google
Google Chrome's next update will mark the end of popular ad blockers
Google Chrome's move to Manifest V3 for extensions is closing its final loophole and, with it, bringing the end of...
> be pakistan government
> develop custom malware
> used to target high profile targets
> used against indian military and political ppl
> named SHEETCREEP
> send indian ppl file
> UAE-India Strategic Partnership Week
> malicious .lnk file
> .lnk executes malicious c sharp code
> does a bunch of stuff for persistence
> exfiltrates data to Google Sheets
> Google Sheets can be used to control victim pcs
> pakistan gov hardcodes google c2 sheet
> PAKISTAN GOV HARDCODES GOOGLE C2 SHEET
> embed access key in payload
> EMBED ACCESS KEY IN PAYLOAD
> malware nerds find it
> look inside
> find all targets from pakistan gov
> monitoring 91 ppl they think important
THEY STARTED SO STRONG. WHY DID YOU HARDCODE EVERYTHING. YOU BURNED YOUR OPERATION
https://www.securonix.com/blog/sheetcreep-evolved-google-sheets-rat/
Securonix
SHEET#CREEP Espionage Return
Securonix Threat Research: Securonix analyzes SHEET#CREEP, a stealthy RAT that uses Google Sheets as a command-and-control channel, enabling persistent access, espionage, and cloud-based evasion.
I had to delete and repost.
I misread the attribution part. I wrote India targeting Pakistan, it was Pakistan targeting India. I'm not gonna lie, I got too emotional reading the write-up. Hardcoding the key was such a poor decision.
Thank you stinky nerds who corrected me.
MiscreantsHQ will be selling vx-underground merch at DEFCON this year. It will be limited edition, cool, and badass.
However, there have been some design changes. The previous illustration shown did not have a cat on it. When I shared the t-shirt design people unironically began asking why there isn't a fucking cat on the shirt.
Those poor bastards at MiscreantsHQ had to go back and add a kitty cat to it.
Happy now?
Tired of malware development noobs complaining about the WINAPI and process creation stuff.
It's shrimple.
You simply use CreateProcess or ShellExecute. If you want to be extra specific, you can use ShellExecuteEx or CreateProcessAsUser. If you want to be a little more specific you can use CreateProcessWithLogonW. If you want to be specific, but in a slightly different way, you can use CreateProcessWithTokenW.
Technically, you can also use the outdated (but still present) function from Internet Explorer called "OpenURL". OpenURL will treat a file path as a URL and create the process. It's inside IEFRAME.DLL. Very cool.
Also, you can use some weird library on Windows called MSHTML and use RunHTMLApplication. RunHTMLApplication can be used to execute VBS or JavaScript which then runs an executable.
Alternatively, you can use LaunchApplicationW from the PCWUTL library. This will also create a process.
Interestingly, there is a weird goof in Windows. Remember OpenURL from Internet Explorer? Well, it's also present in a library called shdocvw.dll. You can use OpenURL from there too.
If you don't want to use ShellExecute, or ShellExecuteEx, which comes from the SHELL32 library, you can use ShellExec_RunDLLW from SHELL32. It basically does the same thing.
I suppose if you don't like any of these you can use URL.DLL functionality, specifically FileProtocolHandlerA function. This will treat a file path like a URL and execute a file for you.
If you're not happy with FileProtocolHandlerA, URL.DLL also has OpenURL (the same function from IEFRAME.DLL! Internet Explorer stuff!) so you can use OpenURL from URL.DLL too.
If none of these are sufficient, you can also use some weird function called RouteTheCall from the ZIPFLDR library. I'm not sure what's up with this function, it is Windows ZIP stuff. Regardless, RouteTheCall has three parameters. The first two are NULL and the third parameter accepts a file path to a file you want to execute.
Of course, if you're doing low-level development, or want to be more evasive, you can always do the NTDLL stuff and use NtCreateUserProcess, or ZwCreateUserProcess.
Oh, I almost forgot, you can also use RunAsNewUser_RunDLLW from SHELL32. Luckily this library exposes several different ways to create a process (although they're not documented well, no idea why).
My memory is fuzzy, I almost forgot this one, but Windows also exposes a way to create a process from the little "Help" icon thingy on GUIs. You can initialize IHxHelpPaneServer or IHxInteractiveUser from the Windows Component Object Model then invoke the "Execute" method. This method is supposed to be for URLs, but Windows will treat a URL like a file still.
Before I forget, you can also use the Windows Management Instrumentation (WMI) stuff for process creation. If you use the Windows Component Object Model and initialize IWbemLocator you can initialize Win32_ProcessStartup and use that to create a process too.
I guess I should note, if you don't want to use SHELL32 directly, you can also use the Component Object Model and initialize CLSID_ShellWindows, get the Desktop ShellView, find its COM automation objects, and using the Shell.Application interface you invoke ShellExecuteW.
Anyway, it's shrimple, just use one of these to create a process:
- CreateProcess
- ShellExecute
- ShellExecuteEx
- CreateProcessAsUser
- CreateProcessWithLogonW
- CreateProcessWithTokenW
- OpenURL (ieframe.dll)
- RunHTMLApplication
- OpenURL (shdocvw.dll)
- ShellExec_RunDLLW
- FileProtocolHandlerA
- OpenURL (URL.dll)
- RouteTheCall
- NtCreateUserProcess
- RunAsNewUser_RunDLLW
- IHxHelpPaneServer
- IHxInteractiveUser
- Win32_ProcessStartup
- CLSID_ShellWindows (Shell Automation)
I'll skip on the touch pad injection, INF section abuse, in-memory execution, or shellcode injection. That's a different topic.
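A defender-side view of the list above, as an added example that is not part of the original post: a static triage pass that reports which of the less common DLL/export pairs the post names are referenced as strings in a file. The table layout, function names and sample bytes are constructed for illustration, and the `.dll` file names given for the MSHTML, PCWUTL, ZIPFLDR and NTDLL libraries are assumed.

```python
from __future__ import annotations

import re

MIN_LEN = 5  # shortest string worth extracting

# DLL -> exports, limited to the indirect process-creation routes the post lists.
# CreateProcess/ShellExecute are left out: nearly every program references them.
PROXY_EXPORTS = {
    "ieframe.dll": ["OpenURL"],
    "shdocvw.dll": ["OpenURL"],
    "url.dll": ["OpenURL", "FileProtocolHandlerA"],
    "shell32.dll": ["ShellExec_RunDLLW", "RunAsNewUser_RunDLLW"],
    "mshtml.dll": ["RunHTMLApplication"],
    "pcwutl.dll": ["LaunchApplicationW"],
    "zipfldr.dll": ["RouteTheCall"],
    "ntdll.dll": ["NtCreateUserProcess"],
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> set[str]:
    """Collect printable ASCII and UTF-16LE strings, like the `strings` tool."""
    found = {m.group().decode("ascii") for m in ASCII_RE.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)}
    return found


def _mentions(strings: set[str], token: str, ignore_case: bool) -> bool:
    """True if token appears as a whole identifier inside any string."""
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(
        r"(?<![A-Za-z0-9_])" + re.escape(token) + r"(?![A-Za-z0-9_])", flags
    )
    return any(pattern.search(s) for s in strings)


def find_proxy_exports(data: bytes) -> list[tuple[str, str]]:
    """Return (dll, export) pairs where both names occur in the file.

    Requiring the DLL name next to the export keeps a generic name such as
    OpenURL from firing on its own. Names that are hashed or built at run
    time will not be seen; this is triage, not proof of absence.
    """
    strings = extract_strings(data)
    hits = []
    for dll, exports in PROXY_EXPORTS.items():
        if not _mentions(strings, dll, ignore_case=True):  # file names: any case
            continue
        for export in exports:
            if _mentions(strings, export, ignore_case=False):  # exports: exact case
                hits.append((dll, export))
    return sorted(hits)


# Constructed sample bytes (not a real binary): a wide-character DLL name as
# passed to LoadLibraryW, ANSI export names as passed to GetProcAddress, and
# a look-alike symbol that must not be reported as OpenURL.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "URL.DLL".encode("utf-16-le") + b"\x00\x00"
    + b"FileProtocolHandlerA\x00"
    + b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryW\x00"
    + b"zipfldr.dll\x00RouteTheCall\x00"
    + b"OpenURLMonikerStub\x00"
)

if __name__ == "__main__":
    for dll, export in find_proxy_exports(SAMPLE):
        print(f"references {export} in {dll}")
```
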
Whoops, sorry it's JScript, not JavaScript (Microsoft's implementation of JavaScript which was designed for Internet Explorer)
vx-underground
> malware campaign
> malicious chrome extension
> fakes web traffic to websites
> fakes adsense stuff
> fakes website references
> v v silly
> 105,000 installs
> ...
> A HUNDRED AND FIVE THOUSAND INSTALLS
> look inside
> anime wallpapers for chrome
chat, we gotta get into the malicious web browser extension games. the nerds crave anime
https://socket.dev/blog/152-chrome-live-wallpaper-extensions-hid-ad-tracking
Socket
152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Fak...
A network of 152 Chrome live wallpaper extensions hid ad tracking and made extension-driven traffic look like Google search clicks.
I haven't checked the Chinese Threat Intelligence places in a while. I said, "Hmph, I wonder what's going on over in Mandarin city" (I don't know any cities in China, so I make up names).
I checked out Rising (瑞星), they do technical write-ups about malware hitting China, and stuff, because they're ... headquartered in China. They're a Chinese company.
Anyway:
> be me
> open rising blog
> all mandarin
> damn i wish i could read
> translate page
> supply chain attack
> wtf.jpeg?
> AutoGLM hit
> wtf.mp4?
> Chinese AI agent thingie
> made by Z ai
> (idk wtf that is)
> GitHub for AutoGLM compromised
> download link replaced with malware payload
I said, "What the fuck? You guys have premium AI slop too? You guys have nerds attacking your supply chains too?"
Wow, we have so much in common