> be pakistan government
> develop custom malware
> used to target high profile targets
> used against indian military and political ppl
> named SHEETCREEP
> send indian ppl file
> UAE-India Strategic Partnership Week
> malicious .lnk file
> .lnk executes malicious c sharp code
> does a bunch of stuff for persistence
> exfiltrates data to Google Sheets
> Google Sheets can be used to control victim pcs
> pakistan gov hardcodes google c2 sheet
> PAKISTAN GOV HARDCODES GOOGLE C2 SHEET
> embed access key in payload
> EMBED ACCESS KEY IN PAYLOAD
> malware nerds find it
> look inside
> find all targets from pakistan gov
> monitoring 91 ppl they think important

THEY STARTED SO STRONG. WHY DID YOU HARDCODE EVERYTHING. YOU BURNED YOUR OPERATION

https://www.securonix.com/blog/sheetcreep-evolved-google-sheets-rat/

I had to delete and repost.

I misread the attribution part. I wrote Indian targeting Pakistan, it was Pakistan targeting India. I'm not gonna lie, I got too emotional reading the write-up. Hardcoding the key was such a poor decision.

Thank you stinky nerds who corrected me.

MiscreantsHQ will be selling vx-underground merch at DEFCON this year. It will be limited edition, cool, and badass.

However, there has been some design changes. The previous illustration showed did not have a cat on it. When I shared the t-shirt design people unironically began asking why there isn't a fucking cat on the shirt.

Those poor bastards at MiscreantsHQ had to go back and add a kitty cat to it.

Happy now?

Tired of malware development noobs complaining about the WINAPI and process creation stuff.

It's shrimple.

You simply use CreateProcess or ShellExecute. If you want to be extra specific, can you use ShellExecuteEx or CreateProcessAsUser. If you want to be a little more specific you can use CreateProcessWithLogonW. If you want to be specific, but in a slightly different way, you can use CreateProcessWithTokenW

Technically, you can use also the outdated (but still present) function from internet explorer called "OpenURL". OpenURL will treat a file path as a URL and create the process. It's inside IEFRAME.DLL. Very cool.

Also, you can use some weird library on Windows called MSHTML and use RunHTMLApplication. RunHTMLApplication can be used to execute VBS or JavaScript which then runs an executable.

Alternatively, you can use LaunchApplicationW from the PCWUTL library. This will also create a process.

Interestingly, there is a weird goof in Windows. Remember OpenURL from internet explorer? Well, it's also present in a library called shdocvw.dll. You can use OpenURL from there too.

If you don't want to use ShellExecute, or ShellExecuteEx, which comes from the SHELL32 library, you can use ShellExec_RunDLLW from SHELL32. It basically does the same thing.

I suppose if you don't like any of these you can use URL.DLL functionality, specifically FileProtocolHandlerA function. This will treat a file path like a URL and execute a file for you.

If you're not happy with FileProtocolHandlerA, URL.DLL also has OpenURL (the same function from IEFRAME.DLL! Internet explorer stuff!) so you can use OpenURL from URL.DLL too.

If none of these are sufficient, you can also use some weird function called RouteTheCall from the ZIPFLDR library. I'm not sure what's up with this function, it is Windows ZIP stuff. Regardless, RouteTheCall has three parameters. The first two are NULL and the third parameter accepts a file path to a file you want to execute.

Of course, if you're doing low-level development, or want to be more evasive, you can always do the NTDLL stuff and use NtCreateUserProcess, or ZwCreateUserProcess.

Oh, I almost forgot, you can also use RunAsNewUser_RunDLLW from SHELL32. Luckily this library exposes several different ways to create a process (although they're not documented well, no idea why).

My memory is fuzzy, I almost forgot this one, but Windows also exposes a way to create a process from the little "Help" icon thingy on GUIs. You can initialize IHxHelpPaneServer or IHxInteractiveUser from the Windows Component Object Model then invoke the "Execute" method. This method is supposed to be for URLs, but Windows will treat a URL like a file still.

Before I forget, you can also use the Windows Management Instrumentation (WMI) stuff for process creation. If you use the Windows Component Object Model and initialize IWbemLocator you can initialize Win32_ProcessStartup and use that to create a process too.

I guess I should note, if you don't want to use SHELL32 directly, you can use also the Component Object Model and initialize CLSID_ShellWindows, get the Desktop ShellView, find it's COM automation objects, and using the Shell.Application interface you invoke ShellExecuteW

Anyway, it's shrimple, just use one of these to create a process:
- CreateProcess
- ShellExecute
- ShellExecuteEx
- CreateProcessAsUser
- CreateProcessWithLogonW
- CreateProcessWithTokenW
- OpenURL (ieframe.dll)
- RunHTMLApplication
- OpenURL (shdocvw.dll)
- ShellExec_RunDLLW
- FileProtocolHandlerA
- OpenURL (URL.dll)
- RouteTheCall
- NtCreateUserProcess
- RunAsNewUser_RunDLLW
- IHxHelpPaneServer
- IHxInteractiveUser
- Win32_ProcessStartup
- CLSID_ShellWindows (Shell Automation)

I'll skip on the touch pad injection, INF section abuse, in-memory execution, or shellcode injection. That's a different topic.

Whoops, sorry it's JScript, not JavaScript (Microsoft's implementation of JavaScript which was designed for Internet Explorer)

> malware campaign
> malicious chrome extension
> fakes web traffic to websites
> fakes adsense stuff
> fakes website references
> v v silly
> 105,000 installs
> ...
> A HUNDRED AND FIVE THOUSAND INSTALLS
> look inside
> anime wallpapers for chrome

chat, we gotta get into the malicious web browser extension games. the nerds crave anime

https://socket.dev/blog/152-chrome-live-wallpaper-extensions-hid-ad-tracking

"smelly, vxug is legal in the usa, is it legal in my country?"

I haven't checked the Chinese Threat Intelligence places in awhile. I said, "Hmph, I wonder what's going on over in Mandarin city" (I don't know any cities in China, so I make up names).

I checked out Rising (瑞星), they do technical write-ups about malware hitting China, and stuff, because they're ... headquartered in China. They're a Chinese company.

Anyway:
> be me
> open rising blog
> all mandarin
> damn i wish i could read
> translate page
> supply chain attack
> wtf.jpeg?
> AutoGLM hit
> wtf.mp4?
> Chinese AI agent thingie
> made by Z ai
> (idk wtf that is)
> GitHub for AutoGLM compromised
> download link replaced with malware payload

I said, "What the fuck? You guys have premium AI slop too? You guys have nerds attacking your supply chains too?"

Wow, we have so much in common

More information:

(the link is cooked, it's in Mandarin so it's really, really, really long)

https://rayblog.rising.com.cn/2026/06/%E4%BE%9B%E5%BA%94%E9%93%BE%E6%94%BB%E5%87%BB%E7%9B%AF%E4%B8%8Aai%E5%85%AC%E5%8F%B8%ef%bc%9a%E6%99%BA%E8%B0%B1ai%E8%BE%93%E5%85%A5%E6%B3%95%E5%AE%98%E7%BD%91%E4%B8%8B%E8%BD%BD%E9%93%BE%E6%8E%A5/

> steam malware stuff
> all the click bait places screaming
> malware from wallpaper engine
> don't cite original article
> from Kaspersky

Dawg, these Threat Actors targeted true degenerates. Look at this malware payload. This is seriously one of the malicious wallpapers

Telegram nerds missed it, but some dumb fucks on X were discussing malware on Steam wallpaper engine, but no one cited the fucking source, provided images, or malware sample goopies. I looked into it, and it's legit, it's from Kaspersky. I called them mean words (I wasn't mad, I'm just passionate and at the time I was hungry).

https://securelist.com/dozens-of-malicious-wallpapers-found-on-steam-workshop/120186/

> be gamers
> "I DONT TRUST KERNEL MODE ANTI CHEATS!11"
> "ILL NEVER TRUST A VIDEO GAME COMPANY"
> runs anime_waifu_wallpaper.exe as admin

I'm being CYBER BULLIED on the INTERNET

The United Kingdom is ran by a bunch of fucking morons. I mean that wholeheartedly. These stupid fucks think you can "ban" VPNs and think "banning" VPNs will "protect the children".

"Ban" VPNs and watch what happens next.

One of my favorite people in the world is petikvx.

He randomly showed up one day and was like, "Bonjour, j'ai beaucoup de logiciels malveillants."

I said, "I don't speak German, pal".

Then he started giving me a bunch of malware. He is the primary person who does our bulk malware stuff. Everyday he sends me malware. I receive it, sync it with the malware place, and go on about my business.

I checked my chat logs, I haven't spoken to the guy since February, 2026. Before that it was like, July, 2025, yet EVERY SINGLE DAY he is sending me malware.

I barely know the guy. He shows up, he says, "J'aime beaucoup les logiciels malveillants. S'il vous plaît, partagez ce logiciel malveillant avec d'autres personnes.", and that's it.

I don't know his name, I don't know where he works, I don't know how old he is, I literally know almost nothing about the guy.

He doesn't even speak English that well

I fucking love this guy. He is my best friend.

Was thinking about online age verification stuff today

It dawned on me that I've got underwear that is probably 18 years old

Yeah, I'm killing myself tonight

Someone DMd me something they received on Discord. They thought it could potentially be malware.

It was malware.

However, it was Electron JS AI slop malware. You can tell because it was easily disassembled and the AI notes were present.

I'm so god damn tired of malware slop

Interesting, it was undetected virtually everywhere. It was also undetected in a sandbox because it's a bloated piece of shit and has too many dependencies.

The only AVs that detected it from static analysis was Rise and MalwareBytes

Just cancelled my Codex Claude Slop subscription.

I'm running my own AI thingie at home. It'll be cheaper in the long run, it just required a few hardware purchases.