vx-underground
Two members of the infamous Scattered Spider group (a sub-group of ALPHV ransomware group) have pleaded guilty to the attack on TfL (Transport for London). Thalha Jubair, 20 (image 1) and Owen Flowers, 18 (image 2). Flowers was initially released from custody…
More information: https://www.nationalcrimeagency.gov.uk/news/cyber-criminals-who-hacked-into-transport-for-londons-computer-network-are-convicted
Hello
1. If you're reading this, that means you live inside my computer. Please leave my computer. You are stinking the place up.
2. I am syncing 150,000+ malwares to the internet. Please download the malware.
3. I now possess 14TB (7z ultra compressed) of malware
A person operating under the moniker "mizanthropiaz" compromised the Brazilian government's Emergency Alert System in Sao Paulo, Rio, and Brasilia. The Threat Actor sent a notification to hundreds of thousands of people which read "misanthropi4".
More details have emerged regarding the compromise, and truthfully, it is terrifying. The Brazilian government is extremely secure and it is quite remarkable any living person could have gotten past their enhanced security measures.
"mizanthropiaz" found a username and password login to the Brazilian government's Emergency Alert System. The username and password were present because an employee working there accidentally infected themselves with malware in 2016.
The employee there did not change the password in over 10 years.
But, after the employee accidentally infected their computer with malware, did they change their password? No.
But, did the Brazilian government do IP address blacklisting which would prevent unauthorized devices from accessing the Emergency Alert System? No.
But, did the Brazilian government require a VPN connection to authenticate to the Emergency Alert System because it's a government network? No.
But, did the Brazilian government require MFA (e-mail, text, or Authenticator Code)? No.
But, did the Brazilian government send notifications on new devices connecting? No.
But, did the Brazilian government issue alerts on password changes or password change requests? No.
But, did the Brazilian government require e-mail verification prior to changing or resetting passwords? No.
But, did the Brazilian government have rate-limiting to prevent brute-force attacks? No.
But, did the Brazilian government introduce a CAPTCHA to prevent brute-force attacks? Yes, but it was 2+2 and it never changed. It always asked "2+2="
But, did the Brazilian government require password complexity to make brute-forcing difficult? No, the password to the Brazilian government employee was the same as their username.
> be spaceX employee
> be rustled
> say spaceX sucks
> go on dread
> advertise being an insider threat
> verified by dread as being legit spaceX employee
> offer access to ransomware groups
> everyone see it
> everyone on telegram talking about it
Hello, I have a lot to say. However, I have come to discover many of you dislike long posts. To make this easier for some of you I will speak like a caveman to convey this information.
1. lots malware on internet. me collect malware. me put malware on website. download malware. malware good. you like malware.
2. me add papers. read papers. ooga booga. read good for brain.
3. people ask for all papers in 7z. this many papers. me no think people want lots of papers. me do later. this many papers
Click linky for list of malware and papers. Me no want to list all here
https://vx-underground.org/Updates
> "hey smelly, is this malware?"
> sends url
> look inside (image 1)
> base64 encoded string installer
> obviously malware
> decode
> look inside
> obviously malware (image 2)
> decode the gunky stuff
> verse-57(.)com
> curl request to gunky url (image 3)
> gives 3.143mb file
> look inside
> CA FE BA BE
> ???
> CA FE BA BE
> ???
> java file?
> hash file
> 5a897367792b56d8c8b3fe624937ea97
> never seen before on vt
> closest match to static signature is amos stealer
> legit macOS malware
> i dont do macOS malware
> i dont know how to use a mac (image 4)
Telegram nerds, you've missed the whole drama on X, so I'll just paste the final message. In summary, I'm crashing out because this nerd got sent a payload on Discord, but it was legit malware but vibe coded and it irritated me
vx-underground
Telegram nerds, you've missed the whole drama on X, so I'll just paste the final message. In summary, I'm crashing out because this nerd got sent a payload on Discord, but it was legit malware but vibe coded and it irritated me
I am absolutely flabbergasted
Okay, so this nerd DMs me saying he thinks he got sent malware. He said I should check it out. I said "I'm in my undies, I'll do it later when I'm on my PC" (Image 1)
This malware has so many twists and turns bro, this shit is all vibe coded too. I don't know what AI agent wrote it, but I know it's vibe coded because THE NOTES FROM THE AI AGENT ARE PRESENT.
I think the Threat Actor who wrote this didn't understand how reverse engineering works, so they didn't know the AI agent notes would be present.
This malware wasn't super sophisticated, it didn't contain any extreme logic or anything, but it was a convoluted fucking MESS and it was a colossal pain in the ass.
A normal malware developer could have written this too, but it's got so many stages this would be more akin to a well-established Threat Actor. This was written by someone who doesn't understand how reverse engineering works and someone who is willing to target GAMERS OVER DISCORD with malware that is actually pretty decent.
In fairness, it could be MaaS, but this doesn't line up with anything I've seen from my peers (yet). It's possible I've missed it. But, this is a bitch of a payload and I unironically enjoyed it.
Here is the silly meme summary
> get sent rivals_toolkit.exe
> electron app goop
> masquerades as legit toolkit
> electron app contains resource called "Discord.exe"
> Discord.exe is a malware loader
> Discord creates a Java VM
> Loads obfuscated Java payload
> I can't find where the JVM payload is
> JVM payload hidden in different file from Electron app
> Annoying.jpg
> Electron App also has spoopy secondary functionality
> Displays legit HTML stuff
> Secondary thread executes, executes Ira.JS stager
> f91a7efa0d476811455271e023dfb3be
> Decodes and executes initial stager, Ira.jsc
> c286ad4c51128266e10ad0a49da9cb3f
> Decodes and drops secondary payload stage
> 816bfabbb3408ad2114ba351690410c3
> Decodes and drops third payload stage
> 7364f758b4b8623c0beb020a74ff09b5
> Decodes and drops fourth payload stage
> 7b9627f07f7fb604f5edfb23c706b22a
> Final payload syncs and does IPC with Java payload
> Contains AI notes (Image 2)
Holy Christ, all of this for fucking gamers on Discord? Multi-staged masquerading payload with cross-language IPC? What the fuck?
WHO WROTE THIS GHOST LAUNCHER THINGIE
I know you're somewhere on this Telegram, or the COM, or something. There is no way you're not hanging around here somewhere. I demand to know what AI agent was used and why you decided to target gamers
Someone sent me a file and it's confusing my little brain. It was a .exe and I disassembled it back to approx. source.
This code programmatically makes Epic games accounts and uses it to get Discord nitro somehow? I don't understand.
https://gist.github.com/vxunderground/4616b6249dc47a87647b746882652687
vx-underground
Someone sent me a file and it's confusing my little brain. It was a .exe and I disassembled it back to approx. source. This code programmatically makes Epic games accounts and uses it to get Discord nitro somehow? I don't understand. https://gist.github…
Oh, Discord and Epic games ran some promotion where Epic games gave you Discord Nitro if you were new to Epic Games. This code automated the process. Spammers used it to harvest Discord Nitro codes and then sell them online.
vx-underground
Someone sent me a file and it's confusing my little brain. It was a .exe and I disassembled it back to approx. source. This code programmatically makes Epic games accounts and uses it to get Discord nitro somehow? I don't understand. https://gist.github…
my bad bro :(
I love when I meet nerds who are deep in the trenches in esoteric concepts in esoteric things
I met a guy who has dedicated the past couple years of his life to Batch file obfuscation and deobfuscation
He has completely lost his mind. I like it. I respect it.
Literally shaking, screaming, crying, throwing up right now. I thought I found a silly malware loader, but the person who wrote this bamboozled themselves.
Their obfuscation toolkit failed somewhere, and Windows WScript can't parse the VBS correctly, resulting in it imploding into itself.
It could have given me more free malware, instead this goof ball didn't test his malware (testing is for nerds, I can't blame them).
I think they may have copied the obfuscation definition thingies at the top too many times, but I don't feel like unironically debugging their obfuscated malicious VBS code to make it work, that is ridiculous.
Anyway, look at this piece of shit:
https://gist.github.com/vxunderground/dc225d9180d8da7285e911372f99c527