vx-underground
Telegram nerds, you've missed the whole drama on X, so I'll just paste the final message. In summary, I'm crashing out because this nerd got sent a payload on Discord; it was legit malware, but vibe coded, and it irritated me
I am absolutely flabbergasted
Okay, so this nerd DMs me saying he thinks he got sent malware. He said I should check it out. I said "I'm in my undies, I'll do it later when I'm on my PC" (Image 1)
This malware has so many twists and turns bro, this shit is all vibe coded too. I don't know what AI agent wrote it, but I know it's vibe coded because THE NOTES FROM THE AI AGENT ARE PRESENT.
I think the Threat Actor who wrote this didn't understand how reverse engineering works, so they didn't know the AI agent notes would be present.
This malware wasn't super sophisticated, it didn't contain any extreme logic or anything, but it was a convoluted fucking MESS and it was a colossal pain in the ass.
A normal malware developer could have written this too, but it's got so many stages this would be more akin to a well-established Threat Actor. This was written by someone who doesn't understand how reverse engineering works and someone who is willing to target GAMERS OVER DISCORD with malware that is actually pretty decent.
In fairness, it could be MaaS, but this doesn't line up with anything I've seen from my peers (yet). It's possible I've missed it. But, this is a bitch of a payload and I unironically enjoyed it.
Here is the silly meme summary
> get sent rivals_toolkit.exe
> electron app goop
> masquerades as legit toolkit
> electron app contains resource called "Discord.exe"
> Discord.exe is a malware loader
> Discord creates a Java VM
> Loads obfuscated Java payload
> I can't find where the JVM payload is
> JVM payload hidden in different file from Electron app
> Annoying.jpg
> Electron App also has spoopy secondary functionality
> Displays legit HTML stuff
> Secondary thread executes, executes Ira.JS stager
> f91a7efa0d476811455271e023dfb3be
> Decodes and executes initial stager, Ira.jsc
> c286ad4c51128266e10ad0a49da9cb3f
> Decodes and drops secondary payload stage
> 816bfabbb3408ad2114ba351690410c3
> Decodes and drops third payload stage
> 7364f758b4b8623c0beb020a74ff09b5
> Decodes and drops fourth payload stage
> 7b9627f07f7fb604f5edfb23c706b22a
> Final payload syncs and does IPC with Java payload
> Contains AI notes (Image 2)
Holy Christ, all of this for fucking gamers on Discord? Multi-staged masquerading payload with cross-language IPC? What the fuck?
WHO WROTE THIS GHOST LAUNCHER THINGIE
I know you're somewhere on this Telegram, or the COM, or something. There is no way you're not hanging around here somewhere. I demand to know what AI agent was used and why you decided to target gamers
Someone sent me a file and it's confusing my little brain. It was a .exe and I disassembled it back to approx. source.
This code programmatically makes Epic Games accounts and uses them to get Discord Nitro somehow? I don't understand.
https://gist.github.com/vxunderground/4616b6249dc47a87647b746882652687
Oh, Discord and Epic games ran some promotion where Epic games gave you Discord Nitro if you were new to Epic Games. This code automated the process. Spammers used it to harvest Discord Nitro codes and then sell them online.
my bad bro :(
I love when I meet nerds who are deep in the trenches of esoteric concepts in esoteric things
I met a guy who has dedicated the past couple years of his life to Batch file obfuscation and deobfuscation
He has completely lost his mind. I like it. I respect it.
Literally shaking, screaming, crying, throwing up right now. I thought I found a silly malware loader, but the person who wrote this bamboozled themselves.
Their obfuscation toolkit failed somewhere, and Windows WScript can't parse the VBS correctly, resulting in it imploding into itself.
It could have given me more free malware, instead this goof ball didn't test his malware (testing is for nerds, I can't blame them).
I think they may have copied the obfuscation definition thingies at the top too many times, but I don't feel like unironically debugging their obfuscated malicious VBS code to make it work, that is ridiculous.
Anyway, look at this piece of shit:
https://gist.github.com/vxunderground/dc225d9180d8da7285e911372f99c527
> "hey smelly check out nmssaveeditor(.)com"
> no mans save editor?
> AI generated website?
> "downloaded file is password protected"
> "password is goatfungus"
> lolwtf
> download file
> .zip protected with goatfungus
> extract with the power of goatfungus
> .msi installer file
> look inside
> random generated file names
> look inside silly names
> random ass goopie file (encrypted file)
> obfuscated .vbs file
> big ass fuck off .exe
> mystery java file
> big ass fuck off javascript file
> ???
> deobfuscate vbs file
> runs big ass fuck off .exe
> bonk .exe
> no idea wtf this thing is
> node.js, but weird, weird stuff, bonk with big stick
> not normal node.js .exe
> brain confused
> emulate
> emulate fails, .exe has anti-vm stuff
> wtf is this shit? all for no mans sky?
> get big stick and manually carve out weird .js
> super obfuscated goop
> WTF AM I LOOKING AT
> yara rule match
> GACHI LOADER AND KIDKADI LOADER
> double check
> perfect match
> original research from eversinc33 and JaromirHorejsi
> ihbnibYYhwenfw!!2345glerp schmmermies
> RHAD STEALER
> NEXE
This thing is a bitch. You're both heroes for bonking this with a stick and saving me a lot of time and energy.
pic unrelated
Chat, someone sent me a message. It has a very silly payload.
I cannot figure out this Lua code. I hate obfuscated Lua. Look at this fucking piece of shit (warning: is a piece of shit).
https://gist.github.com/vxunderground/91da9c50e400a6742bbacd1548a255d8
Holy shit, the homeless guy outside the gas station literally said the same thing to me last week
If she goes on to say in the next couple of posts Barack Obama was created in a CIA test tube and Donald Trump is being controlled from nanobots then this lady might be onto something, I don't know
> be United States government
> 1985
> have a bunch of people they want arrested
> idea.jpeg
> make fake company
> Flagship International Sports Television
> send invites to a bunch of people
> tickets to Washington Redskins FOR FREE!!!
> name it Operation Flagship
> mail tickets
> now_we_wait.mp4
> over 100 people show up for free tickets
> arrest them
> ez gg get rekt nerd
> pause
> fast forward
> 2026
> Drake doing concert tour thingy
> free tickets for women named "Janice"
> only in specific cities at specific times
> when Janice arrives must show government id
> Janice must be their legal first name
Probably not a United States government operation trying to identify and locate a fugitive or person they label an enemy of the United States. It is probably Drake just being silly and meme-y and wanting to ONLY INVITE women named Janice in New York, Los Angeles, Miami, Toronto, or Houston because of that oddly specific "Janice STFU" song he released earlier this year.
inb4 "nah its just because of that oddly specific song he released, its just a meme"
"HoW CaN yOu bE aN eXpErT iF yoU rAn maLwaRe oN YouR PC???"
It's very shrimple.
1. I'm comfortable admitting my mistakes publicly in front of hundreds of thousands of people. If I make a mistake, small or catastrophic, I will admit it. I feel comfortable with my skill set. I open myself to criticism from everyone. No, obviously it does not feel good being called "retarded", "jackass", "skid", "moron", etc by people, but it is what it is. If I do not open myself to criticism I will not improve. My success and failure also demonstrates what to do and what not to do. But seriously, sometimes I read some of these comments and I'm like, "dayum, theyre cookin me fr"
2. I am desensitized to malware. I am around it nonstop (writing, collecting, reversing) so I do things in a way I would not advise someone else to do. I feel comfortable doing really dangerous things with malware because I am familiar with how they work. Additionally, in the spirit of full-disclosure, sometimes I don't like dealing with VMs because I feel like they slow me down.
video: when i make a mistake in front of 500,000 people and get called a retard by a bunch of ppl
439,000 people on X and 50,000 on Telegram, almost 500,000, whatever. Close enough.
Chat, we are cooking.
Previously on Dragon Ball Z, someone DM'd me a spoopy GitHub they found. They asked if it was malware. It was malware.
The GitHub contained HEAVILY obfuscated Lua. The malware payload is using Prometheus Obfuscator.
Upon review, it was determined this malware is SmartLoader. SmartLoader is a malware campaign heavily associated with Rhadamanthys Stealer and StealC Stealer.
SmartLoader is relatively new and is being tracked by AhnLab, Trend Micro, Hexastrike, McAfee, and the GitHub security team. It first emerged around March 2024.
SmartLoader is pretty sophisticated. It is multi-staged, uses Polygon Smart Contracts for C2 information retrieval, and despite being Lua, it also makes use of NTDLL to make low-level WINAPI function invocations. One interesting attribute is that it programmatically inflates or deflates its file size for pseudo-polymorphism. This is extremely cool.
I mention this, and the whole cookin' thing, because after I made a post complaining about the obfuscated Lua, a very, very, very gifted person in Lua obfuscation and de-obfuscation contacted me and successfully deobfuscated it. I don't know if they want credit or not, because they're so cool and badass, but they're extremely famous in the Roblox hacking scene.
Anyway, the de-obfuscation is so precise it borders on having the actual source code to SmartLoader. I am very happy. I will share it when I am not dealing with my baby.
I've almost reverse engineered the SmartLoader obfuscated code all the way down to working source code
You can't hide behind Prometheus you little bitch
I'm sorry, SmartLoader malware campaign, I shouldn't have called you a little bitch. That is very rude of me.
I am just passionate and have spent some time working on it, so my emotions are high.
I love you.