vx-underground
50.4K subscribers
4.43K photos
479 videos
84 files
1.55K links
The largest collection of malware source, samples, and papers on the internet.

Password: infected

https://vx-underground.org/
Chat, we are cooking.

Previously on Dragon Ball Z, someone DM'd me a spoopy GitHub they found. They asked if it was malware. It was malware.

The GitHub contained HEAVILY obfuscated Lua. The malware payload is using Prometheus Obfuscator.

Upon review, it was determined this malware is SmartLoader. SmartLoader is a malware campaign heavily associated with Rhadamanthys Stealer and StealC Stealer.

SmartLoader is relatively new and is being tracked by AhnLabs, TrendMicro, Hexastrike, McAfee, and the GitHub security team. It first emerged around March, 2024.

SmartLoader is pretty sophisticated. It is multi-staged, uses Polygon Smart Contracts for C2 information retrieval, and despite being Lua, it also uses NTDLL to make low-level WINAPI function invocations. One interesting attribute is that it programmatically inflates or deflates its file size for pseudo-polymorphism. This is extremely cool.

I mention this, and the whole cookin' thing, because after I made a post complaining about the obfuscated Lua, a very, very, very gifted person in Lua obfuscation and de-obfuscation contacted me and successfully deobfuscated it. I don't know if they want credit or not, because they're so cool and badass, but they're extremely famous in the Roblox hacking scene.

Anyway, the de-obfuscation is so precise it borders on having the actual source code to SmartLoader. I am very happy. I will share it when I am not dealing with my baby.
I've almost reverse engineered the SmartLoader obfuscated code all the way down to a working source code

You can't hide behind Prometheus you little bitch
I'm sorry, SmartLoader malware campaign, I shouldn't have called you a little bitch. That is very rude of me.

I am just passionate and have spent some time working on it, so my emotions are high.

I love you.
My deepest condolences to my colleagues in Venezuela and those impacted by the recent earthquakes.

I wish I had more to offer other than words. I hope you're all doing well and I hope you're all safe.
> be SmartLoader
> big ass fuck off malware campaign
> tracked by dozens of anti malware companies
> heavily obfuscated lua
> bamboozles everyone
> me jimmies rustled
> team up with roblox cheater nerd
> reverse engineer it back to src
> (almost done)

https://gist.github.com/vxunderground/aaa6a88823afc83b4f8a73366694966d
πŸ‘41πŸ”₯35❀12πŸŽ‰12πŸ€“4😒1🫑1
> get dm
> "hey smelly, i work for (kind of important place)"
> "vendor sent us weird file, its sus af"
> "what do u think?"
> download file
> look inside
> ultra mega fuck off malware
> pe position independent .code is set to RWX
> multiple extra sections
> extracts .bss segment
> .bss has .exe inside it
> .exe ASPack 2 compressed
> emulate
> has anti-vm features
> pulls .bat from c2 to self-delete
> still bonking

my brother in christ, if your company ran this .exe from this vendor, you better call someone ASAP because your company is COOKED. also, this vendor is either a criminal enterprise or compromised. gl big dawg. happy monday
Okay, I'm going to bed now.

Goodnight people on X
Goodnight people on Telegram
Goodnight FBI
Goodnight NSA
Goodnight CIA
Goodnight Israel spyware
Goodnight ads tracking me
Goodnight AI scrapers

Mwah kisses
xoxo
Oh, I forgot

Goodnight Chinese espionage campaigns residing in United States critical infrastructure believed to be aggregating and collecting intelligence on United States citizens

Mwah
this is the guy calling you the N word on discord
> get dm
> "government ppl in Colombia getting weird file"
> lolwtf
> send link
> look inside
> phishing page (looks good tho tbh)
> image 1
> i dont speak spanish, idk wtf it says
> look inside .html
> .zip hidden inside it as base64
> lol ok
> bonk with stick
> "Oficio 2231" zip file
> idk what that means still
> look inside
> .zip has .js inside of it
> look inside
> big ass fuck off obfuscated bs trying to trick u
> image 2
> utf16 bullshit
> utf16 makes another file
> ???
> extract from tiny little fragments of js
> look inside
> .dll .net file
> wtf lol
> look inside
> heavily obfuscated .net malware
> image 3
> tiny .js fragments contain powershell script
> ???

tl;dr
.html does something that triggers .js which extracts .zip. the .js from .html executes the .js inside the .zip which reads the .ps script from the .js. the .ps then executes a c# .dll which is named taskscheduler (its malware)

why would someone send government officials in Colombia this file wtf lol
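The .html -> base64 .zip -> .js -> UTF-16LE fragment chain described in the post above, as an added Python triage example. This is not vx-underground's tooling and does not touch the real sample: the HTML page, the archive name and the embedded script are constructed inline so it runs offline, and the base64 run length and UTF-16 string length thresholds are assumptions you would tune for a real file.

```python
"""Triage helper for an HTML-smuggled ZIP that carries obfuscated JS.

Added example (not the channel author's code). Sample data is constructed
below; thresholds are assumptions.
"""
import base64
import io
import re
import zipfile

# Assumption: a base64 run shorter than this is a token, not a smuggled file.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"


def find_smuggled_archives(html: bytes) -> list[bytes]:
    """Return every base64 blob in the page that decodes to a ZIP archive."""
    archives = []
    for m in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # bad alphabet or padding: not our blob
            continue
        if blob.startswith(ZIP_MAGIC):
            archives.append(blob)
    return archives


def find_utf16_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Recover printable UTF-16LE runs (the 'x\\x00y\\x00' pattern) from a buffer.

    JS that rebuilds a second script from UTF-16LE fragments leaves these runs
    in the file; this is the `strings -el` idea done inline.
    """
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group(0).decode("utf-16-le") for m in pat.finditer(data)]


def summarize_archive(blob: bytes) -> dict[str, list[str]]:
    """Map each member name to the UTF-16LE strings found inside it.

    Members are read into memory only; nothing is written to disk or run.
    """
    summary = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for zi in zf.infolist():
            summary[zi.filename] = find_utf16_strings(zf.read(zi))
    return summary


def triage_page(html: bytes) -> list[dict[str, list[str]]]:
    """One summary per smuggled archive found in the page."""
    return [summarize_archive(b) for b in find_smuggled_archives(html)]


def build_sample_html() -> bytes:
    """Constructed sample: a lure page carrying a base64 ZIP with a .js inside.

    The inner script hides a WScript string as UTF-16LE code units, mimicking
    the fragment trick described above. Name and content are made up.
    """
    inner_js = b"var a='" + "WScript.Shell".encode("utf-16-le") + b"';"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Oficio 2231.js", inner_js)
    b64 = base64.b64encode(buf.getvalue())
    return (b"<html><body><script>var payload='" + b64 + b"';"
            b"var blob=new Blob([Uint8Array.from(atob(payload),c=>c.charCodeAt(0))]);"
            b"</script></body></html>")


if __name__ == "__main__":
    for archive in triage_page(build_sample_html()):
        for member, strings in archive.items():
            print(member, "->", strings)
```

Running it on the constructed page reports the single archive member and the `WScript.Shell` string it hides; on a real lure you would point `triage_page` at the downloaded .html and then hand each recovered member to the next stage of analysis rather than executing it.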
oh sorry

if youre a threat intel nerd, or anti malware nerd, who is designated to track potential state sponsored activity in south america

final payload: 5a979c309aff96456ba4482653fc213997387956c24e376645e4e0cfaa6b878a

obfuscated js payload (fragmented utf16le):
87eac5fa290387bd90d71424f8a65f2b2c7436a415f6e7f033915ef8e833ef86

file sent to colombia ppl i guess idk:
193b98595f44935e79413aeb474cd8d75e8d5ba63caf0d52470cadbeb8139c03

theyre all on VT now
> get more dms
> more free malware
> yay
> "smelly someone says this cheat src code is malware"
> download
> look inside
> visual studio prebuild event builds vbs script
> vbs script decrypts .ps1 script
> downloads RAT
> contains link to a YT video

https://www.youtube.com/watch?v=akoxddx6lgc
Chat, I don't want to jump to conclusions, but I have a sneaking suspicion this malware stager was vibe coded. Historically, malware hasn't left extremely descriptive comments in their stagers.
omg i got FREE malware from REDDIT
I tried to do a write-up on X and share some de-obfuscated malware source code

I kept getting notifications on X saying something like, "sorry, something has gone wrong, don't fret", blah blah blah.

If I removed the malcode it worked

I THOUGHT THIS WAS AMERICA
>get dm
>smelly there is MALWARE for FREE on REDDIT
>mac subreddit
>ad for some goop
>look inside
>VIBE CODED MALSLOP

YOU LEFT NOTES IN YOUR BASE64 ENCODED STAGER, WHAT THE FUCK IS ACTUALLY WRONG WITH YOU