vxunderground | Unsorted

Telegram channel vxunderground - vx-underground

14365

The largest collection of malware source, samples, and papers on the internet. Password: infected Website: https://www.vx-underground.org/ vx-underground Telegram chatroom link: https://t.me/+njfLzUrqos01ZWNh

vx-underground

One of my fondest memories of Lockbit ransomware group was when Lockbit ransomed a small nonprofit healthcare clinic in South America.

They begged him to decrypt the machines so they can provide treatment to people in need. They primarily provided healthcare to people in remote areas who have little to no money, education, or work.

Lockbit said: "If you have money for computers, you have money to pay me"

Wow, truly a heartwarming moment. Very cool.

vx-underground

Removed weird balloon thing from car. Now can safely store beer in car

vx-underground

They also called us an embarrassment and said our post is borderline malicious because it is misleading because (or the researchers, whoever), did not read the security guidelines.

vx-underground

After we made this post several companies listed here contacted us (or rather, employees).

Every single one who contacted us correctly identified Bubble and were able to assess what we would release

Some of these big companies do NOT play games with security 😂

vx-underground

In 2024, 2 security researchers discovered a flaw in Bubble-dot-io, a self-described AI-based app development and publishing service.

Upon discovering the vulnerability, these 2 researchers notified Bubble. Unfortunately, for whatever reason, this fell on deaf ears.

These individuals subsequently did a talk on the vulnerability, published a proof-of-concept, and even wrote a paper on it. The code and paper show how easy it is to compromise websites and/or applications on Bubble. Despite all of this, Bubble still did nothing.

These 2 individuals then contacted me to request I relay the message loud and clear: you need to fix your software immediately.

In essence, this exploit allows the execution of arbitrary requests to the application's Elastic search which allows data dumping and/or exfiltration.

The application's encryption workflow is performed in the front-end, because Bubble-dot-io uses fixed IVs (shared between ALL clients), exploiting Bubble-dot-io is possible due to the creation of arbitrary payloads by abusing the recovery keys.

All tables can be dumped, including custom tables defined as "custom.(table_name)".

Furthermore, it's possible to attack other clients from Bubble-dot-io because the application does all hosting internally (shared).

- Cryptography keys do not rotate, hence an attacker can reuse the same keys in new Elastic searches
- Timestamps are not verified
- Attackers can enumerate customer subdomains by fuzzing *.bubbleapps-dot-io domain, making identification of targets easier
- If domain doesn't match target, response header will return correct target in 'X-BUBBLEAPP-NAME'

Please note the time date stamp in the attached images.

See subsequent post for link to paper and proof-of-concept.

vx-underground

We've got a 0day exploit.

The 0day impacts an organization which provides managed services for Danone, SeaGate, Unity, Shopify, Paramount Pictures, HubSpot, Amazon, PWC, Yamaha, L'Oreal

The exploit was reported, but the vendor ignored it.

Chat, do we drop a 0day on a Friday?

vx-underground

Someone found this in an antique store today.

Before us there was another vx-underground (apparently) and they were also cool and badass

vx-underground

Hello, how are you?

tl;dr doing stuff

Right now we've got 250GB+ of new malwares we need to push. We're in the process of syncing it, making local backups, etc. We also temporarily stopped migrating virus-dot-exchange, but it's still on the todo list.

As many of you have noticed, updates on things have been volatile and shaky. I greatly miscalculated the difficulty of preparation and deployment of mini-human. I had thought, to some degree, it was an exaggeration that it would require a great deal of effort — it turns out the entire planet (past, and present) was not lying.

Despite the deployment of Smelly Smellington Jr, the general plan will be as follows:

- Continue daily ingests and malware sample distribution from petikvx, JaffaCakes118, and Neiki__. These 3 act as the backbone of our malware ingestion cycle.

- If or when _BradleyVX returns from his family duties: continual archival of The Old New Thing, cat picture collection (semi-joking), and his work on malware collection. Bradley has primarily been responsible for the malware family collection and he will continue doing so.

- Cryakl will continue working on the malware builder collection. Cryakl has done an excellent job ensuring we're up-to-date on malware builders historically and present...ly (?)

- f0wlsec will continue his work on the APT malware samples and papers collection. If you do not see an update in a significant period of time, feel free to poke him with a stick.

My request to anyone who reads this: PLEASE do not hesitate to contact me (or whoever) regarding malware papers (reverse engineering, development, history, whatever). Even if the paper doesn't make it into the collection it is super-duper appreciated when someone notifies us of a potential paper. It makes my life so much easier. If you've written a paper for yourself, or your group, or your company — DON'T hesitate to notify me (or whoever in our group) so it can be archived.

How to send us a paper: literally just send the link on Discord, Twitter, Telegram, e-mail. That's all you have to do. If you send me enough cool stuff maybe you can take my job and be given a pretty staff sticker and I can focus more on other administrative tasks.

Anyway, I'll be AFK. You'll see a spike in silly posts and cat pictures. If this upsets you, I don't know bro, we're busy and this is all for free. You gotta deal with it for a while.

Love you
- smelly smellington

vx-underground

People who are 18 years old, as of 2025, were born the same year as the release of Halo 3 — the same year the original iPhone was released when Steve Jobs was alive.

The people you will be interviewing in the next couple of years do not know a world without smart phones.

vx-underground

X employees shared online they're rewriting the X DM system and naming it 'XChat' — which is strange because I recall using XChat sometime in the late 90's, or early 2000's

vx-underground

If we had $1,000,000/yr, Bradley and I would travel to Russia to physically meet Lockbit in person and challenge him to a Yu-Gi-Oh duel to end his operations

vx-underground

We've been surviving for almost 6 years by begging nerds for spare change, sucking the dicks (and clits) of small business owners, and praying X payouts give us more than $50/month

For $500,000/yr we'd be a fuckin' MALWARE REPO MACHINE (3,000 years to spend $1,500,000,000)

vx-underground

Hi,

We've archived the MITRE CVE database. The CVE DB is free and open source on GitHub. However, we're providing a backup location for the data. We doubt it'll magically disintegrate in ash, but if it does we have a copy.

https://vx-underground.org/Archive/CVE

vx-underground

MoistCritical will probably name it, "The 4Chan situation is crazy". He'll open the video with a weird reference to semen, erections, or anime, then say "I'm not an expert on the subject". It'll conclude with "That's pretty much it, see ya".

vx-underground

what do u mean a website historically used for memeing and trolling forked and the memesters and trollsters decided to meme and troll?? how could this have happened???

vx-underground

Please drink and drive responsibly

vx-underground

Hello,

We've removed the post on the Bubble zero day. The purpose of the post was to draw attention to the issue — which was indeed addressed.

As a recap, 2 researchers published a paper on Bubble-dot-io and how to exploit it. Bubble ignored them. We were requested to relay the issue loudly so it was addressed. It was addressed. Bubble asserts they do not consider this an exploit because this is the result of users failing to RTM and follow the Bubble security guidelines.

I will personally take the L that it was a stretch to classify this as zero day when this is the result of users not following the Bubble best practices guide. It does not impact Bubble in totality.

tl;dr 2 guys 1 bubble

vx-underground

Bubble-dot-io employees have responded.

Bubble (or individuals representing the company) assert the code we shared yesterday is not a zero day exploit and we (or the researchers mentioned) failed to take appropriate measures to read the documentation provided by Bubble

In summary, they state each user is responsible for the security of their data and users must follow the appropriate Bubble-dot-io security guidelines. The issues we relayed yesterday do not impact Bubble-dot-io in totality, rather these are customers who failed to follow the guidelines

vx-underground

https://github.com/demon-i386/pop_n_bubble

vx-underground

Chat, it's Friday.

Please hold.

vx-underground

Oh, it's UK underground, the font is just weird.

Font is illegal and for nerds

vx-underground

Use TorGuard VPN.

I didn't have to append this to this post, but they're our hosting provider and the owner uses his company resources and time to collect cat pictures with us.

vx-underground

Anyway, let that echo in your head tonight when you're trying to sleep. 2007 was 18 years ago.

vx-underground

For those young ones reading this: XChat is an IRC client

For those young ones reading this: IRC is kind of like Discord, except way slimmed down, way less features but way more flexible and you can host a server yourself

vx-underground

hello tiny people living inside my computer

vx-underground

If we got $1,000,000/yr (never will happen), vx-underground would transcend space and time, pull malware from the 4th dimension — we'd be producing malware content like we were in the Dragon Ball Z hyperbolic time chamber

vx-underground

According to USASpending, MITRE has received approx. $1,500,000,000 since 2008 from the United States government.

We could survive approx. 30,000 years with that much money 😂😂😂

vx-underground

Hold up — let 4chan speak. They're onto something here

vx-underground

Here is what's going to happen

SoyJak nerds will meme 4chan mods for a while. In the midst of it YouTubers will make videos discussing it (MoistCritical, MeatCanyon, TurkeyTom, etc).

Then in like, a year, it'll kind of be back to normal

vx-underground

This random document fell off the back of a bus. Weird.

This random document which randomly fell off the back of a bus (randomly) says MITRE is no longer supporting the CVE program as of April 16th, 2025. Which is crazy, because this random document is dated April 15th, 2025.
