40630
The largest collection of malware source, samples, and papers on the internet. Password: infected https://vx-underground.org/
I was reverse engineering this Grand Theft Auto V malware that targets FiveM stuff. It was a big ol' mess of obfuscated Javascript. I hate obfuscated Javascript.
I posted I hated obfuscated Javascript.
Subsequently, a very nice person named nullableVoidPtr deobfuscated the massive code base for me when I was sleeping. Thank you. I love you.
Anyway, when I began poking it with a stick I discovered the malware connects to blum-panel(.)me. It registers there. It's the C2.
When you visit via HTTPS it notifies you of their Discord server (also references to their Discord in their code?)?
When you connect to their Discord they advertise security services for Grand Theft Auto V stuff ... ?
What the fuck.
Dawg, do you NOT run a malware campaign and advertise it on Discord like this. Are you OUT OF YOUR MIND?
It's 10pm and I'm reverse engineering Javascript malware targeting FiveM.
Why are people making malware for Grand Theft Auto V roleplay servers
Poking MalwareBytes with a stick continues. I fell down a weird rabbit hole.
MalwareBytes contains a file that is packaged with it called "malwarebytes_assistant.exe". This file is written in C#.NET, it subsequently loaded malwarebytes_assistant.dll.
As the name implies, it is indeed an assistant file. It accepts commands and does things based on the commands given to it. There's a lot of commands, but here are the interesting ones.
- AddExclusion (can't find it though)
- Deactivate
- DisableWebProtection
- StopService
- LaunchProcess
- SetRegistryValue
- CreateWFCRule
- ModifyWFCRule
- DeleteWFCRule
LaunchProcess and SetRegistryValue check the parent process of the invoker. If it is not from a process that is signed by MalwareBytes, it fails. However, everything else works. It does prompt UAC, but it says its coming from MalwareBytes.
tl;dr disable MalwareBytes, modify Windows Firewall, etc. It displays as MalwareBytes doing it.
We must continue poking it with a stick.
Imagine hearing this shit ALL DAY. I'm losing my mind. I've disconnected from reality. I don't know what's real and what isn't real.
https://www.youtube.com/watch?v=bOiYN7iU-W8
Lots of drama on the internet today as TESLA announces the self-driving functionality will now require you paying a monthly subscription.
Tesla lovers are absolutely furious.
Tesla stock owners are dancing in the streets
Today I experienced something I had never imagined myself experiencing.
My 9 month old makes a big mess while eating. He is still learning coordination to self-feed. He's improving. I'm proud of him.
Today he made a gigantic mess while trying Jello for the first time. He decided to put it in his hair and also his pants. We're still not sure how he got the Jello so far down his pants ... but he did.
We had to wash him. He was sticky and stinky.
Because he's getting bigger he gets the "big boy tub". In essence, my wife or get in the bathtub with him and bathe him. We set him in the tub and we both wash him. The parent in the tub with him holds him, rotates him around to get the hard to wash spots, or keeps him distracted by playing with him. He loves splashing the water.
Anyway, today when I was holding him he took a massive shit in the tub. I'll spare you the details. I wasn't angry, ... but being a first time parent has been a unique experience none of the books or classes prepared us for.
That's all. I just wanted to share that with someone.
I was requested to poke stuff with a stick because of stuff happening in r/PiratedGames
https://malwaresourcecode.com/home/my-projects/write-ups/r-piratedgames-drama.-is-it-malware-yes.-is-it-cool-malware-no
Hi
I've added more malware and malware accessories to the website you sometimes visit.
https://vx-underground.org/Updates
A sort of small, sort of long, observation or note, or something.
tldr nerds mad, touch grass
The internet (and humans in general, I suppose) love negativity and drama. There becomes a point though where negativity goes beyond spectacle and entertainment and it bleeds over into public anger and mass hysterics.
While I don't traditionally make political commentary (or try to rather, I'm human, make mistakes, or accidentally present bias), and stray away from political banter, my curated and compartmentalized information security feed has transformed into some pretty nasty dialogue regarding the recent United States governments actions both domestic and abroad. While some of my peers engage in political banter, an upward trend being observed, whereas even the "non-political" begin discussing things, is paramount and is an indicator that a profound event has occured.
This typically results in me saying "huh?" and acting like the cat in the attached image below.
Outside of this bubble I've made, it is chaotic (I'm sure you're well aware of what I'm addressing at this moment). Historically, it is unusual for this degree of anger and frustration to bleed into my bubble, previous and noteworthy "bleeds" include Mr. Rittenhouse, the death George Floyd, Ukraine-Russia conflict (beginning), Palestine-Israel conflicts (elevated, major event occuring), the COVID19 pandemic, January 6th, the assassination of Charlie Kirk, ... and now the recent events occuring.
I think being exposed to this polarization for too long is unhealthy, it makes people angrier, and deepens a divide. It's important to remember that political commentators profit off of outrage, it boosts their engagement and advertisement revenue, thus want to continually stoke the fire and ensure you're perpetually agitated.
I unironically recommend my colleagues and peers to touch grass. Disconnecting and disengaging with the internet hate machine puts things into perspective. Hug your children, pet a kitty cat, eat some junk food, go for a walk, ... do something other than being angry on the internet. There is a difference between being informed and being drawn into the political "event horizon".
Okay, back to kitty cat posting until morale improves and also nerd stuff.
Lots of negativity on social media the past few days.
Will continually post silly cat pictures until morale improves
I haven't finished g1v3aw4ys because instead of dealing with hundreds of people I've been doing malware stuff, spending time with my baby boy (he's angry, his top teeth are coming out, he WILL bite you), and posting silly pictures of cats.
Sorry.
Discussions online today of 17,500,000 people involved in an "Instagram" leak.
This is a clarification from a previous post I made, which I've subsequently deleted, to avoid confusion and add more details.
Normally these sort of "leaks" are a result of API scraping. This has happened in the past with LinkedIn and Trello. Basically someone writes a program that communicates with Instagram and requests information on a user profile. They then loop this through as many Instagram profiles as possible.
New information has come forward, as people have provided me with feedback, suggesting this is a combination of API scraping, a giant list of known stolen Instagram accounts, blah blah blah, and content from a previous leak.
Others have speculated this is someone who is doing mass password resets to try to correlate phone numbers and emails with accounts.
Basically, nobody knows. We can only make educated guesses. Regardless, Instagram wasn't "hacked" or compromised.
These sort of "leaks" resurface and reappear every couple of months, sometimes years, and is basically just a database for scammers and extortionists to do lookups or try to do phishing campaigns.
Pic of weird looking cat riding motorcycle is me rn fr
Mr. Grygla's Department of Justice announcement:
https://www.justice.gov/usao-or/pr/recidivist-sex-offender-sentenced-21-years-federal-prison-distribution-child-pornography
I guess this goes back to 2022, I'm just blind as hell and dumb as hell.
I'm late to the outrage, but I'm still outraged gosh dangit
Good news everyone,
MS-Paint, the legacy art software which has shipped with Windows since 1985, has been dramatically IMPROVED to now include Microsoft Copilot Image Creator.
*subscription required, need Microsoft Copilot AI credits
I fucking HATE this shit. I hate dealing with this type of obfuscating. Ugh.
https://raw.githubusercontent.com/Linux123123/fivem-malware/refs/heads/main/second_stage/nulljj.js
tl;dr
"C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.exe" --disablertp
yay no more protection
I've decided to poke MalwareBytes with a stick.
Why? I'm mildly curious how it works internally and I'm curious if I can produce malware custom tailored to evade it.
Why? Because sometimes I get weird ideas and want to do weird things for literally zero reason other than "sounds kind of cool".
I setup a VM for the first time in years to poke it with a stick. I didn't want to install an AV on my main machine. Yes, I will do malware analysis on my main machine but not install an AV.
After installing MalwareBytes, skimming some of the files, poking random things and saying "wtf does this thing do", I've learned some mildly interesting things but nothing revolutionary.
1. They use Jenkins for continuous integration. Does this mean anything? No.
2. Based off my minimal testing, I don't see any DLLs injected into binaries when they're loaded into memory. However, the binaries I tested are well known and well established. It might inject DLLs into unknown binaries.
3. MalwareBytes main binary is written in C#.NET. It loads a secondary MalwareBytes.dll which then displays everything. It does the same stuff Microsoft Copilot does. That is how MalwareBytes has a fancy UI and stuff.
4. MalwareBytes stores very little in HKEY_CURRENT_USER making tampering from user mode kind of hard. It's just basic settings and stuff.
5. MalwareBytes has a custom protocol handler of "malwarebytes://". It looks like it uses this for interprocess communication between other MalwareBytes modules and binaries
6. MalwareBytes ships with a (basically) blank DLL called "Sample.dll". I have no idea why.
7. MalwareBytes has 2 mini filters in place which (presumably) are the main thing responsible for detecting malware. This is standard. MalwareBytes Chameleon (one of the minifilters) looks like it's meant to prevent tampering with the actual important MalwareBytes minifilter.
8. MalwareBytes Chameleon looks like it's responsible for communicating with user mode and kernel mode components. It looks like this is done so user mode components don't communicate directly with the minifilter responsible for actually detecting malware
9. I have a lot more poking to do
10. There is a binary called "assistant.exe" which loads "assistant.dll" (more .NET) stuff. It may possible to abuse this as a LOLBIN (maybe, need to poke more, kind of). assistant.exe does things like issuing commands for scanning, updating, and displaying things in the MalwareBytes UI. It accepts commands as "assistant.exe --uri malwarebytes://"
11. I have no idea how their scanning works, but it's labeled internally as Hyperscan
12. There is a thing called ProtectedHashes. I have no idea what this is.
13. There are tons of SQLite libraries, but I have no idea what it's for. Presumably, it's for known-good and known-bad file hashes, maybe? But I have no idea where this is stored.
14. I like cats
I need help.
My 9 month old son loves Ms. Rachel. For the past 3 days I've been subjected to cruel and unusual punishment. I'm trapped. I'm stuck listening to this lady sing "Wheels On The Bus" for, at minimum, 8 hours a day.
My home is a CIA torture black site. "thE wHeElS oN the BuS gO rOunD n RouNd" ... in the morning... in the afternoon... at night ... when he's trying to sleep or he's sleeping.
I'm at the point where I'll start confessing to crimes I've never committed to make this fucking song stop playing.
Today Spaniard authorities seized 10 tonnes (metric tons, 22,000lbs, 10,000kg) of cocaine being smuggled into the country from Brazil.
The cocaine is reportedly valued at enough to purchase 3 DDR5 RAM sticks and maybe a few Claude tokens
Watched police body cam footage of a guy who robbed a bank. He went in with a gun, a slid a piece of paper telling the bank teller to give him all the money.
He received over $1,000 in cash. He was caught moments later. He is in jail and is facing over 20 years in prison.
The ex-mayor of New York pushed a "NYC Token" cryptocurrency and rug pulled over $3,000,000. He doubled his net worth in just a few days.
Nothing will happen to him.
Person on YouTube uploads a video that is 114,115 years long (1,000,000,000 hours).
The video is (probably) a One Piece anime review.
I unironically perceive myself and you nerds as like, a bunch of old ass monks or priests or something, up on like High Hrothgar.
Shits gotta get wild down there with the normies if we can hear it
Lots of negativity on social media the past few days. Will continually post silly cat pictures until morale improves
Читать полностью…
UK and Australia discussing banning X because Grok keeps putting people in bikinis
Читать полностью…
Hi
vxdb (on Twitter, no idea if he's on Telegram), initially unrelated to vx-underground, will now be a vx-underground staffer. He isn't a malware nerd, but he is terminally online, a degenerate, and continues to help me with stuff (which I deeply appreciate).
He'll be doing some administrative work for me. It is becoming increasingly difficult to do stuff while managing full time employment, a baby boy, and a vx-underground. He won't have access to this account, or vx-underground infrastructure, but he'll be handling other stuff (read below)
In summary, one of the first things we'll be doing is making a social media profile exclusive to g1v3aw4ys. This will eliminate the g1v3aw4y spam from this profile. I have yet to finish the g1v3aw4ys from 2025. Oops.
Thanks to TorGuard, and our monthly sponsors, I am hoping to do more g1v3aw4ys on the other profile throughout 2026. Maybe like, books, or something, I don't know. It won't be big stuff. But ideally like, $200/month of free stuff. Then, during the end of the year, the account does big stuff.
ok ily ttyl bye
Abusing Microsoft Copilot: Copilot, copilot my payload
*please read limitations notes on the page. It's important you read that.
tl;dr inconsistent, needs more research, potential avenue to explore
https://malwaresourcecode.com/home/my-projects/proof-of-concepts/microsoft-copilot-copilot-my-payload
In 2003 Travis Grygla was convicted of possession of CSAM (Child Sexual Abuse Material).
In 2008 Travis Grygla was convicted of distribution of CSAM.
Following his release, in 2024 he was subject to a federal raid for possession and distribution of CSAM (again). However, when the United States Homeland Security Investigation Unit showed up to his house he ran outside and stole the federal agents car.
As you could probably assume, Homeland Security loves it when a convicted CSAM distributor steals their vehicle (which has a loaded gun in the vehicle) and leads them on a 110MPH (117KPH) police chase.
January 4th, 2026, Midwest Safety was able to get a copy of the police cam body footage as a result of a court subpoena.
If you'd like to watch United States Homeland Security Investigation Unit, Portland Oregon Police Bureau, Vancouver Oregon Police Department, Washington State Patrol, and Cowlitz County Sheriff’s Office, chase Travis Grygla I recommend watching the attached video.
https://www.youtube.com/watch?v=s_HmsifhNaw
Credit to Icesolst, she is DOG THE MICROSOFT COPILOT HUNTER
Читать полностью…
Note: It's wildly inconsistent during my testing. I'll release my code and let others experiment with it who are better with that sort of stuff.
I think it's a neat project and there is room for more growth and exploration
Sometimes it displays a consent prompt (haven't automated that), sometimes it tells me to do it myself. Sometimes it tells me to do it via voice command (???).