vx-underground – Telegram
The largest collection of malware source, samples, and papers on the internet.

Password: infected

https://vx-underground.org/

Today a group named 66slavs claimed to have breached the United States National Energy Research Scientific Computing Center (NERSC).

* We have not reviewed the data
* Yes, they watermarked a data breach

babe wake up mandiant just released artwork for sandworm aka apt44 (officially)

hacking is illegal and for nerds

Yesterday Christopher Ahlberg, the CEO of RecordedFuture, shared information on an unidentified Threat Actor attempting to SMS phish employees at their organization

- This message was not sent to a Nikolas
- Who the hell is Nikolas

13-year-old Marco Liberale has created a proof-of-concept PasteBin C2 botnet in Go. It is fully cross-platform, working on Windows, Linux, and Mac.

We are very happy to see such a young person contributing to this research space.

Check it out here: https://github.com/marco-liberale/PasteBomb

feege_ spotted a billboard advertisement on the i-95 in Philadelphia, near the Wells Fargo Center, that says:

"Hackers Suck"
"Protect your business. Cover your assets."

Hello, how are you? We've updated the vx-underground malware collection. We've added 68,000 new malware samples.

Download the malware.

- Virussign.2024.04.09
- Virussign.2024.04.10
- Virussign.2024.04.11
- Virussign.2024.04.12
- Virussign.2024.04.13
- Virussign.2024.04.14
- Virussign.2024.04.15
- Virussign.2024.04.16
- Virussign.2024.04.17
- InTheWild.0118
- InTheWild.0119

Check it out here: https://vx-underground.org/Samples

Nerds are reporting the new Team Fortress 2 64bit version is being flagged as malware from AV engines.

17 AVs flag the newly released Team Fortress 2 64bit client as malware 😭

SHA256: 83fb94ef1accdc0071ef6221f8e5acf870a1df31ff26e04a8d58116402793911

Thank you, Hasherezade for producing these cool and badass hoodies.

PE-BEAR ATE MY MALWAREZ

Malware review:

2024-03-26 - Malware Disguised as Installer from Korean Public Institution (Kimsuky Group)

- Masquerades as installer (0 points)
- Masqueraded installer is not functional (-1 points)
- Dropper is signed (+1 points)
- Drops src.rar (-1 points)
- Password protected with "1q2w3e4r" (-1 points)
- Execution begins with command "installer" (0 points)
- Copies to %USERPROFILE% (0 points)
- Payload masquerades as svchost.exe (0 points)
- Registers itself in Task Scheduler (0 points)
- Masquerades in Task Scheduler as "Windows Backups" (0 points)
- Developed in Go (+1 points)
- Recycled code from previous malware campaign (-1 points)
- Used same signed certificate from previous malware campaign (-1 points)
- Has generic RAT functionality (0 points)
- TA pushed Mimikatz to infected machine (-2 points)
- Mimikatz masqueraded as cache.exe (0 points)
- TA used free Ngrok domain for C2 (-1 points)

We give Kimsuky Group's recent APT campaign an F.

Unoriginal, generic code, some code dependent on external applications (Winrar) which may not be present on victim machines. Password is hardcoded in payload and easily identifiable. Recycled code and recycled certificate is poor design and lazy. Masqueraded installer not working is lazy. Pushing Mimikatz is also a poor decision, this tool is heavily flagged and is a big red flag.

Researcher crocodylii found Hunters International ransomware group left their Tor domain publicly indexable 😭😭😭😭

Someone made us this

Following the return of HelloKitty ransomware group (now HelloGookie), the individuals behind HelloKitty ransomware group released more files from CD Projekt Red – the game studio behind The Witcher and Cyberpunk 2077.

Using the leaks nerds have compiled The Witcher III

MITRE was compromised

Shout out Charles Clancy for full disclosure and his transparency.