If you're an attendee of DEFCON this year: there will be a person distributing limited edition holographic vx-underground stickers.

(Half the staff roster doesn't even have them)

If you're an attendee of DEFCON this year: there will be a person distributing limited edition holographic vx-underground vx-uwu stickers. They're ultra rare.

(We didn't even know this existed)

Good morning,

tl;dr internal updates, ignore if you only care about memes or internet TMZ.

Administrative updates:

- Black Mass Volume III, our third independently published book, is currently scheduled to be released October, 2024. It is being handled primarily by b0t and h3l3n. They're being busy bees, collecting stuff, organizing, handling typos, and wrestling distributors.

- We are currently expanding our malware collection capabilities. If things go as planned we should be able to dramatically expand our malware collection set. By late August, 2024 we should be bringing in an estimated 3,165,000 samples a month. This is a large achievement for a group with a budget of $2.00, a slice of pizza, and a limewire downloaded MP3. More details on this soon.

- August, or September, 2024 we will be holding a special event fundraiser. We will auctioning away 5 limited edition vx-underground items. Proceeds will allow us to ball out (buy stuff, watch anime, whatever). This actually took us quite a bit of time to produce (it was expensive for us) but we hope it'll be cool and people will like it.

- We have a massive queue of malware research and development papers to add. Adding these sort of papers actually require a bit of effort – verification, etc, but it's on the todo list. Of course, we are also pulling data from malpedia for malware reverse engineering and detection. We're currently behind schedule on that too though. 😭

Thanks for reading and hanging around. Enjoy your Friday, your weekend, and the perpetual internet crime.

Thanks,

via verge – due to the recent CrowdStrike incident Microsoft is discussing migrating security products away from the Windows kernel and into other spaces such as VBS Enclaves or Microsoft Azure Attestation

CrowdStrike accidentally leveled the playing field for Threat Actors

Of course, forcing security vendors out of kernel space is a bit of a knee jerk reaction and nothing is certain. It appears a lot of details are up in the air, but Microsoft isn't happy about what's happening.

More information:
https://www.theverge.com/2024/7/26/24206719/microsoft-windows-changes-crowdstrike-kernel-driver

tl;dr ¯\_(ツ)_/¯

Today it's being reported multiple bulletproof hosts are being seized by law enforcement agencies. Also today, on various forums, users noted issues with other bulletproof hosts such as zServers-dot-ru believing it to be under 'cyber attack'.

Earlier in the week we were notified zServer-dot-ru had been compromised. We are currently unable to 100% verify the authenticity of the claims. However, the images we have received, as well as the individual offering to provide us more evidence, is pretty damning.

The timing is pretty strange. Multiple bulletproof hosts taken down, another allegedly compromised, and users reporting issues with it.

Note: we've censored the image sent to us.

🚨BREAKING NEWS🚨

This year Gojira became the first metal band to perform at the Opening Ceremony of the Olympics.

This is incredibly cool and badass. France will now forever be labeled as cool and badass.

This isn't breaking news. But when we saw this we lost our minds.

France is cool and badass.

vX-uNdErGroUnD hOw cOuLd u LiKE THiZ tRaSg muSiC it"s SaTanIC

> Logo is a 16bit computer with a pentagram.
> Website, artwork posted – all 'edgy' and 'dark'.
> Malware
> Half of us are weirdo hottopic mall goths
> Other half looks homeless

What did you seriously expect?

We're witnessing people complain in droves because of us praising the recent appearance of Gojira at the Olympics.

Unapproved:
Praising Gojira for their performance at the Olympics

Approved:
Communicating with internationally wanted criminals

Never imagined so many angry people because of a type of music. It's extremely confusing.

We got a DMCA strike for sharing footage of the Gojira performance.

Lame.

Anyway, back to malware stuff

Thank you for the kind words

It's been 5 years and this is still an on-going gag.

Good morning, afternoon, or night.

Today is the day of the rest. It's been quite a week, lots of crazy stuff happening. We hope all of you had a good week, weekend, and are enjoying your Sunday:)

Love you, see you tomorrow:)

Every Sunday all vx-underground staff members meet up in a discrete location and play the all-time American video game classic: Burger King: Sneak King

Updates to vx-underground:

Papers:
- 2023-12-11 - Mustang Panda’s PlugX new variant targetting Taiwanese government and diplomats
- 2024-01-05 - AsyncRAT loader: Obfuscation, DGAs, decoys and Govno
- 2024-03-22 - Large-Scale StrelaStealer Campaign in Early 2024
- 2024-04-02 - Updated StrelaStealer Targeting European Countries
- 2024-06-21 - AmberAmethystDaisy to QuartzBegonia to LummaStealer
- 2024-06-24 - StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe
- 2024-07-10 - DodgeBox: A deep dive into the updated arsenal of APT41 (Part I)
- 2024-07-11 - Brief technical analysis of the Poseidon Stealer
- 2024-07-11 - ClickFix Deception: A Social Engineering Tactic to Deploy Malware

Families:
- ZeroT
- FlokiBot
- PlugX
- RockLoader
- StealC
- Vidar
- SmokeLoader
- Socks5Systemz
- Redline
- Enigma
- DowneksLoader
- BabadedaLoader
- BartRansomware
- Amadey
- ATMitch

A few days ago we were alerted to Roblox 'cheaters' (we're using that term loosely) being impacted by malicious code in their 'cheat tool'.

tl;dr malicious noscript is malicious

The tool being used by Roblox nerds, Wave Executor, executes noscripts. In the event a user intentionally, or accidentally, executes a malicious payload, then of course it is going to be malicious.

If you ran a malicious powershell noscript would you be surprised it was malicious? If you copy-pasted a malicious Python noscript into IDLE and executed it, would you be surprised it's malicious?

The screenshot circulating is not indicative of some ultra-1337 Roblox cheat exploit – the user, or proof-of-concept developer, detonated a malicious noscript. The primary security threat posed to Roblox nerds is, as previously stated, nerds accidentally detonating malicious noscripts. We don't expect a noscript-runner tool designed for Roblox to attempt to determine whether or not something is malicious.

Just be careful copy-pasting code into your noscript-thingy – or don't, whatever.

In September we will be doing a fundraiser. We will be auctioning away 5 limited-edition holographic vx-underground Yu-Gi-Oh cards.

We only have 5.

HELP

A few days ago Fortune magazine did an article about Ferrari disclosing an attempted cybersecurity breach via social engineering.

tl;dr social engineering using ai / deepfake voice

Sometime earlier this month (July, 2024) a Ferrari executive began receiving unusual text messages from an individual impersonating Ferrari Chief Executive Officer Benedetto Vigna.

Interesting, the impersonator called the (unidentified, target's name was not disclosed publicly) executive. The caller is suspected to have used AI and/or deepfake technology to mimick Benedetto Vigna. The unidentified executive stated the tone, the language, and the accent were perfect. However, some of the language seemed unusual. The executive then asked the impersonator: "Sorry, Benedetto, but I need to identify you. What was the noscript of the book you had just recommended to me a few days earlier?"

The individual, unable to answer the question, terminated the phone call.

This is one of the first major, and publicly disclosed, social engineering attempts via AI / deepfake technology that we're aware of. The Threat landscape is slowly shifting (as is tradition).