vx-underground – Telegram
The largest collection of malware source, samples, and papers on the internet.

Password: infected

https://vx-underground.org/
We've updated the vx-underground APT collection:

-Zebra2104 samples
-Godzilla webshell, NGLite Trojan
-New TA2722 samples

https://vx-underground.org/apts

* Unable to locate KdcSponge samples
REvil domain is back online with a message.

"They are not the masters they think they are"
"We have the skills and experience"
"Do you want to be with the most qualified or losers?"

*site CSS and PNG indicate this is a defacement
Total malware samples in the vx-underground malware collection: 6,121,742

Goal: 26,000,000
We have re-indexed the Conti ransomware group content leak.

-"Crack 2019"
-"Metasploit US/RU"
-"Network Pentesting"
-"Cobalt Strike"
-"Powershell for Pentesters"
and more...

You can check it out here: https://vx-underground.org/archive
Leaked footage of the GRU (Главное Разведывательное Управление) successfully backtracking an attacker's IP address using IPCONFIG and Windows XP.

Yes, it is the Internet Café.
We've added a new proof-of-concept to the vx-underground paper collection: Keylogging using NtUserGetRawInputData by smelly__vx


-Resolves NTDLL / WIN32U APIs on load
-Function hashing
-Random string generation
-No outbound connectivity

https://github.com/vxunderground/VXUG-Papers/blob/main/NtUserGetRawInputDataKeylogger.cpp
We've renamed the WINAPI-Tricks GitHub repository to VX-API.

Adds:
-Templates, demonstrating various entry points and using a custom entry point on Windows in C/C++
-STDIO directory is now StringsAndData. New functions have been added.

More to come...
https://github.com/vxunderground/VX-API
We've added a new paper to the vx-underground paper collection: "Protecting your malware with BlockDLL.B" by smelly__vx


This is a pseudo-functionless adaptation of _xpn_'s "Protecting Your Malware with blockdlls and ACG".

You can check it out here: https://github.com/vxunderground/VXUG-Papers/blob/main/BlockDlls.b.cpp
I apologize - we are behind schedule on APT additions. Lots of stuff happening behind the scenes.

Paper + samples:

2021.11.10(1) - Lazarus Nukesped
2021.11.17 - Alert (AA21-321A) Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
We've added a new paper to the vx-underground paper collection: "Persistence via the Recycle Bin" by ethereal__vx

This is a programmatic implementation of Hexacorn's "Beyond good ol’ Run key, Part 78".

You can check out the proof-of-concept here: https://cutt.ly/bTEEGZ7
We've made some updates to vx-underground:

APT Papers + Samples added
-2021.11.10 Lazarus Nukesped
-2021.11.17 Alert (AA21-321A) Iranian Government-Sponsored APT Cyber Actors

https://vx-underground.org/apts

We've re-indexed the Conti leak: https://conti.vx-underground.org
Notes from UG Vol. 3: we're interviewing the ATW (AgainstTheWest) group.

ATW is a hacktivist group primarily focusing on the Chinese government. ATW has breached the People's Bank of China, Alibaba, Tencent and more.

Join our Discord and ask your question in the AMA channel.
2021.11.11.rar
2.5 MB
Google has released a report titled "Analyzing a watering hole campaign using macOS exploits" on November 11th. We have aggregated the samples + paper.
We will be offline for a few days.

BRB
We have released Notes from UG Volume 2: XOPALEHA.

Xopaleha is a blackmarket exploit dealer. We allowed members of our Discord to ask him anything.

You can check it out here: https://papers.vx-underground.org/papers/VXUG/Exclusive/Interviews/InterviewWithXopaleha.pdf