Every single time a Threat Actor compromises a large Twitter account they drop the ball.

Best usage we've seen thus far has been "North Korea is Best Korea" (a silly message), followed by goofy crypto-drainers.

tl;dr 1 shot, 1 opportunity, doesn't seize the moment, slips

We are in the process of deploying 150,000 new malware samples.

This should have occurred earlier. However, a Threat Actor conducted a sophisticated cyberattack and compromised our infrastructure (my puppy decided to chew on the cables connecting to my local backup NAS).

Threat Actor using advanced evasion techniques (if he can't see you, you can't see him).

A 20 year old United States soldier worked with Threat Actors and, following the arrest of his associates, threatened to leak telephone logs from Kamala Harris and Donald Trump.

This was a very, very, very bad decision.

https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizon-extortions/

We've never personally encountered an active United States military personnel doing something like this.

It is difficult to assess if they'll go to trial as a civilian or as a soldier (United States military court) or both (which is possible, a rare double whammy)

Happy New Year

In celebration of the 2025, you will all be given one (1) limited edition kitty cat.

Cheers,

2025

She a 18,446,744,073,709,551,615 but she 32bit

Congratulations to everyone who survived 2024.

2025 is double elimination round.

This year we're starting off strong.

First and foremost, we've got some new sponsors. Our friends over at Binary_Defense and TrustedSec have helped us out tremendously lately. We'd especially like to thank HackingDave for helping the little nerds out and keeping malware cool and badass (and free) forever and ever. We'll be listing them on the website later.

Next up: we're working with our friends at TorGuard VPN to expand our infrastructure. They have a lot (and quite honestly, a disturbing) amount of computational resources. We will be working with them for 2 things.

1. Wide spread cat picture aggregation.
2. Wide spread malware ingestion

Next, next, on the other side of the autism spectrum: our in-house software engineer guessthepw is working on constructing a kitty cat photo database. All cats ingested will be available to browse, download, whatever.

People have asked: "smelly smellington, what's your end game with these cats?". The answer is very shrimple: no idea, thought of it while using the restroom.

Let's see where this whacky adventure takes us. Maybe in a few years it'll be bigger than vx-underground and we can use it to fuel our malware addiction. Or, alternatively, nothing will happen and the project will be dead in a year. Let's see what happens! Sometimes in life you gotta do just a thing, see if it fails, or succeeds, or what happens.

We've got lots of work to do in 2025.

Finally, as is tradition, we've got more malware to add, more malware papers to add, lots and lots of stuff. Very cool.

Thanks,
- smelly smellington

One thing noobie scoobies don't seem to understand is that malware is literally just software. Understandably, that seems kind of obvious, it's in the name — 'malicious software'. But it seems less obvious to some that, in order to write malware, you apply the exact same principles, techniques, and structures that legitimate software uses.

Malware is regular ol' programming with some sprinkles of weird stuff. These weird things are documented and shared. Some try to find new weird things.

When people ask what language is best for malware... it's kind of like asking 'what's the best ice cream flavor?'. It's entirely subjective. Everyone will tell you something different. You'll notice a lot of people will prefer Chocolate or Vanilla, you may encounter some who like Raspberry Banana Sprinkle Jam-Blam Blast, or Minty Schminty SpongeBob Sticks Bombs, but at the end of the day it's all still ice cream.

In it's most simple form, all malware techniques are things legitimate software may do.

Ransomware?
- Step 1. Enumerate files in a directory
- Step 2. Lock and encrypt files

Information Stealers?
- Step 1. Enumerate files in a directory
- Step 2. Upload files somewhere

RATs?
- Step 1. Make program run at start
- Step 2. Execute commands (cmd, powershell, other programs)
- Step 3. Upload files somewhere

Loaders?
- Step 1. Download file from somewhere
- Step 2. Run file

Everything the malware does is just an expansion of what is explained above.

Want to find new malware techniques? Find new ways to execute a process, find new ways to enumerate files in a directory, file new ways to upload files somewhere, find new ways to download files from somewhere, find new ways to write to files or delete files, etc.

How do you do this? Read. Read everything. Blogs, Windows documentation, StackOverflow, Wikipedia, our website. Look at every DLL you find on your computer in Ida or Ghidra, just open stuff and look around. Look at other peoples work and see if you can expand on it and find something new.

tl;dr learn to code, then learn weird stuff

per 404media — most of the southern part of the United States has been banned by PornHub (and associated companies e.g. Brazzers, RedTube, YouPorn, Reality Kings, etc) due to new legislation which requires age verification.

PornHub and associates assert it will be difficult to comply with new legislation and, to avoid legal liability, have opted to simply ban and/or block some portions of the United States from their websites.

As a result of these new age verification laws, what will happen?

A. People say, "wow, pornography is not cool anyway" and stop watching pornography

B. People begin purchasing VPNs (if they can afford it) to bypass geographical bans OR if unable to afford a VPN, people begin going to more shady and less-safe websites to watch pornography

C. Law makers in the southern part of the United States have a sudden change of heart and reverse recent legislation

D. Pornography vendors have a change of heart and decide to review thousands, possibly hundreds of thousands, of United States citizens PII (and pinky promise to not sell it), and put a target on their back from Threat Actors

The malware oopsie-doopsie paradox

The more evasive techniques introduced into your payload, the more likely it be detected

The less evasive techniques introduced into your payload, the more likely it be detected

We've had a few people contact us with something along the lines of, "CISA uses your website! They did a training course and the password to the malware was infected!"

We did not set the standard of the 'infected' password. We made it more mainstream due to our follower base, but we didn't set that standard or have anything to do with it's creation.

It's been the standard for malware related stuff for over 100 years (made up number, no idea). We don't even remember how we learned the password. It's just been like that for as long as we remember.

Uploading 23,023 malwares.

Unfortunately, the malware was supposed to go live yesterday but someone pushed the malware to the wrong place in prod. The issue is being corrected.

New papers going live once this issue is resolved.

New papers added:

- 2024-11-21 - New AMSI Bypss Technique Modifying CLRDLL in Memory
- 2024-11-22 - How To Use MSSQL CLR Assembly To Bypass EDR
- 2008-08-06 - Branchless Equivalents of Simple Functions
- 2024-06-28 - An unexpected journey into Microsoft Defender's signature world
- 2024-11-14 - ETW Forensics - Why use Event Tracing for Windows over EventLog
- 2024-12-19 - The Windows Registry Adventure 5 - The regf file format
- 2024-12-24 - Constructing a Win32 Control Handler in MASM
- 2024-12-19 - Process Injection Mapped Sections
- 2024-12-13 - Disabling EDRs by File Rename Junctions
- 2024-12-20 - Weaponizing WDAC Killing the Dreams of EDR

Mikko Hyppönen, Chief Research Officer of FSecure, confirms his first known siting of the password being 'infected' was March 1st, 2001.

Please note the other password was 'hot4u'. In an alternate universe the password to malware is hot4u.