This year we're starting off strong.
First and foremost, we've got some new sponsors. Our friends over at Binary_Defense and TrustedSec have helped us out tremendously lately. We'd especially like to thank HackingDave for helping the little nerds out and keeping malware cool and badass (and free) forever and ever. We'll be listing them on the website later.
Next up: we're working with our friends at TorGuard VPN to expand our infrastructure. They have a lot of (and quite honestly, a disturbing amount of) computational resources. We will be working with them for 2 things.
1. Widespread cat picture aggregation.
2. Widespread malware ingestion.
Next, next, on the other side of the autism spectrum: our in-house software engineer guessthepw is working on constructing a kitty cat photo database. All cats ingested will be available to browse, download, whatever.
People have asked: "smelly smellington, what's your end game with these cats?". The answer is very shrimple: no idea, thought of it while using the restroom.
Let's see where this wacky adventure takes us. Maybe in a few years it'll be bigger than vx-underground and we can use it to fuel our malware addiction. Or, alternatively, nothing will happen and the project will be dead in a year. Let's see what happens! Sometimes in life you gotta do just a thing, see if it fails, or succeeds, or what happens.
We've got lots of work to do in 2025.
Finally, as is tradition, we've got more malware to add, more malware papers to add, lots and lots of stuff. Very cool.
Thanks,
- smelly smellington
One thing noobie scoobies don't seem to understand is that malware is literally just software. Understandably, that seems kind of obvious, it's in the name — 'malicious software'. But it seems less obvious to some that, in order to write malware, you apply the exact same principles, techniques, and structures that legitimate software uses.
Malware is regular ol' programming with some sprinkles of weird stuff. These weird things are documented and shared. Some try to find new weird things.
When people ask what language is best for malware... it's kind of like asking 'what's the best ice cream flavor?'. It's entirely subjective. Everyone will tell you something different. You'll notice a lot of people will prefer Chocolate or Vanilla, you may encounter some who like Raspberry Banana Sprinkle Jam-Blam Blast, or Minty Schminty SpongeBob Sticks Bombs, but at the end of the day it's all still ice cream.
In its most simple form, all malware techniques are things legitimate software may do.
Ransomware?
- Step 1. Enumerate files in a directory
- Step 2. Lock and encrypt files
Information Stealers?
- Step 1. Enumerate files in a directory
- Step 2. Upload files somewhere
RATs?
- Step 1. Make program run at start
- Step 2. Execute commands (cmd, powershell, other programs)
- Step 3. Upload files somewhere
Loaders?
- Step 1. Download file from somewhere
- Step 2. Run file
Everything the malware does is just an expansion of what is explained above.
Want to find new malware techniques? Find new ways to execute a process, find new ways to enumerate files in a directory, find new ways to upload files somewhere, find new ways to download files from somewhere, find new ways to write to files or delete files, etc.
How do you do this? Read. Read everything. Blogs, Windows documentation, StackOverflow, Wikipedia, our website. Look at every DLL you find on your computer in IDA or Ghidra, just open stuff and look around. Look at other people's work and see if you can expand on it and find something new.
tl;dr learn to code, then learn weird stuff
per 404media — most of the southern part of the United States has been banned by PornHub (and associated companies e.g. Brazzers, RedTube, YouPorn, Reality Kings, etc) due to new legislation which requires age verification.
PornHub and associates assert it will be difficult to comply with new legislation and, to avoid legal liability, have opted to simply ban and/or block some portions of the United States from their websites.
As a result of these new age verification laws, what will happen?
A. People say, "wow, pornography is not cool anyway" and stop watching pornography
B. People begin purchasing VPNs (if they can afford it) to bypass geographical bans OR if unable to afford a VPN, people begin going to more shady and less-safe websites to watch pornography
C. Lawmakers in the southern part of the United States have a sudden change of heart and reverse recent legislation
D. Pornography vendors have a change of heart and decide to review thousands, possibly hundreds of thousands, of United States citizens' PII (and pinky promise to not sell it), and put a target on their back from Threat Actors
The malware oopsie-doopsie paradox
The more evasive techniques introduced into your payload, the more likely it is to be detected
The less evasive techniques introduced into your payload, the more likely it is to be detected
We've had a few people contact us with something along the lines of, "CISA uses your website! They did a training course and the password to the malware was infected!"
We did not set the standard of the 'infected' password. We made it more mainstream due to our follower base, but we didn't set that standard or have anything to do with its creation.
It's been the standard for malware related stuff for over 100 years (made up number, no idea). We don't even remember how we learned the password. It's just been like that for as long as we remember.
New papers added:
- 2024-11-21 - New AMSI Bypass Technique Modifying CLRDLL in Memory
- 2024-11-22 - How To Use MSSQL CLR Assembly To Bypass EDR
- 2008-08-06 - Branchless Equivalents of Simple Functions
- 2024-06-28 - An unexpected journey into Microsoft Defender's signature world
- 2024-11-14 - ETW Forensics - Why use Event Tracing for Windows over EventLog
- 2024-12-19 - The Windows Registry Adventure 5 - The regf file format
- 2024-12-24 - Constructing a Win32 Control Handler in MASM
- 2024-12-19 - Process Injection Mapped Sections
- 2024-12-13 - Disabling EDRs by File Rename Junctions
- 2024-12-20 - Weaponizing WDAC Killing the Dreams of EDR
vx-underground
In 2025 thus far we have lost 2 sponsors — potentially 3 sponsors. Chat, we are cooked
That equates to roughly $3,900 of monthly revenue.
Chat, we are absolutely cooked
vx-underground
Shoutout to the homies at "IObit Malware Fighter". Their IMFForceDelete driver is so wildly vulnerable, and poorly written, you can have their driver arbitrarily delete any file on the machine with 0 privileges and literally 1 line of code. Thanks _mmpte_software…
We're so back 🙏
But in all seriousness, this is cooked. Also, driver is signed. Throw in the pile of crappy poo poo pee pee drivers
https://gist.github.com/alfarom256/f1342f14dc6a742de7ea4004a1b6d7ed
Hello,
We're now experimenting with the vx-underground talk show.
The show format is anyone can hop in and ask questions, make comments, or just say "Hello". Additionally, we have featured guests that we will be speaking with.
In the following weeks we will have the following guests:
- TorGuard - Tor(rent)Guard, a massive VPN provider that competes with vendors like NordVPN and Mullvad. They have massive infrastructure all across the globe. Their CEO will be there to speak about VPN technologies, VPN companies, potential Threat Actor-like behavior from VPNs, and more.
- HackingDave - CEO of TrustedSec, world famous hacker dude man person who appears on media outlets, has been involved in cybersecurity longer than most of you have been alive. He is a bit of a lunatic for lifting up heavy stuff. He also owns, or co-founded, BinaryDefense and also a gym somewhere in Ohio.
- Gootloader - World leading expert on the Gootloader botnet and initial access group. Gootloader has been following Gootloader for years, tracking, documenting, and reverse engineering their malware. He has established ties with them to several large-scale ransomware groups.
- _MG_ - The one and only MG, the creator of the (in)famous OMG cable, a physical hacking tool developed for pentesters which, interestingly, is banned in several countries. His tools are sold on Hak5. He is a hardcore hardware hacker person guy thing.
- RachelTobac - CEO of SocialProofSecurity, massive company which provides security training and security awareness to companies across the globe. Rachel has been on CNN, and other large media outlets, in the past for demonstrating how basic social engineering techniques can compromise large vendors. She also works closely with CISA on stuff, somewhere.