The malware oopsie-doopsie paradox

The more evasive techniques introduced into your payload, the more likely it be detected

The less evasive techniques introduced into your payload, the more likely it be detected

We've had a few people contact us with something along the lines of, "CISA uses your website! They did a training course and the password to the malware was infected!"

We did not set the standard of the 'infected' password. We made it more mainstream due to our follower base, but we didn't set that standard or have anything to do with it's creation.

It's been the standard for malware related stuff for over 100 years (made up number, no idea). We don't even remember how we learned the password. It's just been like that for as long as we remember.

Uploading 23,023 malwares.

Unfortunately, the malware was supposed to go live yesterday but someone pushed the malware to the wrong place in prod. The issue is being corrected.

New papers going live once this issue is resolved.

New papers added:

- 2024-11-21 - New AMSI Bypss Technique Modifying CLRDLL in Memory
- 2024-11-22 - How To Use MSSQL CLR Assembly To Bypass EDR
- 2008-08-06 - Branchless Equivalents of Simple Functions
- 2024-06-28 - An unexpected journey into Microsoft Defender's signature world
- 2024-11-14 - ETW Forensics - Why use Event Tracing for Windows over EventLog
- 2024-12-19 - The Windows Registry Adventure 5 - The regf file format
- 2024-12-24 - Constructing a Win32 Control Handler in MASM
- 2024-12-19 - Process Injection Mapped Sections
- 2024-12-13 - Disabling EDRs by File Rename Junctions
- 2024-12-20 - Weaponizing WDAC Killing the Dreams of EDR

Mikko Hyppönen, Chief Research Officer of FSecure, confirms his first known siting of the password being 'infected' was March 1st, 2001.

Please note the other password was 'hot4u'. In an alternate universe the password to malware is hot4u.

> go to computer store
> computer store guy recommends norton antivirus
> tell him no thank you
> says viruses and malware is dangerous
> tell him i want the malware

his reaction

New paper additions:

- 2024-07-31 - LayeredSyscall - Abusing VEH to Bypass EDRs
- 2024-03-31 - Syscalls via Vectored Exception Handling
- 2022-02-03 - RecycledGate - Indirect Syscalls
- 2016-11-04 - Windows 10 Hooking Nirvana explained

In 2025 thus far we have lost 2 sponsors — potentially 3 sponsors.

Chat, we are cooked

That equates to roughly $3,900 of monthly revenue.

Chat, we are absolutely cooked

Shoutout to the homies at "IObit Malware Fighter".

Their IMFForceDelete driver is so wildly vulnerable, and poorly written, you can have their driver arbitrarily delete any file on the machine with 0 privileges and literally 1 line of code

Thanks _mmpte_software for sharing

We're so back 🙏

But in all seriousness, this is cooked. Also, driver is signed. Throw in the pile of crappy poo poo pee pee drivers

https://gist.github.com/alfarom256/f1342f14dc6a742de7ea4004a1b6d7ed

Hello,

We're now experimenting with the vx-underground talk show.

The show format is anyone can hop in and ask questions, make comments, or just say "Hello". Additionally, we have have featured guests that we will be speaking with.

In the following weeks we will have the following guests:

- TorGuard - Tor(rent)Guard, massive VPN provider that is competitors with vendors like NordVPN and Mullvad. They have massive infrastructure all across the globe. Their CEO will be there to speak about VPN technologies, VPN companies, potential Threat Actor-like behavior from VPNs, and more.

- HackingDave - CEO of TrustedSec, world famous hacker dude man person who appears on media outlets, has been involved in cybersecurity longer than most of you have been alive. He is a bit of lunatic for lifting up heavy stuff. He also owns, or co-founded, BinaryDefense and also a gym somewhere on Ohio.

- Gootloader - World leading expert on Gootloader botnet and initial access group. Gootloader has been following Gootloader for years, tracking, documenting, and reverse engineering their malware. He has established ties with them to several large scale ransomware groups.

- _MG_ - The one and only MG, the creator of the (in)famous OMG cable, a physical hacking tool developed for pentesters which, interestingly, is banned in several countries. His tools are sold on Hak5. He is a hardcore hardware hacker person guy thing

- RachelTobac - CEO of SocialProofSecurity, massive company which provides security training and security awareness to companies across the globe. Rachel has been on CNN, and other large media outlets, in the past for demonstrating how basic social engineering techniques can compromise large vendors. She also works closely with CISA on stuff, somewhere.

Hello,

1. Kitty cat archive is scheduled to go live soon-ish. Several million kitty cats are good to go

2. We have 241 malware reverse engineering papers in queue to be pushed to vx-underground prod.

Today Mark Zuckerberg announced the introduction of some fairly large changes to Facebook, Instagram, and Threads.

First and foremost, Mr. Zuckerberg is dressing strange and it is confusing.

Secondly, and most importantly: Mr. Zuckerberg said Meta (Facebook, Instagram, and Threads) will now make free speech a priority. They're "dialing back" content moderation systems for a majority of posts and media. They'll be removing "fact checkers" from their platform. Moving forward the websites owned under Meta will have Community Notes — acting the same as X currently does. Mr. Zuckerberg also expressed concern with bias (internally or externally) and announced employees will be relocating to Texas. Mr. Zuckerberg states he believes Texas to be non-biased and more open to free speech.

We believe this poses a significant problem because X in of itself runs rampant with misinformation and/or disinformation campaigns from not only conspiracy theorists, but state-sponsored Threat Actors. We cannot comment on the validity and/or bias of the fact-checking system under the Meta brand (we don't use any of their social media platforms), but we believe relying on community notes and user feedback reports can be difficult to work with and are often insufficient.

Or maybe it doesn't matter and we should let people do whatever they want and let them think critically for themselves

We're witnessing the evolution of ransomware.

Yesterday someone informed us of the existence of the new TTP of AWS S3 extortion. More specifically, Threat Actors abusing the Amazon Key Management Service (KMS) to encrypt company AWS buckets (or any cloud provider).

We have never heard of this until yesterday.

RhinoSecurity wrote a paper on AWS S3 extortion, the methodology in which it's deployed, and wrote a simple AWS CLI noscript to accomplish the task.

It's 25 lines of Python code.

You can read the paper here:

https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/

2025 is not cool and it is not badass.

We're currently having a dispute with our hosting provider. We have 23TB of storage, 75TB egress, and 30TB cached from Cloudflare.

They do not like us consuming so much stuff

2025 is not cool and is not badass.

Staff member b0t is evacuating from his home in California due to wildfires. On the other side of the United States, staff member Bradley is facing tragedy. His Father has lung cancer, emphysema, and was diagnosed with acute pneumonia.

Cybersecurity classes crazy nowadays. We never learned this stuff

Hello,

When we announced we're facing potential termination from our hosting provider we received dozens of messages and overwhelming support. Thank you.

We are happy to announce we're getting our own dedicated infrastructure soon thanks to our friends over at TorGuard.

To make a long story short, thanks to them we're getting bigboi equipment and bigboi machines. Our bandwidth and resource capabilities will be exponentially better than before. Lots of exciting news coming.

tl;dr faster speeds, more malware source code, more malware samples, and more malware papers

tl;dr tl;dr we gettin big