vx-underground – Telegram
vx-underground
The largest collection of malware source, samples, and papers on the internet.

Password: infected

https://vx-underground.org/
Employees going onto social media to express confusion over their network being hit by Qilin ransomware

Indeed, "Fun day at the office"
February 23rd, 2025, an unknown Threat Actor(s) compromised a North Korean ... whois record (maybe?), not entirely sure what we're looking at.
Attachment: winrt_async.cpp (7.2 KB)
Copy pasta from X-article so you don't need to use Xitter.

Title: Creating "Ransomware" Using WinRT

This isn't "ransomware".

This is the blueprint for a ransomware testing payload for a "Purple Team" scenario. I am curious about EDR visibility into WinRT (Universal Windows Platform (UWP) apps) — so I crafted a C++ application, which strictly uses WinRT functionality from WINAPI-like C++, compiled as a WIN32 app, to see how it looks.

This proof-of-concept is essentially a glorified asynchronous file string console printer. What makes it unique is that it relies entirely on WinRT from a Win32 app.

WinRT possesses the ability to encrypt files. I opted not to introduce file encryption functionality (although it would be bare-bones, plain password-protected) into this proof-of-concept because I think ransomware in general is highly susceptible to abuse even in its most basic forms.

Regardless, I think this code is interesting and I wanted to share it. Maybe it'll inspire someone else to review WinRT more, or someone will pick up this code and experiment with it in an enterprise environment.

- smelly smellington
Today Mikhail Matveev a/k/a "Wazawaka" a/k/a "RansomBoris" was sentenced for ransomware-like cybercrime charges in Russia.

Previously, Mr. Matveev acted as the leader of Babuk ransomware group (before shutting down the operation), was a member of Lockbit ransomware group, Conti ransomware group, HIVE ransomware group, and BlackMatter ransomware group. Mr. Matveev was prolific in the ransomware ecosystem and is believed to be behind several high profile ransomware attacks, including ransoming police departments and critical infrastructure in the United States (and abroad, to other European allies of the United States government).

The infamous Wazawaka, FBI Most Wanted, was sentenced to 18 months of "limited freedom". "ограничение свободы" in the Russian Federation penal code is a lesser form of criminal punishment which acts similarly to house arrest in the United States.

Restrictions:
- Curfew
- Travel restrictions (cannot leave city or region)
- Contact with probationary officer for check-ins
- Social and/or employment restrictions — prohibited from visiting places such as bars, nightclubs, protests, gambling establishments

Special thanks to ddd1ms for sharing updates on the court case and providing information on the final verdict
vx-underground, replying to: "Today Mikhail Matveev a/k/a "Wazawaka" a/k/a "RansomBoris" was sentenced for ransomware-like cybercrime charges in Russia. Previously, Mr. Matveev acted as the leader of Babuk ransomware group (before shutting down the operation), was a member of Lockbit…"
tl;dr makes hundreds of millions, fbi most wanted, europol most wanted, was sentenced by russian gov to 18 months of probation, can't go to bars and has to be home by 8pm
vx-underground, replying to: "Employees going onto social media to express confusion over their network being hit by Qilin ransomware. Indeed, "Fun day at the office""
After this post we received a follow-up with the individual who posted this image on social media.

This person works at a small US-based car dealership. They don't have an IT department. They don't know how it happened. They were told to remain at home until otherwise specified.
Today Citigroup, the 3rd largest bank in the United States, made the largest oopsie-doopsie banking typographical error in history.

Citigroup was supposed to credit a customer with $280

Citigroup instead accidentally sent the customer $81,000,000,000,000
mfw someone gets a free $81,000,000,000,000
RIP to the homie Skype 🙏

Skype is on life-support. Microsoft confirmed they're pulling the plug May 5th, 2025.

August 29th, 2003 - May 5th, 2025
vx-underground, replying to: "RIP to the homie Skype 🙏 Skype is on life-support. Microsoft confirmed they're pulling the plug May 5th, 2025. August 29th, 2003 - May 5th, 2025"
We missed the Skype hype. When Skype was popular, we were still arguing on Freenode, but we are told many noobies got their introduction to nerd shit from Skype.

Go'bless
Congratulations to Mr. Elon Musk on the birth of his 14th child.

He now has more kids than the number of people I talk to in real life.
Hi, administrative updates.

1. We're still migrating the virus-dot-exchange database. It has taken us over 30 days. Why? I don't feel like explaining, but believe it or not this is the fastest we can move malware for the time being. It needs to be made clear that this is individual malwares, this is not the bulk downloads people prefer. All those giant .7z files you pull are already moved, live, and available for download.

What we're doing now is moving every single malware individually.

We've moved 9,415,637 malwares. We still have quite a bit to go. We're moving probably 500,000 - 1,000,000 a day from one backend to another.

2. We've got a lot of papers and malwares in queue. We haven't added them yet because I REALLY want to finish this fuckin' database migration. I am allocating 100% of resources to moving this malware so it's done and I can forget about this nightmare.

3. Despite our constant growth (on social media and our malware library), we've lost a considerable amount of monthly donors and sponsors. We've lost 2 sponsors and probably 30+ individual monthly donors. Every person has cited they simply do not have the financial means to donate to us for the time being. We have money to keep our heads above water, but if you'd like to help us, please consider throwing us some money. I strongly dislike begging for money on social media.

Have a nice morning, noon, or night
-smelly smellington
As we've been exploring Discord cybersecurity servers here is what we've learned:

- Every Discord is the BEST server for {HACKER_THING}
- Every Discord does {THING} weekly
- Every Discord is noob friendly (as opposed to openly discriminating against uneducated people)
- Every Discord tagged "cybersecurity" will NOT discuss malware (it's illegal and for nerds)
- Highest displayed people must have weird font in their display names, making them difficult to read or impossible to tag
- Everyone is "extremely busy" but on Discord all day, everyday, nonstop, and providing updates on how extremely busy they are
- Everyone who is a "hacker" has a flashy and cool Discord profile (they paid $15.99 for it)
- Everyone is an OSINT expert
- Everyone is a programming expert
- Everyone is a Linux expert
- Everyone is an omnipotent being, capable of bending space and time
- Everyone is top 1% of HTB
"WE TEACH OFFENSIVE SECURITY: MASTER THE DARK ARTS AND BECOME 1337 HACKER (except malware, malware is pure evil, a dark art that should not be taught)" — hacker courses
We received this message on Telegram.

All of us are in our 30s, some are indeed closer to 40 years old. To put it into perspective, I've been coding for 19 years. Based on this message, there is a high probability I've been coding longer than they've been alive.

¯\_(ツ)_/¯