stasi @sta5i

53 posts

ministry of state security - Staatssicherheit email: stasi(at)tfwno(dot)gf - new delhi.

Joined April 2025
129 Following, 12 Followers
BreakGlass Intelligence @BreakGlassIntel

Full write-up with YARA rules, MITRE ATT&CK mapping, complete 79-domain IOC list, and all recovered payload source: intel.breakglass.tech/post/kimsuky-c… Prior art: @AaboreSec documented bootservice.php endpoint names in 2024. @huntaboratory documented "Million OK" in Dec 2024. This is the first public recovery of the full payload source code. Reply or DM if you've published on this cluster — we'll credit. #Kimsuky #APT43 #DPRK #ThreatIntel
BreakGlass Intelligence @BreakGlassIntel

We dumped a live Kimsuky C2 and recovered every stage of the kill chain — recon, persistence, and a complete PowerShell keylogger — all source code, straight off the server. The actor left directory listing enabled. Here's everything we found before they rotate. h/t @h2jazi @smica83
stasi @sta5i

[two image attachments, no text]
DebugPrivilege @DebugPrivilege

I'm looking to hire an intern who wants to solve real-world cybersecurity challenges. This includes examples such as analyzing data, identifying gaps, and driving improvements that directly impact our organization. Location: US / Poland (Krakow). DM me if you know someone.
stasi @sta5i

github.com/Stendrmatm This user on GitHub is suspicious, poisoning repos to come out on top of search results, like Stendrmatm/Muck-Stealer. Nothing suspicious found in the repos yet. cc: @RussianPanda9xx
stasi @sta5i

@LeighGi66657535 But that is for development. How do I go about hunting for vulnerable programs and looking for an exploitable path? Should I learn binary exploitation and fuzzing?
stasi @sta5i

@LeighGi66657535 I am well versed in x86/x64 assembly, C, and Windows internals.
idk @Mythical_Amra

🤙
vx-underground @vxunderground

Chat, I've done it. I've managed to get Windows Sockets (Winsock) functionality working by communicating directly with AFD (Ancillary Function Driver for WinSock) via IO control codes AND used it with HTTPS by using SSPI (Microsoft Security Support Provider Interface). This completely eliminates the need for WININET or WINHTTP for malware payloads. It also removes the weird telemetry and ETW stuff present in Winsock, WININET, and WINHTTP.

My code is still in a debug state at the moment, but I'll eventually release a non-fucked-up version (no SYSCALLs, no position independence) so people can look at it, study it, or review it. Currently this only supports GET requests for simple pages (not even file downloads...). However, I'm having so much fun with this I think I am going to expand on it to do the following:
- HTTPS authentication
- HTTPS upload
- HTTPS download
- ???

I'll make it all open source, non-crazy, in a format people can copy pasta and have fun with. I'll also probably make a fork where it's the crazy schizo version. I hope all my malware development friends, reverse engineer friends, and anime friends look at it and appreciate it. This is some of my favorite code I've written and I think it has a lot of applicability to red team engagements. Conversely, it also offers insight to defenders on detecting this sort of functionality.
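The post above closes on the defender angle. The block below is an added example (Python), not vx-underground's code and not anything the post's author has released: a hunt heuristic for the fingerprint that direct-AFD networking leaves behind. A payload that drives \Device\Afd with IO control codes and does TLS through SSPI never has to load ws2_32.dll, mswsock.dll, wininet.dll or winhttp.dll, so a process that holds an AFD handle while none of those modules is mapped stands out. The snapshot shape (pid, image, loaded modules, open handles) is an assumption about what a handle/module dump from tools such as Sysinternals handle.exe and listdlls.exe would be normalised into; the sample processes are constructed for the demo, not captured from a real host.

```python
"""Hunt heuristic: processes that hold a \\Device\\Afd handle but have no
user-mode Winsock/HTTP DLL loaded.

Constructed example, not vx-underground's code. The snapshot format is an
assumption (what a normalised handle + module dump might look like); the
sample data is made up for the demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# User-mode modules a conventional socket/HTTP(S) client ends up loading.
WINSOCK_MODULES = {"ws2_32.dll", "mswsock.dll", "wininet.dll", "winhttp.dll"}

# The System process (PID 4) hosts kernel-mode network consumers that hold AFD
# handles without any user-mode DLLs; skip it to avoid a guaranteed false hit.
KERNEL_PIDS = {4}


@dataclass(frozen=True)
class ProcessSnapshot:
    pid: int
    image: str
    modules: Set[str]                      # lower-case base names of mapped DLLs
    handles: Tuple[Tuple[str, str], ...]   # (handle type, object name)


def has_afd_handle(proc: ProcessSnapshot) -> bool:
    """Socket handles show up as File objects named \\Device\\Afd[...]."""
    return any(htype == "File" and name.lower().startswith("\\device\\afd")
               for htype, name in proc.handles)


def uses_winsock_stack(proc: ProcessSnapshot) -> bool:
    """True if any of the usual user-mode socket/HTTP DLLs is mapped."""
    return bool(WINSOCK_MODULES & {m.lower() for m in proc.modules})


def find_direct_afd_users(snapshot: Iterable[ProcessSnapshot]) -> List[int]:
    """PIDs that talk to AFD yet have no user-mode socket/HTTP DLL loaded."""
    return sorted(p.pid for p in snapshot
                  if p.pid not in KERNEL_PIDS
                  and has_afd_handle(p)
                  and not uses_winsock_stack(p))


# Constructed sample snapshot: four processes, one of them the suspect.
SAMPLE_SNAPSHOT = [
    ProcessSnapshot(4, "System", set(), (("File", "\\Device\\Afd"),)),
    ProcessSnapshot(1337, "chrome.exe",
                    {"ntdll.dll", "kernel32.dll", "ws2_32.dll", "mswsock.dll"},
                    (("File", "\\Device\\Afd"), ("File", "\\Device\\Afd\\Endpoint"))),
    ProcessSnapshot(2001, "notepad.exe",
                    {"ntdll.dll", "kernel32.dll", "user32.dll"},
                    (("Key", "\\REGISTRY\\MACHINE\\SOFTWARE"),)),
    # Only ntdll plus the SSPI client libraries mapped, yet it owns a socket:
    # the shape a direct-AFD + SSPI HTTPS client would leave behind.
    ProcessSnapshot(4242, "updater.exe",
                    {"ntdll.dll", "kernel32.dll", "sspicli.dll", "secur32.dll"},
                    (("File", "\\Device\\Afd"), ("Key", "\\REGISTRY\\USER"))),
]

if __name__ == "__main__":
    for pid in find_direct_afd_users(SAMPLE_SNAPSHOT):
        proc = next(p for p in SAMPLE_SNAPSHOT if p.pid == pid)
        print(f"suspect pid={pid} image={proc.image} modules={sorted(proc.modules)}")
```

Treat a hit as a hunt lead, not a verdict: an operator who loads ws2_32.dll purely as decoration defeats the module check, and the kernel-side providers (Microsoft-Windows-TCPIP, for one) still observe the connection itself, so correlating the flagged PID against network flow telemetry is the natural next step.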
stasi @sta5i

@J3rge Unless you are admin, you can't, because calc resides in System32.
stasi @sta5i

@J3rge What difference does it make? That's just backdooring with source code.
vx-underground @vxunderground

I had this idea to do HTTPS stuff in C using the Windows Sockets API (Winsock). I did it. I got it working. I was able to verify an SSL cert, do a GET, do a POST octet binary stream thingy to upload a simple file (unironically testing using a picture of a cat). After I got it working I decided to do what I always do: make it more malware-like. I decided I wanted to poke Windows with a stick, make the code position independent, and make it function as close to the metal as possible. What happened next cannot be described as a "rabbit hole". I have fallen into an infinite abyss, a fucking Windows internals chasm. I am looking at things in Windows I have never looked at before. I am scared, confused, intrigued, ... but mostly confused (and lost). ReactOS, x86matthew, some weird French guy (can't remember his name), and random nerds on OSR have done unholy work and really dug into it. They deserve a lot of credit for walking knee deep in Windows sludge.
stasi @sta5i

@HSVSphere That is for the receiving end only.
HSVSphere @HSVSphere

Did you know you can get a linux[dot]com email alias by donating money to the Linux Foundation? In other words, email labubu@linux.com
stasi @sta5i

@Octoberfest73 Does process injection work against Bitdefender EDR?
Octoberfest7 @Octoberfest73

Proud of this. 2 min long GIF but:
- Support for routing additional APIs through BeaconGate
- All BOFs are hooked before execution, so any use of a BeaconGate/ExtendedBG API will route through BeaconGate without requiring modification/recompiling

Update coming to the UDRL course!

[GIF attachment]