throwaway_account_67
@67_throwaway

62 posts

Joined December 2025
15 Following, 1 Followers
Dodge This Security
Dodge This Security@shotgunner101·
@67_throwaway @EricParker Send me DMs or post the screenshots here of what you found that was malicious in the code. I'll buy the game for the $2 if it looks like it might be malicious and then analyze it 👀
throwaway_account_67 reposted
Eric Parker
Eric Parker@EricParker·
PSA: Beyond The Dark (APPID: 3393800) on Steam is malware. Hidden in the unitydll is a dropper which then downloads more malware from a C2 based on what programs and chrome extensions you have (targeting crypto / defi wallets).
Eric Parker tweet media
throwaway_account_67
throwaway_account_67@67_throwaway·
@akaclandestine How does someone make a RAT with that many features yet the UI looks worse than Dark Comet which is like 2 decades old at this point. 😞
Clandestine
Clandestine@akaclandestine·
🚨 CTI ALERT – HIGH-RISK THREAT
Threat Intelligence confirms the April 2026 launch of a highly sophisticated new private Windows Remote Access Trojan: FALKONc2 (ROTEMELLI stubs). Developed entirely from scratch in C++ + MASM64, 100% fileless (operates exclusively in memory), with ultra-lightweight stubs of 23-35 KB and zero third-party code. Full focus on advanced evasion and long-term persistence. 1/5

Two strategic variants:
• ROTEMELLI1 (Consumer targets) – €249/month: Bypasses 50+ AVs | HTTP + custom encryption (mm4/ChaCha20) | Weekly C2 domain rotation
• ROTEMELLI2 (Corporate targets) – €1,499/month: Bypasses 50+ EDR/XDR | DNS + HTTP (+ ICMP on legacy systems) | C2 rotation every 72 hours 2/5

Critical confirmed capabilities:
• Silent HVNC/RMM + remote shell
• Advanced local network reconnaissance (SMB, FTP/SSH/RDP)
• Active Directory, QuickBooks & Sage50 detection
• Automatic privilege escalation + kernel-mode BSOD
• Synchronous 1080p screen capture + GPS tracking
• Resident loader + custom Builder/Morpher (latest MM12 version)
• x86/x64/ARM64 support + custom icon
No public samples or IOCs available — the seller explicitly prohibits uploads to any public scanners. 3/5

Professional MaaS sales model: Sold exclusively via Telegram and select underground forums after rigorous buyer verification. Geographic restrictions apply (no CIS countries or Japan). Elevated risk to corporate environments due to next-generation EDR/XDR evasion and long-term stealth persistence. 4/5

Immediate recommendation for SOC and Threat Hunting teams:
• Prioritize behavioral detection of fileless execution and memory injection
• Monitor anomalous low-footprint DNS/HTTP/ICMP traffic
• Keep EDR/XDR behavioral analytics rules fully updated
Stay vigilant. Full technical report and deep-dive analysis available upon request. 5/5
#CyberSecurity #ThreatIntelligence #Malware #RAT #EDR #XDR #FilelessMalware #InfoSec #CyberThreat #APT #DarkWeb #C2 #CyberDefense #WindowsSecurity
Clandestine tweet media
throwaway_account_67 reposted
Clandestine
Clandestine@akaclandestine·
🚨 Critical Linux Kernel Vulnerability Alert
Qualys has disclosed ssh-keysign-pwn: a 6-year race condition in __ptrace_may_access() that lets unprivileged local users read root-owned files. A privileged process (e.g. ssh-keysign or chage) opens sensitive FDs. During do_exit(), after exit_mm() (mm=NULL) but before exit_files(), pidfd_getfd() can steal those FDs.
Impact:
• Theft of host SSH private keys → real impersonation & MitM risk until keys are rotated
• Full read access to /etc/shadow → offline password cracking
Affected: All kernels before 31e62c2ebbfd (May 14, 2026) — Ubuntu, Debian, Arch, CentOS, Raspberry Pi OS and more.
Immediate action required: Apply the kernel patch NOW.
🔗 PoC: github.com/0xdeadbeefnetw…
🔗 Patch: git.kernel.org…/31e62c2ebbfd
🔗 Full analysis: Phoronix & Qualys oss-security
#LinuxSecurity #KernelVulnerability #CyberSecurity #InfoSec #OpenSSH #PrivilegeEscalation #ThreatIntelligence #Linux #CyberThreat #PatchNow
throwaway_account_67
throwaway_account_67@67_throwaway·
@weezerOSINT Yeah, AMD drivers are crazy full of bugs/perfect for LoL. I was shocked to see how much they can do when REing one earlier.
impulsive
impulsive@weezerOSINT·
So the AMD response came in. They're not issuing a CVE or any kind of advisory for it. A driver with 18 entry points into your hardware, physical memory read/write, complete machine control, signed by both AMD and Microsoft, sitting on Razer's public website for who knows how long. And they don't want a tracking number on it because "it's not customer-facing." It was literally on the download page for the Razer Blade 16. AMD paid Microsoft to certify it safe for consumer PCs. That's what WHQL means. You go through a whole certification process specifically to run on customer machines. But sure. Not "customer-facing". Their entire fix was asking Razer to delete the link. Driver's still signed. Still works. I put it on the LOLDrivers blocklist myself because somebody had to.
impulsive tweet media
impulsive@weezerOSINT

AMD is shipping a vulnerable kernel driver in the Razer Blade 16 BIOS updater. It's sitting in the same folder as ANOTHER vulnerable driver that's been publicly known and documented as dangerous for years. Both are signed. Both can be weaponized by malware to bypass your antivirus, take complete control of your computer from the inside, read anything stored in memory including passwords and crypto wallet keys, and load ransomware/malware without your PC putting up a fight. This is exactly what ransomware/malware operators and state-backed groups hunt for every single day.

throwaway_account_67 reposted
Ryan M
Ryan M@Grimdoomer·
New blog post on reverse engineering and modifying HDD firmware. In this part I cover obtaining, analyzing, and modifying firmware, using backdoor commands to hot patch code in RAM, and using JTAG to debug a live HDD icode4.coffee/?p=1465
throwaway_account_67
throwaway_account_67@67_throwaway·
@busslighte @ChaoticEclipse0 I think a lot in cybersec are paying that price tbh, either from imposter syndrome, or the anxiety of how AI may take their jobs etc. I wish there was some solution or advice I could give them. 😞 You are 100% right though, in case I sound like I'm disagreeing.
buss
buss@busslighte·
@67_throwaway @ChaoticEclipse0 Fair point. But it’s a heavy price to pay for a perspective. Most want the knowledge, few are willing to become an exile for it. In the end, I admire him. Takes massive guts to go that far.
throwaway_account_67
throwaway_account_67@67_throwaway·
@chompie1337 Proving doubters wrong is 1000% more inspiring than the fake encouragement most give off. Crazy how many in cybersec are just like that AI model.
chompie
chompie@chompie1337·
Claude helped me with this bug too but in a different way... Tried to gaslight me saying it wasn’t ~exploitable in practice~ and I got obsessed with proving it wrong 😩
TrendAI Zero Day Initiative@thezdi

Confirmed! @chompie1337 of IBM X-Force Offensive Research (XOR) used a race condition to escalate privileges on Red Hat Enterprise Linux for Workstations, earning $20,000 and 2 Master of Pwn points. #Pwn2Own #P2OBerlin

throwaway_account_67
throwaway_account_67@67_throwaway·
@calif_io Amazing work, I hope you don't stop learning and working. The passion/effort is inspiring.
Calif
Calif@calif_io·
Early this week, we had a meeting at Apple Park in Cupertino. While there, we also shared with Apple our latest vulnerability research report: the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE. It was laser printed, in honor of our hacker friends. Full story: open.substack.com/pub/calif/p/fi…
Calif tweet media
throwaway_account_67
throwaway_account_67@67_throwaway·
@deadvolvo If you need anyone to test the payloads, feel free to send 'em over. I got no WAF to test, but I'd enjoy the research. 😇
d3d aka dead (dead, мёртв, 死了)
Guys... stop with all the heap-spray bugs already attacking 80/443. I have to triage all of these. 😜 Over the last two days I have re-created multiple Critical Severity CVEs without a public working PoC just to verify our WAF blocks it.
buss
buss@busslighte·
@67_throwaway @ChaoticEclipse0 Sure, but is following that path worth it? People like him are vital, they’re the only ones holding corps accountable, but agencies must be fuming, YellowKey feels like a Golden Key hidden in WinRE for years. Burning a backdoor like that has a high price.
throwaway_account_67
throwaway_account_67@67_throwaway·
@C2IRIS That's because they know this isn't a circus you need to dress like a clown and perform in. "Eyes on the Prize" mentality. That, and the last thing you want is the attention of APTs/other countries etc.
throwaway_account_67
throwaway_account_67@67_throwaway·
@busslighte @ChaoticEclipse0 I think to even want to be in cybersec for what it means, you already have to have really strong feelings about the world and wanting to make it a better place. Having to deal with corpos etc. directly isn't something that would positively contribute to that, imo.
buss
buss@busslighte·
@67_throwaway @ChaoticEclipse0 This is total madness, I can imagine how paranoid he must be feeling, like SandboxEscaper 2.0, damn, they should have just given him what he deserved, a genius who will now be persecuted for the rest of his career.
throwaway_account_67
throwaway_account_67@67_throwaway·
@0xocdsec I've heard some fun rumors on who has their hands in systemd and SELinux. But that's just gossip 😌 The rest of that sounds solid af tho.
throwaway_account_67
throwaway_account_67@67_throwaway·
@0xocdsec Apple is pretty good at patching, especially in the summer of '24; man, that fried a lot of good research.
throwaway_account_67
throwaway_account_67@67_throwaway·
@bl4sty I am feeling really quirky rn to mention the jscript engine in MSHTA is easy to overflow 🤣
blasty
blasty@bl4sty·
I feel the traditional "responsible disclosure" concept has been broken since its inception. You can argue that forcing everyone's hand by dropping (weaponized) bugs/exploits is reckless/harmful behavior or blablabla, but I feel you have to keep in mind everyone's stakes/motivation in the game are different.

One thing I guess we can agree on: people sit on bugs/exploits all the time. Sometimes because ZDI promises a big bag of money at the end of the rainbow that magically evaporates, and sometimes because they don't want to disclose these things and use them tactfully for their own advantage/goals.

I've always felt forcing this acceleration will (hopefully) get the software landscape in better shape, faster, albeit in a messy way. The noise it creates, however, could be a good signal for people to get an idea of the overall security posture of a piece of software, as well as get a good idea of how a vendor handles disclosures that don't follow their made-up fairytale non-enforceable policies (that typically don't come with any kind of silver lining).

Back then, you could be damn sure that another horde of teenagers grep'd the same src tree for memcpy and was probably also sitting on an exploit. Today the same applies; anyone can out-slop you producing the next Linux LPE after brad tweets out a commit ID.

Remember: as a researcher you don't owe the vendor anything. You don't owe the public anything either. If you did this work for free, it's yours to publish in whatever way suits your needs, agenda or overall quirkiness. :)
Luke Stephens (hakluke)@hakluke

I'm seeing this question being asked a lot! I think the traditional 90+30 day responsible disclosure standard is dead (or should be). It's too dangerous to be holding onto vulns for this long now. I've been thinking about alternative responsible disclosure policies that work better for a post-AI era but it's a pretty tricky problem!

throwaway_account_67
throwaway_account_67@67_throwaway·
@deadvolvo how many 100k's or millions of LLMs are probably being blasted with the same code you mentioned, skids yelling "NOW FIND ME OTHERS LIKE THIS, NO FAKES NO SIMULATION NO DEMO" 🥲
d3d aka dead (dead, мёртв, 死了)
It seems some people are dumping 0days to avoid some dork from blind finding it with AI eventually. 🤣 We are living in very interesting times.