> Find malware campaign
> Check VT
> (Looks) New
> Currently undetected
> Look inside
> Obfuscated Lua
Seriously? Lua? You guys are a bunch of sick fucks
We've solved the mystery. Who's That Pokemon? It's CastleRAT a/k/a TAG-150!
Okay, here is the drama and scoop, or whatever. I don't know if anyone cares, but this has been a really interesting puzzle with lots of twists and turns.
Previously @malwrhunterteam discovered an unusual malicious .MSI file called "TopWebComics". It dropped an obfuscated .JS file.
@nullableVoidPtr deobfuscated the malicious .JS, I reverse engineered it and named it "Smokest Stealer". However, @Kali3ndo went off my research notes and discovered that Smokest drops an additional malicious .PS1 file when Smokest connects to the C2.
The malicious .PS1 file drops a malicious .PY file, encoded with PyArmor. The Python script extracts a payload from a .JPEG.
After reviewing it, poking it with a stick, and having all sorts of fun, it turns out this payload was first noted by @YungBinary in August, 2025. This payload is CastleRAT (and tracked as TAG-150 by @RecordedFuture).
CastleRAT payload found January, 18th:
8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402
"Smokest Stealer" MSI:
5a1c14335d0a8b007ff2813e6ef738e8836be38257cc82fe03c02b71d71e1b01
"Smokest Stealer" JS:
29e13df9547d4e85e7ca3fc5b95eab90f56a233aabc406638bee2ded368acd3d
Thank you to my peers and colleagues for reversing this with me throughout the day and having fun with it. This was a very silly malware sample.
@NotNordgaren @vxunderground @malwrhunterteam not really stego, they just appended the data at a fixed offset (1585904, size 1649152) and then obfuscated it with a byte transform
enc[i] = (encrypted[i] + 120) & 0xFF
in the unpacked py file they also had some rc4 routines and this key "KeyKakaPupu" but they were never used
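An added example (my code, not the poster's or the sample's) of the recovery step described above: the JPEG is stood in by a constructed byte string, the offset and size are the values quoted in the post, and the transform is the one given, `dec[i] = (enc[i] + 120) & 0xFF`.

```python
# Added example (not from the original post): carve the appended blob out of the
# carrier file and undo the byte transform. The sample carrier built below is
# constructed for the demonstration, not a real JPEG.
PAYLOAD_OFFSET = 1585904   # offset quoted in the post
PAYLOAD_SIZE = 1649152     # size quoted in the post

# One 256-byte lookup table per direction; bytes.translate() is the idiomatic
# way to apply a per-byte transform without a Python-level loop.
_DECODE_TABLE = bytes((i + 120) & 0xFF for i in range(256))
_ENCODE_TABLE = bytes((i - 120) & 0xFF for i in range(256))


def decode_appended_payload(carrier: bytes, offset: int = PAYLOAD_OFFSET,
                            size: int = PAYLOAD_SIZE) -> bytes:
    """Slice `size` bytes at `offset` from the carrier and apply dec[i] = (enc[i] + 120) & 0xFF."""
    if len(carrier) < offset + size:
        raise ValueError(f"carrier is {len(carrier)} bytes, need {offset + size}")
    return carrier[offset:offset + size].translate(_DECODE_TABLE)


def build_sample_carrier(payload: bytes, offset: int = PAYLOAD_OFFSET,
                         size: int = PAYLOAD_SIZE) -> bytes:
    """Constructed stand-in for the JPEG: a JFIF-style header, zero filler up to
    `offset`, then the payload transformed with the inverse mapping and padded to
    `size` so the decode side sees exactly the layout the post describes."""
    if len(payload) > size:
        raise ValueError("payload longer than the reserved region")
    head = b"\xff\xd8\xff\xe0" + b"\x00" * (offset - 4)
    encoded = payload.translate(_ENCODE_TABLE)
    # padding byte decodes back to 0x00 under the decode transform
    return head + encoded.ljust(size, bytes([_ENCODE_TABLE[0]]))


if __name__ == "__main__":
    sample_payload = b"CONSTRUCTED-PAYLOAD-" * 3
    carrier = build_sample_carrier(sample_payload)
    recovered = decode_appended_payload(carrier)
    print(recovered[:len(sample_payload)] == sample_payload)
```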
@vxunderground By decoding one of the JWTs, it is possible to extract the campaignId. By fuzzing sharecodepro[.]com, I discovered an /analytics endpoint that returns a Zod validation error indicating a required campaign parameter. Supplying one campaignId allows retrieval of the campaign logs.
@vxunderground I have partially deobfuscated the JavaScript gist.github.com/Kaliendo/b66bd…
a ws connection is instantiated to sharecodepro[.]com, and multiple JWTs are used to authenticate the active campaign.
1/2
Nerds online have identified a malware strain using "Deno", some fancy Javascript run-time thingy. I have no idea what this means. However, other malware nerds have identified this as unique.
The payload is a second stage which comes from a payload impersonating TopWebComics (???).
They're targeting WEB COMIC NERDS (or not, nobody really knows yet for sure). It was first identified by @malwrhunterteam
Cybersecurity vendor Cylerian identified a similar malware campaign using this exact malware technique in early January, 2026. This appears* to be a relatively novel malware campaign. Unfortunately, there is insufficient information to identify it more. It is difficult to ascertain for the time being if this is something truly unique or novel, or recycled stuff from a previous malware campaign.
tl;dr need to poke with stick. Not enough information. First glance looks interesting.
This payload is also interesting because it appears (at first glance) to contain mutation-like properties. When the first stage connects and downloads the second stage (in attached link is one of the mutated Javascript payloads), the code changes each time the loader connects to the URL. However, the core functionality (domains it connects to) seems* static.
tl;dr
Stage 1 - TopWebComicsv1.msi
Stage 2 - Weird URL, obfuscated Javascript payload
Stage 3 - ???
Stage 4 - Profit!!1
Stage 2 obfuscated Javascript changes each time it is downloaded, hence its mutation characteristics.
Some researchers have identified the same weird URL it uses to deliver the Stage 2 payload as also hosting an Amadey panel. Amadey is a very common Malware-as-a-Service provider. However, it would be ... unusual ... for an obfuscated polymorphic multi-staged Javascript payload to deliver Amadey. It would be a ton of complexity and sophistication to then throw it all out of the window for some run-of-the-mill crimeware.
If you're a nerd who likes trying to reverse engineer obfuscated Javascript this is your time to shine because, as of this moment, nobody has de-obfuscated it or determined which malware campaign it is potentially associated with.
Note: some of the obfuscation SUCKS. It's very clearly an information stealer. It targets cryptowallets, Discord (???), web browsers, etc.
tl;dr tl;dr crowdsourced malware reverse engineering for clout
gist.github.com/vxunderground/…
Living with autism really be like
- 5 reps eye contact
- 10 reps considering others’ viewpoints and feelings
- 3x60 seconds tolerating uncomfortable sensations
- Remembering names and faces until failure
@vxunderground right now it only supports .zip files, I'm thinking about making it freemium and adding .7z support too. any angel investors for this soon to be fortune 500 startup?
@vxunderground for anyone trying to access the malware inside the .zip files, I have finally reverse engineered it and made a cracker github.com/Kaliendo/Vx-Un… shame on you having them behind a paywall!
Hello,
Due to the volume of people wanting free merch, we'll do another giveaway.
Rules:
- Reply to this post with a picture of your favorite animal
- Say what you want (ransomware acktivist, VXUG corporate, vx-uwu, classic vx-underground)
We'll just choose random people
Our friend @whid_ninja hooked us up with a Hardware Hacking Offensive Security training + exam. It comes with a bunch of super cool tools too =D
*Winner must disclose their home address to receive the package in the mail
Comment below to win :)
Course: whid.ninja/store/product/…
If exploit developers, reverse engineers, and malware developers were alive in the medieval era they'd be the crazy person living out in the woods trying to perform alchemy spells like turning wood into gold