> Peter Stokes
> Scattered Spider guy
> Arrested
> Microsoft helps FBI
> Read court documents
> Page 12
> Microsoft tracks Stokes from GDID
> Microsoft Global Device Identifier (GDID)
> Stokes used Windows
> Page 34
> GDID assigned to each OS install
> GDID unique to each device
> GDID only change if OS wiped
> Stokes GDID 6755467234350028
> GDID reported internet activity to Microsoft
> GDID showed Stokes using Ngrok
> GDID reported Stokes IP address
> GDID showed Stokes web activity
> GDID showed timestamps of web activity
> GDID mapped with video game activity
> GDID showed games played
> GDID undocumented
> GDID only mentioned in one MSDN document
> Azure UCDOStatus
> Azure Monitor Logging
Uncensored version of GLM-5.2 via abliteration easier to run locally,
40B active, 1M context, and zero corporate guardrails.
- HuggingFace.com/huihui-ai/Huih…
I tried to do a write-up on X and share some de-obfuscated malware source code
I kept getting notifications on X saying something like, "sorry—something has gone wrong, don't fret", blah blah blah.
If I removed the malcode it worked
I THOUGHT THIS WAS AMERICA
Chat, I don't want to jump to conclusions, but I have a sneaking suspicion this malware stager was vibe coded. Historically, malware hasn't left extremely descriptive comments in their stagers.
A full university malware analysis course with every lecture, video, assignment, and lab available for free online.
Malware taxonomy. Static and dynamic analysis. x86 and x86-64 assembly. Ghidra from introduction to scripting to machine learning applications. YARA rules. Runtime debugging. Host exploitation and forensic analysis. Android and Java malware. PDF payload analysis. Sysmon. Volatility memory forensics.
No enrollment. No paywall. No signup. Just a complete course.
Course: class.malware.re
YouTube Videos: youtube.com/channel/UC0qfX…
Author: @colemankane#MalwareAnalysis#ReverseEngineering#InfoSec
> get dm
> "government ppl in Colombia getting weird file"
> lolwtf
> send link
> look inside
> phishing page (looks good tho tbh)
> image 1
> i dont speak spanish, idk wtf it says
> look inside .html
> .zip hidden inside it as base64
> lol ok
> bonk with stick
> "Oficio 2231" zip file
> idk what that means still
> look inside
> .zip has .js inside of it
> look inside
> big ass fuck off obfuscated bs trying to trick u
> image 2
> utf16 bullshit
> utf16 makes another file
> ???
> extract from tiny little fragments of js
> look inside
> .dll .net file
> wtf lol
> look inside
> heavily obfuscated .net malware
> image 3
> tiny .js fragments contain powershell script
> ???
tl;dr
.html does something that triggers .js which extracts .zip. the .js from .html executes the .js inside the .zip which reads the .ps script from the .js. the .ps then executes a c# .dll which is named taskscheduler (its malware)
why would someone send government officials in Colombia this file wtf lol
People with ADHD often have a hyper curious mind.
A 2026 study of 521 adults shows that ADHD traits like hyperactivity and impulsivity lead to higher curiosity and more exploration.