xf0

19 posts

@xf0_st

You found xf0. Most people don't. - Threat Research

/dev/null Joined May 2025
21 Following 9 Followers
Pinned Tweet
xf0@xf0_st·
contact: xf0@keemail.me
xf0@xf0_st·
@vxunderground You're forgetting that "nerd" joined ISIS.
vx-underground@vxunderground·
Note: there is a 0% chance they're drone striked. I've only seen a nerd drone striked once. These are just angry normies who don't understand computers and are raging online.
vx-underground@vxunderground·
ShinyHunters has successfully hit the big leagues. ShinyHunters successfully disrupting exams, schooling, grading, government funded research projects, dissertation work, graduations, financial aid, financial loss, potentially immigration complications, and more, has elevated this from "a silly shenanigan" to "major national security incident" and being labeled as an attack on United States critical infrastructure. If I had to guess, the FBI, NSA, CIA, DIA, CISA, ICE, and DOE are all involved due to the disruption of this. This isn't the largest extortion campaign I've seen, but this is definitely in the top ten. This is what the kids call a "Certified Hood Classic".
BleepingComputer@BleepinComputer·
🚨 BREAKING: ShinyHunters defaced Canvas login portals for hundreds of colleges and universities today, replacing them with extortion demands tied to the recent Instructure breach.
Sources tell BleepingComputer that the hackers exploited another unpatched vulnerability in Instructure’s systems, allowing them to hijack approximately 330 Canvas portals and display ransom messages to students and staff.
What happened:
🔴 Canvas login portals were replaced with ShinyHunters extortion messages
🔴 The messages warned schools to negotiate before May 12 or student data would be leaked
🔴 The defacements also appeared inside the Canvas mobile app
The portals were visible for about 30 minutes before being taken offline as Instructure responded to the incident.
This follows last week’s breach where ShinyHunters claimed to have stolen 280 million student and staff records tied to thousands of schools using Canvas.
xf0@xf0_st·
Want to see what an operator's attack box looks like? Below is documentation of a real hacker's tools, exploits, stagers and delivery payloads.😀🏴‍☠️
xf0@xf0_st·
RIP @pcpcats, hopefully they make a comeback so we can document more of their infrastructure ;)
xf0@xf0_st·
Another malware found, this time written in VBScript using Batch as a delivery mechanism. Thread coming soon.
xf0@xf0_st·
> Persistence Beaconing. The script enters an infinite loop phoning home back to the C2's host every 5 minutes to signal if the implant is still active. Is this a threat actor testing his malware, or is it a real threat? Let me know :D
xf0@xf0_st·
> LotL Downloads. Uses "certutil" & "bitsadmin" to download files from the C2 server to avoid detection. > Persistence. There are 3 methods being used; registry keys, startup folder and a task scheduler. > Data Exfil. All system collected data is sent to 108.165.[123.10 (2/n)
xf0@xf0_st·
A PowerShell script is being deployed, infecting over 500 devices. This script acts as a dropper that disguises itself as a "pentest simulation". In this thread I will break down the functions of the PowerShell script and ask you guys what you think they are trying to achieve.
xf0@xf0_st·
This is an example of a sophisticated vibe-coded Monero miner being deployed on a day-to-day basis.
xf0@xf0_st·
> hides processes using 'mount --bind' to hide from /proc > clears bash history and touches timestamps to match legitimate system files > modifies .bashrc to load an aliased config > deletes itself after installation > then finally sends a POST request to a webhook (3/n)
xf0@xf0_st·
Previously, during the React2Shell vulnerability we observed a miner being deployed called "sex.[sh". A new open directory index has been opened containing a similar script but appears to be vibe-coded by a Chinese actor. (1/n)
xf0@xf0_st·
@CarTalkYumeship @DarkWebInformer That is because the owner is aligned with the federal government. Due to this, he has immunity by handing over any logs to the authorities if requested.
xf0@xf0_st·
@discord_support So you terminate my account with no warning 1 day after I purchase Nitro, then you say I have been suspended for violent content and fraud? Please get in contact with me to help me fix this. At least show me evidence.
xf0 retweeted
master hacker@masterhaxx0r·
master hacker tweet media