If you go to DEFCON this year you can visit the Data Duplication Village and clone yourself a copy of vx-underground. All it requires is an 8TB drive

Additionally, as a DEFCON exclusive, the drive will contain something secret

And no, we won't be at DEFCON. We don't go outside

We 'randomly' selected the FBI to receive free vx-underground swag. They ignored us and left us on read.

Got ego'd by the FBI 😭😭😭😭

We're partnering up with our sponsor TorGuard to offer a torrent (and if you're cool you'll seed) for vx-underground. You can stop sending us e-mails, messages, DMs, and smoke signals.

More information coming soon.

Thanks to our friends TorGuard and the degenerates from the DEFCON Data Duplication Village (ly7ine) we now allow individuals to torrent vx-underground

Note: Not all torrents are available yet

You can download the torrents here:
https://vx-underground.org/Torrents

A young man, presumably from the COM scene, is beginning to gain traction on Twitter for his calm and collected thoughts. A modern day philosopher

tl;dr some kid with a gun (airsoft, maybe?), talking about beaming people (?), and saying 'fuck da opps' and some Chicago gang stuff despite being .... 11? 12? maybe 13?

https://x.com/sgtmuffon/status/1793319240641950068

We received our first dick pic today. We don't really have anything else to say – but we felt like sharing that.

Good morning, afternoon, or night.

We've given away roughly $500 worth of merch for the 5 year giveaway. Dozens of people have been contacted. The giveaway is still ongoing due to the volume of people who entered.

tl;dr denial-of-service via nerd overflow

Updates to vx-underground

Samples:
- VirusSign.2024.05.15
- VirusSign.2024.05.16
- VirusSign.2024.05.17
- VirusSign.2024.05.18
- VirusSign.2024.05.19
- VirusSign.2024.05.20
- VirusSign.2024.05.21
- VirusSign.2024.05.22

Torrents:
- vxunderground.HD.APTs.WEBRip.torrent

Papers:
- 2024-04-29 - Zloader Learns Old Tricks
- 2024-04-30 - Latrodectus [IceNova] – Technical Analysis of the New IcedID
- 2024-05-01 - Router Roulette - Cybercriminals and Nation-States Sharing Compromised Networks
- 2024-04-30 - Pouring Acid Rain
- 2024-05-05 - Latrodectus "LittleHw"
- 2024-04-17 - Redline Stealer - A Novel Approach
- 2022-04-21 - Criminals provide Ginzo stealer for free, now it is gaining traction

"O Lord Jesus Christ, our God, who hast commanded us to love one another and to bear each other's burdens, we humbly beseech Thee to protect us from all harm and danger.

Send Thy holy angels to guard and keep us in peace and safety. Preserve us from every evil assault and from those who would seek to do us harm. Grant us the strength and wisdom to trust in Thy divine providence and to remain steadfast in our faith.

For Thou art our God, and we glorify Thee, together with Thy Father, who is from everlasting, and Thine all-holy, good, and life-creating Spirit, now and ever, and unto ages of ages. Amen."

– Russian Orthodox Priest doing a Prayer of Protection for Russian ransomware operator exfil servers, 2024

Today an unknown individual got access to Ring footage of the arrest of Conor Brian Fitzpatrick a/k/a Pompompurin.

We will not share the footage of the arrest because we believe it be unnecessarily invasive to the Fitzpatrick family. Although Pompompurin had plead guilty to the crime, and has been sentenced, we do not want to showcase his family members faces and identities.

What the footage shows:
The United States Federal Bureau of Investigation pretending to be a USPS Postal Worker, saying they have a package for Mr. Fitzpatrick.

Once Mr. Fitzpatrick steps outside the door, to sign for the phony USPS package, other FBI agents swarm him with weapons drawn, instructing him to place his hands behind his head.

Mr. Fitzpatrick remains calm, puts his hands behind his head and complies the entire time. A second person, presumably his Mother, exits the home and speaks with the FBI agents. They ask if anyone else is inside the home. She tells them no one else is currently home.

The entire incident was remarkably calm. Mr. Fitzpatrick complied, there was no physical altercation ...or even swearing. The woman (again, presumably his Mother) was also very polite and complied fully. The FBI agents also seemed calm and apologized to the woman for the event that is taking place.

Pompompurin was wearing sweat pants and for a brief second his butt crack is on camera. It wasn't a very eventful raid. ¯\_(ツ)_/¯

Per request, we will agree to share an image of the butt crack.

Today the NCA UK was discussing Operation Cronos (the takedown of Lockbit ransomware group) at SLEUTHCON – and for a brief moment in time we were on TV.

The cherry on top was the VX-UWU design as the profile picture.

Hello, how are you?

1. Our shipment of harddrives is on the way. We are expecting them sometime next week. Once they are received the cloning process will begin.

2. Bradley is OOO (like a loser), so giveaway winners and selections are briefly delayed

3. I love you

Here is some code that was written about a year for a project for vx-underground. However, due to various reasons, the code is being publicly released.

tl;dr recursive loader, painful to reverse engineer

Explanation of code:
The following code is inspired by APT Linux/Kobalos. Kobalos was malware, suspected to be tied to the Chinese government, which was fully recursive. It was novel malware.

Following this inspiration, an x64 recursive loader was developed for Windows 10 and Windows 11. When compiled the binary has no entries in the IAT. The binary resolves all APIs via NTDLL. Additional libraries are loaded via LdrLoadDll.

The code recursively calls itself to execute functions. It determines which portion of code to execute using a flag (an enum). Each 'function' is encapsulated in a switch statement. All variables are recursively passed using the 'VARIABLE_TABLE' structure. The VARIABLE_TABLE also contains further nested structures for handling API function resolving, initializing COM objects and associated classes, and data structures for some 'switch functions' which may require additional variables for tasks.

To avoid the compiler optimizing code and introducing functions into the IAT, some STDIO functionality such as ZeroMemory have been re-written in more unorthodox methods.

HTTPS requests are handled by COM via the WinHttpRequest Object.

The code basically downloads a binary from vx-underground and executes it. Currently the code will not work because the executable hosted on vx-underground for the proof-of-concept is no longer there – although it was just a copy cmd.exe.

Code may have some bugs. It can be improved upon by introducing pseudo-polymorphism by 'scrambling' the order of switch statements and enum values on each build.

Code written by smelly

You can checkout Win32.RecursiveLoader.b here: https://pastebin.com/HSTS2zwL