Today Spaniard authorities seized 10 tonnes (metric tons, 22,000lbs, 10,000kg) of cocaine being smuggled into the country from Brazil.

The cocaine is reportedly valued at enough to purchase 3 DDR5 RAM sticks and maybe a few Claude tokens

Lots of drama on the internet today as TESLA announces the self-driving functionality will now require you paying a monthly subscription.

Tesla lovers are absolutely furious.

Tesla stock owners are dancing in the streets

I need help.

My 9 month old son loves Ms. Rachel. For the past 3 days I've been subjected to cruel and unusual punishment. I'm trapped. I'm stuck listening to this lady sing "Wheels On The Bus" for, at minimum, 8 hours a day.

My home is a CIA torture black site. "thE wHeElS oN the BuS gO rOunD n RouNd" ... in the morning... in the afternoon... at night ... when he's trying to sleep or he's sleeping.

I'm at the point where I'll start confessing to crimes I've never committed to make this fucking song stop playing.

Imagine hearing this shit ALL DAY. I'm losing my mind. I've disconnected from reality. I don't know what's real and what isn't real.

https://www.youtube.com/watch?v=bOiYN7iU-W8

I've decided to poke MalwareBytes with a stick.

Why? I'm mildly curious how it works internally and I'm curious if I can produce malware custom tailored to evade it.

Why? Because sometimes I get weird ideas and want to do weird things for literally zero reason other than "sounds kind of cool".

I setup a VM for the first time in years to poke it with a stick. I didn't want to install an AV on my main machine. Yes, I will do malware analysis on my main machine but not install an AV.

After installing MalwareBytes, skimming some of the files, poking random things and saying "wtf does this thing do", I've learned some mildly interesting things but nothing revolutionary.

1. They use Jenkins for continuous integration. Does this mean anything? No.

2. Based off my minimal testing, I don't see any DLLs injected into binaries when they're loaded into memory. However, the binaries I tested are well known and well established. It might inject DLLs into unknown binaries.

3. MalwareBytes main binary is written in C#.NET. It loads a secondary MalwareBytes.dll which then displays everything. It does the same stuff Microsoft Copilot does. That is how MalwareBytes has a fancy UI and stuff.

4. MalwareBytes stores very little in HKEY_CURRENT_USER making tampering from user mode kind of hard. It's just basic settings and stuff.

5. MalwareBytes has a custom protocol handler of "malwarebytes://". It looks like it uses this for interprocess communication between other MalwareBytes modules and binaries

6. MalwareBytes ships with a (basically) blank DLL called "Sample.dll". I have no idea why.

7. MalwareBytes has 2 mini filters in place which (presumably) are the main thing responsible for detecting malware. This is standard. MalwareBytes Chameleon (one of the minifilters) looks like it's meant to prevent tampering with the actual important MalwareBytes minifilter.

8. MalwareBytes Chameleon looks like it's responsible for communicating with user mode and kernel mode components. It looks like this is done so user mode components don't communicate directly with the minifilter responsible for actually detecting malware

9. I have a lot more poking to do

10. There is a binary called "assistant.exe" which loads "assistant.dll" (more .NET) stuff. It may possible to abuse this as a LOLBIN (maybe, need to poke more, kind of). assistant.exe does things like issuing commands for scanning, updating, and displaying things in the MalwareBytes UI. It accepts commands as "assistant.exe --uri malwarebytes://"

11. I have no idea how their scanning works, but it's labeled internally as Hyperscan

12. There is a thing called ProtectedHashes. I have no idea what this is.

13. There are tons of SQLite libraries, but I have no idea what it's for. Presumably, it's for known-good and known-bad file hashes, maybe? But I have no idea where this is stored.

14. I like cats

Poking MalwareBytes with a stick continues. I fell down a weird rabbit hole.

MalwareBytes contains a file that is packaged with it called "malwarebytes_assistant.exe". This file is written in C#.NET, it subsequently loaded malwarebytes_assistant.dll.

As the name implies, it is indeed an assistant file. It accepts commands and does things based on the commands given to it. There's a lot of commands, but here are the interesting ones.

- AddExclusion (can't find it though)
- Deactivate
- DisableWebProtection
- StopService
- LaunchProcess
- SetRegistryValue
- CreateWFCRule
- ModifyWFCRule
- DeleteWFCRule

LaunchProcess and SetRegistryValue check the parent process of the invoker. If it is not from a process that is signed by MalwareBytes, it fails. However, everything else works. It does prompt UAC, but it says its coming from MalwareBytes.

tl;dr disable MalwareBytes, modify Windows Firewall, etc. It displays as MalwareBytes doing it.

We must continue poking it with a stick.

tl;dr

"C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.exe" --disablertp

yay no more protection

It's 10pm and I'm reverse engineering Javascript malware targeting FiveM.

Why are people making malware for Grand Theft Auto V roleplay servers

I fucking HATE this shit. I hate dealing with this type of obfuscating. Ugh.

https://raw.githubusercontent.com/Linux123123/fivem-malware/refs/heads/main/second_stage/nulljj.js

I was reverse engineering this Grand Theft Auto V malware that targets FiveM stuff. It was a big ol' mess of obfuscated Javascript. I hate obfuscated Javascript.

I posted I hated obfuscated Javascript.

Subsequently, a very nice person named nullableVoidPtr deobfuscated the massive code base for me when I was sleeping. Thank you. I love you.

Anyway, when I began poking it with a stick I discovered the malware connects to blum-panel(.)me. It registers there. It's the C2.

When you visit via HTTPS it notifies you of their Discord server (also references to their Discord in their code?)?

When you connect to their Discord they advertise security services for Grand Theft Auto V stuff ... ?

What the fuck.

Dawg, do you NOT run a malware campaign and advertise it on Discord like this. Are you OUT OF YOUR MIND?

X is offline.

Is it DDoS? Is it an oopsie doopsie? Did Elon Musk crash out? Find out next time on Dragon Ball Z

When I shared that obfuscated Javascript payload that was targeting Grand Theft Auto V FiveM stuff, I had like 6 nerds pop out the bushes telling me how much they enjoy working with obfuscated payloads (Javascript, Lua, Powershell, etc).

WHO ARE YOU PEOPLE? WHO HURT YOU?

There are people out there who unironically like deobfuscating stuff like this (see attached link).

Imagine that level of schizophrenia. Imagine waking up and enjoying pain and suffering.

https://raw.githubusercontent.com/Linux123123/fivem-malware/refs/heads/main/second_stage/nulljj.js

Sabrina Thipdavone Rhodes, an Intelligence Analyst with the Nevada High Intensity Drug Trafficking Area (HIDTA) working with the United States Drug Enforcement Administration, plead guilty to theft of property of the United States.

Rhodes stole and converted to cash 243,199.0421 of the virtual currency Ripple (“XRP”) that had been seized by the DEA.

The value of the XRP stolen from the DEA Wallet would have been approximately $689,688.

More information, courtesy of the wonderful people of CourtWatch

https://storage.courtlistener.com/recap/gov.uscourts.cacd.989465/gov.uscourts.cacd.989465.3.0.pdf

The thing I find most admirable about my colleagues and peers in the United Kingdom is that they too dislike and distrust the government.

I'm like, "wtf y'all don't trust mfers either?" then I ask if they want to party and almost always they agree.

Good people across the pond

Nerds online have identified a malware strain using "Deno", some fancy Javascript run-time thingy. I have no idea what this means. However, other malware nerds have identified this as unique.

The payload is a second stage which comes from a payload impersonating TopWebComics (???).

They're targeting WEB COMIC NERDS (or not, nobody really knows yet for sure). It was first identified by @malwrhunterteam

Cybersecurity vendor Cylerian identified a similar malware campaign using this exact malware technique in early January, 2026. This appears* to be a relatively novel malware campaign. Unfortunately, there is insufficient information to identify it more. It is difficult to ascertain for the time being if this is something truly unique or novel, or recycled stuff from a previous malware campaign.

tl;dr need to poke with stick. Not enough information. First glance looks interesting.

This payload is also interesting because it appears (at first glance) to contain mutation-like properties. When the first stage connects and downloads the second stage (in attached link is one of the mutated Javascript payloads), the code changes each time the loader connects to the URL. However, the core functionality (domains it connects to) seems* static.

tl;dr
Stage 1 - TopWebComicsv1.msi
Stage 2 - Weird URL, obfuscated Javascript payload
Stage 3 - ???
Stage 4 - Profit!!1

Stage 2 obfuscated Javascript changes each time it is downloaded, hence it's mutation characteristics.

Some researchers have identified the same weird URL it uses to delivery the Stage 2 payload as also hosting an Amadey panel. Amadey is a very common Malware-as-a-Service provider. However, it would be ... unusual ... for an obfuscated polymorphic multi-staged Javascript payload to delivery Amadey. It would be a ton of complexity and sophistication to then throw it all out of the window for some run-of-the-mill crimeware.

If you're a nerd who likes trying to reverse engineer obfuscated Javascript this is your time to shine because, as of this moment, nobody has de-obfuscated it or determined which malware campaign it is potentially associated.

Note: some of the obfuscation SUCKS. It's very clearly an information stealer. It targets cryptowallets, Discord (???), web browsers, etc.

tl;dr tl;dr crowdsourced malware reverse engineering for clout

https://gist.github.com/vxunderground/0d0c5f265d9f5248fa9dca171aec16ba

You don't have to be a genius to see this and say "Oh, it's targeting cryptocurrencies"

> reverse engineer MalwareBytes
> find local sqlite db
> look inside
> password "VGhhbmtZb3VGb3JDaG9v"
> password: "c2luZ01hbHdhcmVieXRlcw"
> append
> base64
> decode
> "ThankYouForChoosingMalwarebytes"