vx-underground
>wake up >take a shit >get out of bed >slide trash off desk >get on beep boop machine >powered by lots of hamsters >get on internet >check news >russia malwares poland >something about clawd idfk >windows is dumb >some other stuff probably >thank God it's…
HAVE U SEEN LATEST AI THING?
No, because every other day some fucking AI company pops out the bushes and tries yelling in my face about how they're going to "change everything". I can't keep up. I'm busy with malware, cats, a big stinky baby (he fucking STINKS)
If you missed it (I did, I don't know how), Microsoft is aiming to phase out UAC and replace it with a more secure thingie called "Administrative Protection".
They're doing this because UAC currently has over 81 bypasses and, for reasons unknown to me, Microsoft decided to scrap UAC in totality and redo the entire thing from the ground up. Why? I have literally no idea. Maybe you stinky nerds can educate me.
AP is now in preview mode for Windows Insider builds (testing stuff). Big brain security researchers from Google Project Zero poked it with a stick and discovered eight vulnerabilities that allowed them to bypass AP. Microsoft has since patched it. AP has yet to be deployed to Windows 11 as of this writing.
AP on paper, when reading about it, seems like a good idea and seems like it unironically would be a massive security improvement for Windows. However, the new architecture would bamboozle some legacy applications. Making it work with older stuff will require lots of science from Microsoft. Additionally, and maybe I'm being a bit pessimistic, I am concerned Microsoft will vibe code slop their new security module and make it one massive cluster fuck disaster.
Please read the research performed by Tirando (can't find his social media profile) and the other nerds at Project Zero. It's interesting. They're all very talented security researchers and make me feel like an imbecile.
https://projectzero.google/2026/26/windows-administrator-protection.html
projectzero.google
Bypassing Windows Administrator Protection - Project Zero
A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Cont...
Last time on Dragon Ball Z: I did a sort of long post discussing wanting to abuse Windows Application Execution Aliases for malware.
To make this schizo rant short, I'll call it AEA (App Execution Alias).
Refresher:
In Windows 11 if you go to:
-> Settings
-> Apps
-> Advanced App Settings
-> App execution aliases
You'll see "aliases". Hence, when a user types something into Powershell, or CMD, or Windows search, it defaults to whatever is aliased (see image 1)
Windows did a pretty good job at making this a convoluted mess. I am lost and confused. I am in places I have never been on Windows (as is tradition).
All of the execution aliases are the result of Microsoft store apps because they're from AppX and/or MSIX packages (although technically it doesn't NEED to come from the Microsoft app store, it's just the most common). MSIX is a Windows program installation file format. If you're not familiar with it, look it up online. It's nothing crazy. It's pretty common.
However, the MSIX installation thingie has package manifest elements, and this is where AEA come from. It's an element called "uap5:AppExecutionAlias".
The MSIX installer creates an NTFS reparse point in %LOCALAPPDATA%\Microsoft\WindowsApps\*
Inside that directory you'll see all the aliased programs, but they're 0 bytes in size. However, if you use fsutil you'll see this (image 2)
It was at this point I began researching "0x8000001B", which translates to "IO_REPARSE_TAG_APPEXECLINK". This led me to discovering James Forshaw (tiraniddo) reverse engineered AEA in 2019 as a result of people on social media arguing about Windows executing the incorrect Python as a result of AEA (see subsequent post for his write-up).
.... which coincidentally we're here discussing THIS RIGHT NOW because people on social media were arguing about Windows executing the wrong Notepad. It's been 7 years and people are still rustled by it.
He concludes his technical write-up with the message, "I'm sure there's probably some exploitable security bug in the code here, but I'm too lazy to find it :-)"
Now I am in a situation where I can continue to poke AEA with a stick, to find a mechanism to abuse for malware, or I could give up and go back to watching Dragon Ball Z.
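One way to inventory these aliases from a defender's seat, added here as an example and not code from the vx-underground post or the linked write-ups: it lists the reparse-point stubs in %LOCALAPPDATA%\Microsoft\WindowsApps, runs the same fsutil reparsepoint query the post refers to, and flags the entries whose tag is 0x8000001B (IO_REPARSE_TAG_APPEXECLINK). The function name Get-AppExecAlias, the directory default and the regex on fsutil's "Reparse Tag Value" output line are assumptions of mine; the reparse data itself (the bytes fsutil dumps after the tag) is not decoded here.

```powershell
# Added example (not code from the vx-underground post): inventory the App Execution
# Alias stubs for the current user and report which carry IO_REPARSE_TAG_APPEXECLINK.
# Assumptions: the alias directory is %LOCALAPPDATA%\Microsoft\WindowsApps (as the post
# states) and fsutil's first output line reads "Reparse Tag Value : 0x8000001b".

# IO_REPARSE_TAG_APPEXECLINK, built via Convert because a bare 0x8000001B literal is
# read by PowerShell as a negative Int32 and would never compare equal to a UInt32.
$AppExecLinkTag = [Convert]::ToUInt32('8000001B', 16)
$AliasDir = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps'

function Get-AppExecAlias {
    [CmdletBinding()]
    param([string]$Path = $AliasDir)

    # Alias entries are reparse points that show up as 0-byte files; skip anything else.
    Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction Stop |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 } |
        ForEach-Object {
            # Same query the post used; capture stdout+stderr so a refusal is visible.
            $output = (& fsutil.exe reparsepoint query $_.FullName 2>&1) | Out-String
            $tag = $null
            if ($output -match 'Reparse Tag Value\s*:\s*0x([0-9A-Fa-f]+)') {
                $tag = [Convert]::ToUInt32($Matches[1], 16)
            }
            [pscustomobject]@{
                Name          = $_.Name
                SizeBytes     = $_.Length
                ReparseTag    = if ($null -ne $tag) { '0x{0:X8}' -f $tag } else { '(query failed)' }
                IsAppExecLink = ($tag -eq $AppExecLinkTag)
            }
        }
}

# Usage: list every alias, AppExecLink entries first.
Get-AppExecAlias |
    Sort-Object -Property @{ Expression = 'IsAppExecLink'; Descending = $true }, Name |
    Format-Table -AutoSize
```

Run it in the user context whose aliases you care about, since the directory is per-user. An entry in that folder that is not a 0-byte AppExecLink reparse point is not what a Store-installed alias looks like and is worth a closer look; if fsutil refuses the query, rerun from an elevated prompt.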
vx-underground
Last time on Dragon Ball Z: I did a sort of long post discussing wanting to abuse Windows Application Execution Aliases for malware. To make this schizo rant short, I'll call it AEA (App Execution Alias). Refresher: In Windows 11 if you go to: -> Settings…
www.tiraniddo.dev
Overview of Windows Execution Aliases
I thought I'd blogged about this topic, however it turns out I hadn't. This blog is in response to a recent Twitter thread from Bruce Dawso...
vx-underground
Last time on Dragon Ball Z: I did a sort of long post discussing wanting to abuse Windows Application Execution Aliases for malware. To make this schizo rant short, I'll call it AEA (App Execution Alias). Refresher: In Windows 11 if you go to: -> Settings…
> be me
> have idea
> look inside
> james forshaw, or x86matthew, or hexacorn, or grzegorz tworek did it
/me flips desk
vx-underground
Photo
i got https without winsocks working by communicating directly with drivers. i said i wouldnt do it, but i did. everything hurts inside
>poking windows with stick
>want to learn how handles tls http stuff
>look inside
>secu32.dll - QueryContextAttributesW
>look inside
>sspi.dll - QueryContextAttributesW
>look inside
>sspi provider virtual table QueryContextAttributes
>look inside
>LsaQueryContextAttributesW
>look inside
>NtDeviceIoControlFile
>talks to driver kdsecdd
>Kernel-mode Security Device Driver
tl;dr
Chat, I've done it.
I've managed to get Windows Sockets (Winsock) functionality working by communicating directly with AFD (Ancillary Function Driver for WinSock) by IO control codes AND used it with HTTPS by using SSPI (Microsoft Security Support Provider Interface).
Doing this completely eliminates the need for WININET or WINHTTP for malware payloads. It also removes the weird telemetry and ETW stuff present in Winsocks, WININET, and WINHTTP.
My code is still in a debug state at the moment, but I'll eventually release a non-fucked-up version (no SYSCALLs, no position independence) so people can look at it, study it, or review it.
Currently this only supports GET requests for simple pages (not even file downloads...). However, I'm having so much fun with this I think I am going to expand on it to do the following:
- HTTPS authentication
- HTTPS upload
- HTTPS download
- ???
I'll make it all open source, non-crazy, in a format people can copy pasta and have fun with it. I'll also probably make a fork where it's the crazy schizo version.
I hope all my malware development friends, reverse engineer friends, and anime friends, look at it and appreciate it. This is some of my favorite code I've written and I think it has a lot of applicability to Red team engagement. Conversely, it also offers insight to defenders on detecting this sort of functionality.
Lots of drama on the internet today as nerds quickly ascertained some new stuff CloudFlare released was vibe coded, and a blog was written with AI
Internet nerds collectively began screaming as they witnessed the slop slowly, but surely, encapsulate their entire existence.
Madhu Gottumukkala, the freshly elected Director of the United States Cybersecurity and Infrastructure Security Agency (CISA) has had a few ... kerfuffles ... since he began the role.
He initially was Deputy Director, nominated by United States Secretary of Homeland Security (DHS) Kristi Noem, on May 16th.
On May 30th, most leadership at CISA had resigned. He was promoted to Director.
In June, 2025, Gottumukkala requested access to a DHS controlled access program. He was issued a polygraph test. He failed the polygraph test. Six staffers were suspended after Gottumukkala failed the polygraph test because it was determined Gottumukkala did not need to take a polygraph test for access to the controlled access program.
In January, 2026, it was unveiled that Gottumukkala had, on at least four different occasions, uploaded FOUO (For Official Use Only) documents to ChatGPT. This violates DHS guidelines. DHS employees are issued an AI agent called "DHSChat".
Per DHS, ChatGPT is blocked on DHS networks and devices. However, Gottumukkala requested special access to use ChatGPT and it was granted. It was during a routine audit it was discovered Gottumukkala uploaded these FOUO documents.
"You penetration test 'em so you simulate the pressure"
I've seen some comments recently where people have criticized this social media profile's grammar, typos, and word misuse.
This has been a long standing issue with this social media because the mysterious (and smelly) person behind it can't brain good.
Hi
I have finished the first part of my Spoopy Windows Sockets project. I'll continually work on it because I'm (probably) mentally ill.
I have written code which can communicate with HTTPS hosts without using WININET, WINHTTP, or WINSOCKS. It works by communicating directly with the Windows AFD (Ancillary Function Driver for WinSock). This is extremely beneficial because WININET, WINHTTP, and WINSOCKS have Windows telemetry stuff in place, for detecting stuff, or whatever.
My favorite part of this project is that it also resolves DNS with AFD, so you can resolve DNS with SYSCALLS too.
Basically, you can do web stuff with raw SYSCALLS and nothing else (sort of). The HTTPS TLS verification stuff happens (mostly) in user-mode space, and attempting to recreate it programmatically would result in me having to basically recreate something like OpenSSL, but Windows specific. I'm not doing that.
You COULD do HTTPS stuff without verifying the TLS stuff, but that is probably a poor decision.
Anyway, I have stripped this code down to the bone. I have removed virtually all dependencies. All headers have been recreated from scratch so there is zero bloat. This project and/or proof-of-concept is entirely self-encapsulated.
To make it work all you need to do CTRL+C and CTRL+V into Visual Studio. That's it. Nothing else. I have made it as shrimple as possible.
It has two functions right now:
- EXAMPLE_HttpsSimpleGetRequestClose
- EXAMPLE_HttpsSimpleGetRequestKeepAlive
The names speak for themselves.
I have code in place which will allow file uploads, downloads, and (maybe) HTTPS authentication. Ideally Red Team nerds, or Blue Team nerds, can look at this, poke it with a stick, and do really cool stuff with it. I have made it as least-schizo as possible. I have removed the position independence and stuff.
This project is the result of research by x86matthew, Apple, Mārtiņš Možeiko, Mateusz Lewczak, Google Chrome nerds, ReactOS nerds, and some guy on UnknownCheats who writes like a caveman.
https://gist.github.com/vxunderground/0db801dbc16371fc2b3143d471f551b0
Gist
winsock no winsocks
GitHub Gist: instantly share code, notes, and snippets.
vx-underground
Hi I have finished the first part of my Spoopy Windows Sockets project. I'll continually work on it because I'm (probably) mentally ill. I have written code which can communicate with HTTPS hosts without using WININET, WINHTTP, or WINSOCKS. It works…
TODO:
- File Upload (done, just needs improvement)
- File Download
- Authentication
- C5pider mentioned proxy support?
Thanks to HTTPBin I'm having a lot of fun with this.
The Chinese government executed 11 people today. They were leaders in a massive crypto scamming empire.
The Ming crime family had at its peak over 10,000 people performing scams for them. People who tried to leave were beaten or in some instances killed.
The people who "worked" for the Ming crime family performed crypto pig butchering scams. In other words, long-term romance cons.
The Chinese government began a crackdown on the Ming crime family in 2023 following international scrutiny. After their detention they were sentenced to death.
One of the leaders of the Ming crime family killed himself in jail while awaiting sentencing.