> lay off a bunch of people > replace with AI slop machine 9000 turbo edition > everything breaks and implodes wow its the future
lmao. Facebook’s down because… *drumroll* … they didn’t lint the program that sends its json, and now its malformed. Another classic from the golden age of AI slop code.
Holy cow Unlimited AI usage!!!! Just run GPT_Claude_Free.exe as admin

Someone showed me this on Telegram. It is very silly. It is clearly masquerading as "Free GPT and Claude". Anyone with half a brain knows this is malicious, but people will still fall for it. People asked what it is. I have some free time. I poked it with a stick. People discussing it said it is XMRig. That is not entirely accurate. This is not XMRig. This is flagged as XMRig from Triage and VirusTotal because it does indeed drop XMRig, but it is much more than that. This is a (maybe new) information stealer packaged with XMRig as a double whammy. This malware is interesting because of a few things:
1. It is position independent; they care enough to be evasive and strip out a majority of dependencies. This is usually indicative of more serious malware.
2. The .zip it delivers from the "Free GPT and Claude" is intentionally bloated (payload inflation). It is 97MB, which may evade a majority of anti-malware products (initially) due to its large size. It packages itself with FFMpeg and various other audio codecs.
3. It accesses Microsoft Outlook e-mails, accesses Chrome stuff using the COM IElevationService, and looks for any SFTP credentials.
It (currently) does not have any matching YARA rules from AV vendors. The closest approximation is LummaStealer. My knowledge base on the Information Stealer scene is out-of-date (it changes a lot). However, on first initial glance this appears like a new information stealer. Again, this should be taken with a grain of salt. It's also worth noting the domain it exfiltrates to does not appear in any malware reports. The domain is unique, and the payload does not match any existing YARA rules (its behavioral characteristics do, but not a specific malware family), so this is actually a pretty interesting sample. A lookup though shows this is an emerging malware campaign. It first appeared around the end of May. This is (probably) a known Threat Actor who has switched it up a bit (or it's MaaS, whatever though).
The malware appears online masquerading as various products:
- ecore-sourceproject
- LogiDA
- GPT_Claude_Free
- CortexSystems.v3.4.2.Stable
- TikTokBot-v2.2
- CortexLauncher
Funny enough, this malware would have been much, much, much, MUCH more evasive if they didn't package it with XMRig. VirusTotal and Triage immediately flagged it because after it establishes persistence and steals any credentials on the machine, it pulls XMRig to turn into a cryptocurrency miner. If they did not pull the XMRig binary this stealer would be much more quiet. I have no idea why they decided to burn their OPSEC with XMRig.
C2: dfwioeiofwr-dot-info
Payload (and associated families from the C2)
I've been asked a bunch about AI and malware. As many others have stated many times, and I will happily regurgitate, AI acts as an augmentation device to skilled Threat Actors and a kiddy booster to non-skilled Threat Actors. AI has yet to produce truly sophisticated malware, presumably because non-skilled Threat Actors don't know the correct nomenclature or what exists and what doesn't. Skilled Threat Actors know what is, and what isn't, possible and AI enhances their skill set and allows RAD (Rapid Application Development) for languages people may be less skilled in. Conversely, my malware library must adjust appropriately for the future and include malware targeting AI agents. AI focused malware is a new and evolving threat. It is paramount information like this be archived. Unfortunately, I myself am not an AI expert, I only have an elementary understanding of the programmatic implementation of AI models, hence I am incapable of assessing what is a good malware paper on AI agents, and what isn't. We'll figure it out. Cheers
There is some bizarre thought that AI can just wish hyper sophisticated, never seen before, malware into existence. The reality of the matter is that truly sophisticated malware requires quite a bit of creativity combined with objectives and targets. It is not malware aimlessly blasted into the wild.
Literally the worst cable management I've ever seen in my life
My new PC setup
I've added like, 90 papers on malware development and malware detection. The stuff I've added ranges from kernel mode stuff, to how to hide malware stuff on the BlockChain, to detecting SYSCALL evasion, blah blah blah. It's about 50% of my backed up papers-to-add that I've had building up since my son was born. Mrs. Smellington has been watching the baby while I lock in, archive the papers, and sync them to prod. Thank you, Mrs. Smellington, for allowing me to add all of these papers for these stinky nerds. It is very important nerds have this stuff. You can view the MASSIVE update here: vx-underground.org/Updates

"why do you collect pictures of cats?"
"Bro it's so totally badass and scary, I swear bro, like, the GOVERNMENT is censoring us bro, I swear!!! It's like, sooo hardcore bro, for real" - Anthropic on their totally real and scary product
The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance. Access to all other Claude models is not affected. We apologize for this disruption to our customers. We believe this is a misunderstanding and are working to restore access as soon as possible. Read our full statement: anthropic.com/news/fable-myt…
> be me > somehow end up on keynote for @_ContinuumCon_ > everyone has cameras and mics > smart people there > super nice, welcoming, loving people > i join > in underwear, no camera > swear a bunch > tell kids to steal books > almost get beat up > banned from conferences now
I don't usually like comics and stuff, no disrespect to them, but it's not my cup of milk. Regardless, some nerd on Xitter named @foolibuster has been making so much noise it's bleeding into my cybersecurity bubble. He made this comic and I really want to share it with you all.
.@MiscreantsHQ will be selling limited edition vx-underground merch at DEFCON. The shirts, despite not having any silly pictures of cats, are pretty cool. I like them a lot. If you see these shirts, please grab me one (I seriously don't even have these).
> "hey bro i found malware" > sends link > "its clickfix" > look inside > nothing > ??? > realize uBlock Origin blocked it
is this slop clickfix?
Please note that in 2025 the FBI requested and executed over 7,000 FISA orders (technically 702 warrants, already collected data, that's a different story but within scope of FISA). FISA warrants a/k/a wiretapping computer lines, cell phones, etc. have come under scrutiny for a long time due to the high volume of requests with little to no return. FISA orders performed by the FBI typically do not require a criminal complaint. Additionally, United States Civil Liberties groups have noted the FBI may weaponize FBI warrants to invade US citizen privacy or attack political opponents. In 2025 it was noted the FBI executed nearly 900 FISA orders on political activists, social media influencers, church leadership, and more. I have no idea why the United States Grand Old Party is so dead set on wanting more FISA stuff despite heavy pushback from a majority of US citizens.
The Foreign Intelligence Surveillance Act (FISA) act helped stop the terrorists who plotted to massacre Taylor Swift’s Eras Tour ahead of the American people. To make a political point, Democrats are allowing FISA to go dark this week. While they block the tools we need to stop the next attack, our safety is on the line. AUTHORIZE FISA NOW.
The irony that the GOP, which supposedly wants to limit government, wants to expand the surveillance state. However, it should be noted government surveillance is a bipartisan thing and left-leaning organizations are all on board with online identification. Pick your poison.
Through a series of shenanigan events, I will be participating in the @_ContinuumCon_ keynote. I saw people discussing it. I joked if I could join. I was suddenly invited. I have no idea what I'm doing. tl;dr shitposted my way into giving a keynote, scared and confused