I am absolutely flabbergasted
Okay, so this nerd DMs me saying he thinks he got sent malware. He said I should check it out. I said "I'm in my undies, I'll do it later when I'm on my PC" (Image 1)
This malware has so many twists and turns bro, this shit is all vibe coded too. I don't know what AI agent wrote it, but I know it's vibe coded because THE NOTES FROM THE AI AGENT ARE PRESENT.
I think the Threat Actor who wrote this didn't understand how reverse engineering works, so they didn't know the AI agent notes would be present.
This malware wasn't super sophisticated, it didn't contain any extreme logic or anything, but it was a convoluted fucking MESS and it was a colossal pain in the ass.
A normal malware developer could have written this too, but it's got so many stages this would be more akin to a well-established Threat Actor. This was written by someone who doesn't understand how reverse engineering works and someone who is willing to target GAMERS OVER DISCORD with malware that is actually pretty decent.
In fairness, it could be MaaS, but this doesn't line up with anything I've seen from my peers (yet). It's possible I've missed it. But, this is a bitch of a payload and I unironically enjoyed it.
Here is the silly meme summary
> get sent rivals_toolkit.exe
> electron app goop
> masquerades as legit toolkit
> electron app contains resource called "Discord.exe"
> Discord.exe is a malware loader
> Discord creates a Java VM
> Loads obfuscated Java payload
> I can't find where the JVM payload is
> JVM payload hidden in different file from Electron app
> Annoying.jpg
> Electron App also has spoopy secondary functionality
> Displays legit HTML stuff
> Secondary thread executes, executes Ira.JS stager
> f91a7efa0d476811455271e023dfb3be
> Decodes and executes initial stager, Ira.jsc
> c286ad4c51128266e10ad0a49da9cb3f
> Decodes and drops secondary payload stage
> 816bfabbb3408ad2114ba351690410c3
> Decodes and drops third payload stage
> 7364f758b4b8623c0beb020a74ff09b5
> Decodes and drops fourth payload stage
> 7b9627f07f7fb604f5edfb23c706b22a
> Final payload syncs and does IPC with Java payload
> Contains AI notes (Image 2)
Holy Christ, all of this for fucking gamers on Discord? Multi-staged masquerading payload with cross-language IPC? What the fuck?
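As an added example (not the poster's code), here is a small Python triage script that walks an extracted app directory, MD5s every file against the stage hashes listed above, and flags the "Discord.exe shipped as an Electron resource" pattern from the summary. The Electron layout check (resources/app.asar or resources/app/) and the constructed sample directory are assumptions, not details from the post.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 hashes quoted in the post for the staged payloads.
STAGE_HASHES = {
    "f91a7efa0d476811455271e023dfb3be": "Ira.JS stager",
    "c286ad4c51128266e10ad0a49da9cb3f": "Ira.jsc initial stager",
    "816bfabbb3408ad2114ba351690410c3": "second payload stage",
    "7364f758b4b8623c0beb020a74ff09b5": "third payload stage",
    "7b9627f07f7fb604f5edfb23c706b22a": "fourth payload stage",
}

# Masquerade heuristic from the post: an Electron app bundling a "Discord.exe".
SUSPICIOUS_RESOURCE_NAMES = {"discord.exe"}


def md5_of_file(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_electron_app(root: Path) -> bool:
    # Assumption: Electron apps ship their code as resources/app.asar or resources/app/.
    res = root / "resources"
    return (res / "app.asar").is_file() or (res / "app").is_dir()


def triage(root: Path) -> list:
    """Report files matching a known stage hash or the bundled-Discord.exe pattern."""
    findings = []
    electron = is_electron_app(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        digest = md5_of_file(path)
        if digest in STAGE_HASHES:
            findings.append({"path": str(rel), "md5": digest, "reason": "known stage: " + STAGE_HASHES[digest]})
        if electron and path.name.lower() in SUSPICIOUS_RESOURCE_NAMES and "resources" in rel.parts:
            findings.append({"path": str(rel), "md5": digest, "reason": "Discord.exe bundled as an Electron resource"})
    return findings


def demo() -> list:
    """Constructed sample: a fake Electron layout carrying a bundled Discord.exe."""
    root = Path(tempfile.mkdtemp())
    (root / "resources").mkdir()
    (root / "resources" / "app.asar").write_bytes(b"not a real asar")
    (root / "resources" / "Discord.exe").write_bytes(b"MZ placeholder")
    (root / "resources" / "icon.png").write_bytes(b"")
    return triage(root)
```

Point it at an unpacked rivals_toolkit.exe directory with `triage(Path("path/to/unpacked"))`; a hash hit on any of the five stages or a Discord.exe under resources/ is enough to pull the sample for a closer look.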