Someone showed me this on Telegram. It is very silly. It is clearly masquerading as "Free GPT and Claude". Anyone with half a brain knows this is malicious, but people will still fall for it.
People asked what it is. I have some free time. I poked it with a stick.
People discussing it said it is XMRig. That is not entirely accurate. This is not XMRig. This is flagged as XMRig from Triage and VirusTotal because it does indeed drop XMRig, but it is much more than that. This is a (maybe new) information stealer packaged with XMRig as a double whammy.
This malware is interesting because of a few things:
1. It is position independent; they care enough to be evasive and to strip out a majority of dependencies. This is usually indicative of more serious malware.
2. The .zip it delivers from the "Free GPT and Claude" is intentionally bloated (payload inflation). It is 97MB, which may evade a majority of anti-malware products (initially) due to its large size. It packages itself with FFMpeg and various other audio codecs.
3. It accesses Microsoft Outlook e-mails, accesses Chrome stuff using the COM IElevationService, and looks for any SFTP credentials.
It (currently) does not have any matching YARA rules from AV vendors. The closest approximation is LummaStealer. My knowledge base on the Information Stealer scene is out-of-date (it changes a lot). However, on first glance this appears like a new information stealer. Again, this should be taken with a grain of salt.
It's also worth noting the domain it exfiltrates to does not appear in any malware reports. The domain is unique, and the payload does not match any existing YARA rules (its behavioral characteristics do, but not a specific malware family), so this is actually a pretty interesting sample.
A lookup, though, shows this is an emerging malware campaign. It first appeared around the end of May. This is (probably) a known Threat Actor who has switched it up a bit (or it's MaaS, whatever though).
The malware appears online masquerading as various products.
- ecore-sourceproject
- LogiDA
- GPT_Claude_Free
- CortexSystems.v3.4.2.Stable
- TikTokBot-v2.2
- CortexLauncher
Funny enough, this malware would have been much, much, much, MUCH more evasive if they didn't package it with XMRig. VirusTotal and Triage immediately flagged it because after it establishes persistence, and steals any credentials on the machine, it pulls XMRig to turn into a cryptocurrency miner.
If they did not pull the XMRig binary this stealer would be much more quiet. I have no idea why they decided to burn their OPSEC with XMRig.
C2: dfwioeiofwr-dot-info
Payload (and associated families from the C2)
027d576c6b5512d661081aaeeeb8e611f95a469ccf5ba35e0a390e8814334d05
5dcc599cf48227e65ea49d2708d08704fd1cb7e3b89736718d0d8e557857c49c
5e8b40b0b7512e1a1355374fb0cf34bfdf1260ebdb80a353c8f9da2490beeed3
6a0c332296b017220fc2b522da653fce36a8a3c5c79de0200d61c5fc31eb89ce
a2f8ebf65d54a4d9c8b720d01da77ad796683f1a5b8bd3d08738d7df4365f8a
9d4aaa9842c947756b7c128c432292732098fb71d247ef0bce60368563572da3
c4caca93e2291c018e701c217b7d232c534e4dd142042a59aa4d32754ef3022a
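A defender-side triage helper for the indicators in the post above, added here as an example and not the analyst's own tooling: it checks that each posted hash is a well-formed SHA-256 (one entry is 63 hex characters as printed on the page, so it is rejected rather than silently never matching), sweeps a directory for files whose hash is in the remaining set, and greps DNS-style log lines for the C2 domain after refanging the post's "-dot-" notation. The planted file and the log lines are constructed for the demo; nothing here is the sample itself.

```python
import hashlib
import os
import re
import tempfile

# File hashes exactly as listed in the post above. One entry is 63 hex characters
# on the page, so it cannot be a complete SHA-256 and must not be used to match.
POSTED_HASHES = [
    "027d576c6b5512d661081aaeeeb8e611f95a469ccf5ba35e0a390e8814334d05",
    "5dcc599cf48227e65ea49d2708d08704fd1cb7e3b89736718d0d8e557857c49c",
    "5e8b40b0b7512e1a1355374fb0cf34bfdf1260ebdb80a353c8f9da2490beeed3",
    "6a0c332296b017220fc2b522da653fce36a8a3c5c79de0200d61c5fc31eb89ce",
    "a2f8ebf65d54a4d9c8b720d01da77ad796683f1a5b8bd3d08738d7df4365f8a",
    "9d4aaa9842c947756b7c128c432292732098fb71d247ef0bce60368563572da3",
    "c4caca93e2291c018e701c217b7d232c534e4dd142042a59aa4d32754ef3022a",
]
# C2 domain in the defanged form the post uses ("-dot-" in place of ".").
POSTED_C2_DEFANGED = "dfwioeiofwr-dot-info"

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate_hashes(hashes):
    """Split an IOC list into well-formed SHA-256 values and rejected entries."""
    valid, rejected = set(), []
    for h in hashes:
        h = h.strip().lower()
        if SHA256_RE.match(h):
            valid.add(h)
        else:
            rejected.append(h)
    return valid, rejected


def refang(text):
    """Undo common defanging ("-dot-", "[.]", "(.)") so indicators can be compared."""
    return re.sub(r"-dot-|\[\.\]|\(\.\)", ".", text).lower()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, ioc_hashes):
    """Walk root and return [(path, sha256)] for files whose hash is an IOC."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if digest in ioc_hashes:
                hits.append((path, digest))
    return hits


def grep_domain(log_lines, defanged_domain):
    """Return log lines that mention the C2 domain as a whole hostname."""
    target = re.escape(refang(defanged_domain))
    pattern = re.compile(r"(?<![a-z0-9.-])" + target + r"(?![a-z0-9-])")
    return [line for line in log_lines if pattern.search(refang(line))]


def demo():
    valid, rejected = validate_hashes(POSTED_HASHES)
    # Constructed sample: plant a harmless file and add its hash as an extra IOC
    # so the directory sweep has something to find.
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "Downloads", "constructed_sample.bin")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as f:
            f.write(b"constructed bytes, not malware\n")
        hits = scan_directory(tmp, valid | {sha256_file(planted)})
    # Constructed DNS log lines; only the first names the C2 domain itself.
    dns_log = [
        "2025-06-01T10:00:00Z query A dfwioeiofwr.info from 10.0.0.5",
        "2025-06-01T10:00:01Z query A example.com from 10.0.0.5",
        "2025-06-01T10:00:02Z query A notdfwioeiofwr.info from 10.0.0.9",
    ]
    return {
        "valid_hashes": len(valid),
        "rejected": rejected,
        "file_hits": len(hits),
        "dns_hits": grep_domain(dns_log, POSTED_C2_DEFANGED),
    }


if __name__ == "__main__":
    print(demo())
```

The hostname match uses lookarounds so that `notdfwioeiofwr.info` does not count as a hit; a bare substring search would over-match on any log line containing the domain as a suffix.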
RDP bitmap cache artifacts revealed the threat actor opening the Veeam Backup & Replication console, reviewing backup jobs, tape & storage infrastructure — and removing backups from the configuration database.
Full report 👇
https://t.co/IOlOAj2ClY
Dear Windows users, Hyprland will never be available on Windows because Windows does not deserve the greatness of Hyprland. Switch to Linux. Or BSD. Or an OS that respects you, as a person :)
Hello,
This social media profile is now the largest cybersecurity-related profile on Xitter. It has passed @SwiftOnSecurity.
What does this mean? Well, as the top influencer I am carrying the weight of the world on my shoulders. This is a very serious role. I'm basically a superhero.
First, I will begin pushing my new cybersecurity course. It will be somewhere between $200 - $500. It will not be formally recognized by any institution or employer. Additionally, it will be poorly developed and half-assed. I will lie and say it will help you get a job (it won't).
Second, I will begin pushing cryptocurrency coins which I will say are going to solve some opaque problem in cybersecurity. I'll make something up, like, "this coin will prevent DHCP DNS cluster fraud". It won't make sense. When someone questions it I will immediately deflect blame or call them bad names.
Third, I will travel to every major cybersecurity conference. Each talk I give will not be technical. My talks will primarily revolve around my experiences, and wisdom, or something. I will pretend to be an old sage filled with knowledge, things you could literally never understand. In actuality, I can barely send an e-mail.
Thank you for the love and support. I look forward to rug pulling all of you.
Reversing a Microsoft-Signed Rootkit: The Netfilter Driver - Reverse Engineering Attempts.
Author: @Splintersfury
Great detailed write-up. If anyone interested in driver reversing, do check his work out. 🫡🔥 https://t.co/pSm6GZzvk2
Chat, I've done it.
I've managed to get Windows Sockets (Winsock) functionality working by communicating directly with AFD (Ancillary Function Driver for WinSock) by IO control codes AND used it with HTTPS by using SSPI (Microsoft Security Support Provider Interface).
Doing this completely eliminates the need for WININET or WINHTTP for malware payloads. It also removes the weird telemetry and ETW stuff present in Winsock, WININET, and WINHTTP.
My code is still in a debug state at the moment, but I'll eventually release a non-fucked-up version (no SYSCALLs, no position independence) so people can look at it, study it, or review it.
Currently this only supports GET requests for simple pages (not even file downloads...). However, I'm having so much fun with this I think I am going to expand on it to do the following:
- HTTPS authentication
- HTTPS upload
- HTTPS download
- ???
I'll make it all open source, non-crazy, in a format people can copy pasta and have fun with it. I'll also probably make a fork where it's the crazy schizo version.
I hope all my malware development friends, reverse engineer friends, and anime friends look at it and appreciate it. This is some of my favorite code I've written and I think it has a lot of applicability to red team engagements. Conversely, it also offers insight to defenders on detecting this sort of functionality.
Update on the NTLM reflection attack:
ctjf discovered that SMB signing enforcement does NOT protect against the NTLM reflection attack🛡
Cross-protocol relaying is still possible, even with mitigations in place. Only patching your system fully mitigates the vulnerability!
1/4🧵
A client walked in today shaking. Said his laptop was "whispering" his name. I thought he was crazy. Or maybe it was just a hardware glitch.
I was wrong. I fired up CORTEX-V9 to run a heuristic scan. What it found gave me chills. 🧵 (Video Included)
During a mobile device forensic examination, GPS coordinates were successfully extracted from WhatsApp messages. These coordinates were linked to specific conversations found in the device’s message database. The recovered location data was then verified using Google Maps and Google Street View. I targeted my friend MUSA.
The misconception out there is that you need to jailbreak an iPhone before getting vital data; I'm sorry, but that is wrong. There are ways to get concrete data aside from jailbreaking. This is an iPhone 16 Pro with a 26.1 firmware which has not been jailbroken.
The screenshots below document the extraction process, the coordinates recovered, and the real-world locations corresponding to those coordinates.
On 28 September 2024 at 12:18:07 UTC, a WhatsApp message that was received in the conversation with my friend "Musa Trillionaire" was marked as seen and contained embedded location metadata showing latitude 55.75583° and longitude 37.6173°.
- Google Maps Verification
(Shown in Screenshot 2)
Entering the coordinates 55°45′21.0″N 37°37′02.3″E (which converts to the same numeric coordinates) in Google Maps places the location within:
1. Tverskoy District, Moscow, Russia (Plus Code: QJ48+8WM)
Google Street View imagery (dated September 2014) shows the location as part of Red Square, with the buildings and open plaza visible in the screenshot.
- Satellite Map Confirmation
(Shown in Screenshot 3)
Satellite view confirms that the coordinates fall exactly at:
1. Voskresenskiye Vorota (Resurrection Gate)
2. Near the State Historical Museum
3. At the entrance of Red Square, Moscow
This is corroborated by the red marker positioned over the historical gate structure.
Extracting GPS locations from WhatsApp messages is important for investigators because it provides accurate, timestamped information about a device’s location at a specific moment.
Additionally, GPS data helps establish a clear timeline of events, allowing investigators to track a person’s movements and compare them with other evidence such as CCTV footage, phone records, or travel logs. Over time, multiple GPS points can reveal travel habits, meeting locations, or behavior patterns that may be relevant to the case. Overall, this type of digital location data is a powerful investigative tool because it connects communication activity to real-world locations and contributes to building a comprehensive, accurate picture of events.
VMware Workstation guest-to-host escape (CVE-2023-20870/CVE-2023-34044 and CVE-2023-20869) by Alexander Zaviyalov (@NCCGroupInfosec)
https://t.co/qAKnS15RLn
#infosec
A very big hashcat rules collection with 455 rulesets: https://t.co/NkcDSZXs1A
Spreadsheets with benchmarks on how these rules score:
🟢https://t.co/zly4ULQJY4
🟢https://t.co/Bl0knWfXYj
Imagine receiving a normal WhatsApp message from someone… and later discovering that the message secretly contained their exact location, even though they never shared it.
That’s exactly what happened during a recent forensic extraction I performed on my iPhone 12 Pro Max.
During the analysis, I decided to pick a message I received from @RedHatPentester on 3rd September 2025 at 7:11 AM.
Nothing unusual at first glance, just a regular text.
But deep inside the message metadata, the phone had silently logged:
@RedHatPentester's exact location at the moment he sent that message.
He didn’t share it intentionally.
I didn’t request it.
Yet the device recorded it automatically.
This was extracted directly from my own phone, meaning:
If your location is turned ON while chatting on WhatsApp, your exact location can be extracted from someone else’s device if theirs undergoes forensic imaging.
Most people have absolutely no idea this happens.
But this was only the beginning.
Also, every single file created on the device, i.e. photos, videos, screenshots, recordings, had the exact location of where I was when that file was created.
The phone automatically logged precise GPS coordinates for each media file.
This means investigators can determine where you were at the exact moment you took a picture, recorded a video, captured a screenshot, or created any media on the device.
This level of metadata helps reconstruct movements, timelines, and behaviors with incredible accuracy.
The extraction revealed far more than hidden location data and remember, this phone was NOT jailbroken.
Here’s what else was recovered:
1. Full Synchronized Accounts & Passwords
The extraction pulled:
• URLs
• Usernames
• Passwords
• Stored login metadata
Basically, every synchronized password ever used on the device, all recovered without a jailbreak.
2. Complete Application Logs & Histories
Every installed application had:
✔ Detailed logs
✔ Usage history
✔ Internal data
✔ Metadata
Even apps considered “secure” or “encrypted” still left behind recoverable traces.
3. Full WhatsApp Data, Including Group Histories
WhatsApp revealed more than most users realize:
• Full history of every group ever joined
• Date each group was created
• Who created it
• Date I was added
• Group metadata even after you exit the group
This is critical in investigations because a suspect cannot deny belonging to a group when the device itself retains:
📌 Creation date
📌 Creator identity
📌 Join date
📌 Participation timeline
Even if they left the group years ago.
4. Message-Level Location Metadata
The iPhone logged exact sender locations at the moment messages were typed and sent, just like what happened with @RedHatPentester's message.
Most people never see this.
Investigators do.
Why This Matters
Every phone tells a story.
Every app keeps footprints.
Every message carries more than text.
This extraction proves that even without a jailbreak, investigators can discover:
✔ Locations
✔ Passwords
✔ Group associations
✔ Message histories
✔ Detailed app activity
✔ Metadata most users never realize exists
Digital devices rarely forget, even when the user does.
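The coordinate arithmetic behind the two forensic posts above (the decimal-to-DMS check against Google Maps in the first, and the per-media-file GPS tags in the second), as an added example that is not the examiner's tooling. It converts the posted decimal coordinates to the DMS string typed into Google Maps and checks they agree as the first post states, parses DMS back to decimal, and converts the EXIF GPSLatitude/GPSLongitude rational-triplet form that cameras and phones write into media files. The EXIF sample values are constructed; the WhatsApp database layout itself is not modelled here.

```python
import re

# Coordinates as the first forensic post reports them: decimal degrees from the
# message metadata, and the DMS string entered into Google Maps.
POSTED_DECIMAL = (55.75583, 37.6173)
POSTED_DMS = "55\u00b045\u203221.0\u2033N 37\u00b037\u203202.3\u2033E"

# Accepts the prime marks (U+2032, U+2033) the post uses as well as ASCII ' and ".
DMS_RE = re.compile(
    r'(\d+)\s*\u00b0\s*(\d+)\s*[\u2032\']\s*(\d+(?:\.\d+)?)\s*[\u2033"]\s*([NSEW])'
)


def decimal_to_dms(value, is_latitude):
    """Decimal degrees -> (deg, min, sec, hemisphere), seconds rounded to 0.1."""
    if is_latitude:
        hemi = "N" if value >= 0 else "S"
    else:
        hemi = "E" if value >= 0 else "W"
    v = abs(value)
    deg = int(v)
    minutes_full = (v - deg) * 60
    minutes = int(minutes_full)
    seconds = round((minutes_full - minutes) * 60, 1)
    # Rounding can push seconds to 60.0; carry so "59'60.0\"" is never emitted.
    if seconds >= 60.0:
        seconds -= 60.0
        minutes += 1
    if minutes >= 60:
        minutes -= 60
        deg += 1
    return deg, minutes, seconds, hemi


def format_dms(value, is_latitude):
    """Render one coordinate the way the post writes it, e.g. 55°45′21.0″N."""
    d, m, s, h = decimal_to_dms(value, is_latitude)
    return f"{d}\u00b0{m:02d}\u2032{s:04.1f}\u2033{h}"


def dms_to_decimal(deg, minutes, seconds, hemi):
    """Degrees/minutes/seconds plus hemisphere -> signed decimal degrees."""
    value = deg + minutes / 60 + seconds / 3600
    return -value if hemi in ("S", "W") else value


def parse_dms_pair(text):
    """Parse text holding one latitude and one longitude in DMS, in any order."""
    lat = lon = None
    for d, m, s, h in DMS_RE.findall(text):
        value = dms_to_decimal(int(d), int(m), float(s), h)
        if h in ("N", "S"):
            lat = value
        else:
            lon = value
    if lat is None or lon is None:
        raise ValueError("need one latitude and one longitude")
    return lat, lon


def exif_gps_to_decimal(rationals, ref):
    """EXIF stores GPSLatitude/GPSLongitude as three (numerator, denominator)
    rationals for degrees, minutes and seconds, with GPSLatitudeRef /
    GPSLongitudeRef giving the hemisphere letter. Convert that to decimal."""
    d, m, s = (num / den for num, den in rationals)
    return dms_to_decimal(d, m, s, ref)


def verify_posted_location(tolerance=1e-4):
    """Check the post's claim that its decimal and DMS coordinates agree."""
    lat, lon = POSTED_DECIMAL
    formatted = f"{format_dms(lat, True)} {format_dms(lon, False)}"
    back_lat, back_lon = parse_dms_pair(POSTED_DMS)
    return {
        "formatted": formatted,
        "matches_posted_dms": formatted == POSTED_DMS,
        "round_trip_ok": abs(back_lat - lat) < tolerance and abs(back_lon - lon) < tolerance,
    }


if __name__ == "__main__":
    print(verify_posted_location())
    # Constructed EXIF-style values for a photo tagged at the same spot.
    print(exif_gps_to_decimal(((55, 1), (45, 1), (2100, 100)), "N"))
```

Seconds are rounded to a tenth because that is the precision the post's DMS string carries; a DMS value only encodes the original decimal to about 3 m, which is why the round-trip check uses a tolerance rather than exact equality.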
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/6
Our research team took @AIatMeta LLaMA-8B, quantized it with QLIP using post-training int8, applied SmoothQuant, and used pre-defined compiler-compatible NVIDIA configs.
Why do this? Up to 2× fewer weights and 3.6× faster on one GPU.
Try it with our simple Jupyter Notebook.
A Pro-Iranian hacktivist group, APT-Iran, used RDP access to exfiltrate data and deploy LockBit Black ransomware samples to encrypt files. In a separate incident, the threat actor claimed to have compromised the Israel Ministry of Health’s network by exploiting an F5 BIG-IP vulnerability.
A little blog post I put together based around a talk I gave @BSidesLondon this year. We have had some easy access into client networks using the Cloudflared binary & when it is used in conjunction with Cloudflare Warp it can be just 1 command w/out ssh.
https://t.co/t3FMijRRtx
PYSA/Mespinoza Ransomware
➡️TTR 7.5 hours
➡️Koadic and Empire for C2
➡️7+ Credential Access techniques
➡️ADRecon, APS, quser, arp, and nltest for Discovery
➡️RDP and PsExec for Lateral Movement
➡️Files exfiltrated
➡️PYSA ransomware for Impact
Report link ⬇️