Source-attributed Telegram item

Source-attributed Telegram post from vx-underground

Cyber & Hacking

vx-underground

@vxunderground | rank 12 | Tier 2 | Fast-alert source

Fast Alert Sensor, Tier 2, Fast-alert source, Malware-research community perspective, Underground-source claims require extra corroboration, source-attributed, Telegram source claim, Public Telegram post, fast-alert sensor, research source, malware

Public Telegram feed monitored for malware and underground signals.

2.4K views | 19 forwards | 49 reactions | Top 78.57% in source | Source rank #12 | Global pct 42.27


Yesterday I got a funny DM. s00pcan said some AI slop is automatically forking his Linux open-source projects and adding goofy ass ReadMe files to look all fancy. The primary difference though is the ReadMe includes a "download here" link which delivers a .zip file.

The .zip file contains cool and badass malware. The malware is also free. Yay

This is a campaign which has been identified by various AV vendors since April 2026. It is attributed to StealC.

In this particular instance though it is very, very silly. The exact mechanism this StealC group is using to automagically fork projects on GitHub, insert bogus ReadMe files, etc. is unknown. Clearly it is AI generated. However, this group failed to account for all edge cases because ... this is malware developed for Windows ... but it is from a Linux audio driver fork.

This is, yet again, a use case of AI in malware campaigns. StealC has been around forever and clearly isn't AI slop. However, Threat Actors are using AI to generate fancy schmancy ReadMe files. Very cool. Thank you, Mr. Smart GPU-thingy.

The following GitHub repo I'll be linking is giving out FREE malware. Visiting the page won't give you the free malware. At the top of the ReadMe is a "Download" section with a hyperlink to "pcie_dante_snd_v1.4".

If you care what this payload does:
Inside this .zip file is "Application.cmd", "dir-dot-cc", "lua51.dll", and "loader.exe".

Application.cmd is a command line file; it launches loader.exe. Loader.exe is responsible for loading the "dir" file. Loader.exe is dependent on lua51.dll because the "dir" file is a GIANT obfuscated Lua file.

I hate Lua and I hate dealing with obfuscated Lua, I refuse to be a victim of Lua, so instead of trying to bonk it with a stick I emulated it. Unsurprisingly, the malicious Lua file tries to harvest credentials from Chrome and exfiltrate them to a remote host.

Free malware: github-dot-com/mbyington67-prog/snd-dante-pcie/tree/master

tl;dr ai slopping and forking github, delivers malware that uses obfuscated lua, i like cats a lot
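Two things in the post are checkable mechanically: the README lure (a "Download" section whose link hands out an archive) and the archive's execution chain (a .cmd launcher that starts loader.exe, which needs lua51.dll to run a large obfuscated Lua blob). The script below is an added example written for this page; it is not code from vx-underground, s00pcan, or the campaign. Only the file names come from the post. The archive contents, the README text, the example.invalid URL, and the entropy and size thresholds are constructed assumptions for the demo, and the heuristics are a triage aid, not a vendor signature.

```python
"""Triage helpers for the StealC-style Lua-loader lure described in the post.

Added example (not the post author's or the campaign's code). File names are
taken from the post; everything else here is constructed for illustration.
"""
import io
import math
import os
import re
import zipfile
from collections import Counter

# Assumed thresholds, not vendor rules; tune them against your own corpus.
ENTROPY_THRESHOLD = 5.5      # bits/byte; plain source sits ~4.5-5, packed/base64-ish data higher
BLOB_MIN_SIZE = 64 * 1024    # the post calls the Lua file "GIANT"; 64 KiB is an assumed floor
LUA_MARKERS = re.compile(rb"\x1bLua|loadstring|string\.char|load\(", re.I)
EXE_REF = re.compile(r"([\w.-]+\.exe)", re.I)
MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")
LAUNCHER_EXT = {".cmd", ".bat"}
SKIP_EXT = LAUNCHER_EXT | {".exe", ".dll"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_zip(zip_bytes: bytes) -> dict:
    """Flag the cmd -> loader.exe -> lua51.dll -> obfuscated-Lua chain inside an archive."""
    findings = {"cmd_launcher": None, "launched_exe": None, "lua_runtime": False,
                "blobs": [], "verdict": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        basenames = {os.path.basename(n).lower() for n in zf.namelist()}
        for name in zf.namelist():
            base = os.path.basename(name).lower()
            ext = os.path.splitext(base)[1]
            if ext in LAUNCHER_EXT:
                # The launcher is plain text; pull out whatever .exe it starts.
                findings["cmd_launcher"] = name
                m = EXE_REF.search(zf.read(name).decode("latin-1"))
                if m:
                    findings["launched_exe"] = m.group(1).lower()
            elif re.fullmatch(r"lua5\d\.dll", base):
                findings["lua_runtime"] = True
            elif ext not in SKIP_EXT and zf.getinfo(name).file_size >= BLOB_MIN_SIZE:
                # Large non-executable payload: score it by entropy and Lua tell-tales.
                data = zf.read(name)
                findings["blobs"].append({
                    "name": name,
                    "size": len(data),
                    "entropy": round(shannon_entropy(data), 2),
                    "lua_markers": bool(LUA_MARKERS.search(data)),
                })
    exe_present = findings["launched_exe"] in basenames
    suspicious_blob = any(b["entropy"] >= ENTROPY_THRESHOLD or b["lua_markers"]
                          for b in findings["blobs"])
    findings["verdict"] = bool(findings["cmd_launcher"] and exe_present
                               and findings["lua_runtime"] and suspicious_blob)
    return findings


def readme_archive_links(markdown: str) -> list:
    """Return (text, url) for links that point at an archive or sit under a Download heading."""
    out = []
    in_download = False
    for line in markdown.splitlines():
        if line.lstrip().startswith("#"):
            in_download = "download" in line.lower()
        for text, url in MD_LINK.findall(line):
            if url.lower().endswith(ARCHIVE_EXT) or in_download:
                out.append((text, url))
    return out


# Constructed README: heading and link text mirror the post, the URL is a placeholder.
SAMPLE_README = """# snd-dante-pcie
## Download
[pcie_dante_snd_v1.4](https://example.invalid/dl/pcie_dante_snd_v1.4.zip)
## Build
[kernel docs](https://www.kernel.org/doc/)
"""


def build_sample(with_lua_runtime: bool = True) -> bytes:
    """Constructed stand-in for the archive in the post: names from the post, contents made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Application.cmd", "@echo off\r\nstart \"\" loader.exe dir\r\n")
        zf.writestr("loader.exe", b"MZ" + b"\x00" * 62)      # placeholder bytes, not a real PE
        if with_lua_runtime:
            zf.writestr("lua51.dll", b"MZ" + b"\x00" * 62)
        zf.writestr("dir", os.urandom(BLOB_MIN_SIZE + 1))   # high-entropy filler for the Lua blob
    return buf.getvalue()


if __name__ == "__main__":
    print("README archive links:", readme_archive_links(SAMPLE_README))
    for label, sample in (("post-like", build_sample()), ("no lua51.dll", build_sample(False))):
        r = triage_zip(sample)
        print(label, "-> verdict:", r["verdict"], "| launcher:", r["cmd_launcher"],
              "-> exe:", r["launched_exe"], "| blobs:", r["blobs"])
```

The verdict deliberately requires all four pieces (launcher, the executable it references, a Lua runtime DLL, and a large high-entropy or Lua-marked blob) so that a benign project shipping a single lua51.dll does not trip it; drop the real archive bytes into `triage_zip` to check a sample, and run `readme_archive_links` over a fork's README to spot the "Download" lure before anyone clicks it.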

cyber-hacking cyber fast-alert-sensor research-source malware osint