It's been extremely hard to keep this one under wraps.
-
I just published a new blog post, where one weird string that looks like a cookie value turned out to be a whole cryptostealer and database wiping operation.
https://www.labs.greynoise.io/grimoire/2026-02-24-whats-that-string/
I spent some late nights on this one, and am a little bit ridiculously proud of the work I did.
-
@Dio9sys good to know I'm among the like-minded. Second I saw this I was like... "That's URL-encoded base64 with the double equal at the start, so... in reverse." Good times.
-
@Dio9sys every damn time I see something interesting, it's either Mirai or a crypto miner, lmao.
-
@da_667 Pulling the thread on this sweater was some of the most fun I've had in a long time, ngl
-
@Dio9sys Oh I live for unraveling stuff like this. I love your write-up. Extremely well-done, and thank you for sharing with us.
-
@da_667 malware born after 1993 can't virus. All they know is be on their phones, run mirai, steal crypto, eat hot chip and lie
-
@Dio9sys "hey that looks like backwards base64"
i love those moments.
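The "backwards base64" tell that da_667 and neurovagrant describe in this thread (padding at the front of a URL-encoded value, when base64 padding can only ever sit at the end) is something a defender can check mechanically rather than by eye. The Python below is an added example written for this thread; it is not code from the thread or from the GreyNoise write-up. The sample log line, the `sid` cookie name and the payload text are constructed, and the name=value splitting is a deliberately simple stand-in for a real HTTP parser.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote

# Matches name=value pairs as they appear in a Cookie header or a
# form-encoded body. Deliberately simple: a stand-in for a real HTTP parser.
_PAIR = re.compile(r"([A-Za-z0-9_.\-]+)=([^;&\s\"']+)")


def make_sample(payload: bytes) -> str:
    """Constructed sample: base64-encode, reverse, then URL-encode.

    This only mirrors the shape of the string discussed in the thread so the
    detection below has something to run on; it is not the real payload.
    """
    b64 = base64.b64encode(payload).decode("ascii")
    return quote(b64[::-1], safe="")


def decode_reversed_b64(token: str) -> Optional[bytes]:
    """Return the decoded bytes if `token` is URL-encoded, reversed base64.

    The tell: base64 padding ('=' or '==') only ever appears at the END of a
    valid encoding, so a value that starts with padding and otherwise looks
    like base64 has almost certainly been reversed.
    """
    raw = unquote(token)
    if not raw.startswith("="):
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet and
        # lengths that cannot be valid, so random junk is not "decoded".
        return base64.b64decode(raw[::-1], validate=True)
    except (binascii.Error, ValueError):
        return None


def find_reversed_b64(text: str) -> List[Tuple[str, bytes]]:
    """Scan a cookie header, form body or log line for reversed-base64 values."""
    hits = []
    for name, value in _PAIR.findall(text):
        decoded = decode_reversed_b64(value)
        if decoded is not None:
            hits.append((name, decoded))
    return hits


# Constructed log line: a POST whose `sid` cookie carries the reversed string.
SAMPLE_LOG = (
    'POST / HTTP/1.1 cookie="sid='
    + make_sample(b"the quick brown fox")
    + '; theme=dark"'
)

if __name__ == "__main__":
    for name, decoded in find_reversed_b64(SAMPLE_LOG):
        print(f"{name}: {decoded!r}")
```

The check is cheap enough to run over every cookie and body value in a proxy or honeypot log; a value that starts with `%3D` or `=` and survives a strict base64 decode after reversal is worth a second look, while ordinary base64 values and plain cookie values fall through untouched.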
-
@Dio9sys Great work! This was a fun read. :3
-
@Dio9sys Quick question- the initial payload string -- were you all seeing that in GET requests? POST requests? Attached to particular exploit attempts? Would love to sig it. I'll have Suricata rules for the C2 tomorrow (We just finished up QA release for today, unfortunately)
-
@Dio9sys Ah yes. I've seen my share of those. Kudos on the writeup.
-
@Dio9sys this is an amazing read! Great work.
-
@Dio9sys this is such a good post! thanks for writing it.
-
@neurovagrant @Dio9sys "hey that looks like AES-GCM, encrypted with the Key ..." would be very handy.
-
@da_667 The payload that triggered all this was a POST request. Best guess right now is that it was intended for a machine that had already been exploited and with a malware dropper hiding on the device to wait for the POST request with the hidden payload.
Fun fact that I didn't note in the post: I found the same payload on one of those Chinese websites where they share their firewall logs....and then I checked it again the next day and the file was corrupted lol
-
@alda everything comes down to someone wanting crypto
-
@InsiderTreat thanks!
-
@neurovagrant Thanks! It was fun!
-
@Dio9sys sorry to keep badgering you, and if you're under NDA or just don't want to right now, that's fine, but can you tell me if it was an actual cookie header value?
-
Dear reader, I cannot describe the joy I have at working with the type of person who can look at a string and go “ah yeah, backwards base64.”
beautiful sentence