It's been extremely hard to keep this one under wraps.
I just published a new blog post, where one weird string that looks like a cookie value turned out to be a whole cryptostealer and database wiping operation.
https://www.labs.greynoise.io/grimoire/2026-02-24-whats-that-string/
I spent some late nights on this one, and am a little bit ridiculously proud of the work I did.
-
@da_667 malware born after 1993 can't virus. All they know is be on their phones, run mirai, steal crypto, eat hot chip and lie
-
@Dio9sys Quick question- the initial payload string -- were you all seeing that in GET requests? POST requests? Attached to particular exploit attempts? Would love to sig it. I'll have Suricata rules for the C2 tomorrow (We just finished up QA release for today, unfortunately)
-
@Dio9sys Ah yes. I've seen my share of those. Kudos on the writeup.
-
@Dio9sys this is an amazing read! Great work.
-
@Dio9sys "hey that looks like backwards base64"
i love those moments.
@Dio9sys this is such a good post! thanks for writing it.
-
@neurovagrant @Dio9sys "hey that looks like AES-GCM, encrypted with the Key ..." would be very handy.
-
@Dio9sys Quick question- the initial payload string -- were you all seeing that in GET requests? POST requests? Attached to particular exploit attempts? Would love to sig it. I'll have Suricata rules for the C2 tomorrow (We just finished up QA release for today, unfortunately)
@da_667 The payload that triggered all this was a POST request. Best guess right now is that it was intended for a machine that had already been exploited and with a malware dropper hiding on the device to wait for the POST request with the hidden payload.
Fun fact that I didn't note in the post: I found the same payload on one of those Chinese websites where they share their firewall logs....and then I checked it again the next day and the file was corrupted lol
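For the "hey, that looks like backwards base64" moment above and the POST-carried hidden payload described in this reply, here is an added triage example. It is not code from the GreyNoise write-up; the HTTP requests, host, cookie names and hidden text are all constructed for the demonstration. It pulls every cookie and form value out of a request, tries each as base64 as-is and reversed, and keeps only the ones that decode to printable text. Genuine session IDs decode to high-entropy bytes in both directions and drop out.

```python
"""What's that string? Triage of opaque cookie / form values.

Constructed example: the HTTP requests below are made up for this
demonstration, not traffic from the GreyNoise post.
"""
import base64
import binascii
import re
import string
from urllib.parse import unquote

B64_CHARS = re.compile(r"^[A-Za-z0-9+/_-]+=*$")
PRINTABLE = set(string.printable)
MIN_LEN = 16            # shorter values are almost always genuine IDs/tokens
PRINTABLE_THRESHOLD = 0.95
COOKIE_HEADER = re.compile(r"^Cookie:\s*(.*)$", re.I | re.M)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (1.0 for clean text)."""
    if not data:
        return 0.0
    return sum(chr(b) in PRINTABLE for b in data) / len(data)


def decode_b64(s: str):
    """Strict base64 decode in the standard or URL-safe alphabet, else None."""
    padded = s + "=" * (-len(s) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def triage_string(value: str):
    """Return (orientation, decoded) if value hides readable text, else None.

    A real session token decodes (forward or reversed) to high-entropy
    bytes; a smuggled command decodes to printable text in one of the two
    orientations.  The string is tried as-is first, then reversed.
    """
    if len(value) < MIN_LEN or not B64_CHARS.match(value):
        return None
    for orientation, candidate in (("forward", value), ("reversed", value[::-1])):
        # once reversed, the original '=' padding sits at the front; drop it
        decoded = decode_b64(candidate.lstrip("="))
        if decoded and len(decoded) >= 8 and printable_ratio(decoded) >= PRINTABLE_THRESHOLD:
            return orientation, decoded
    return None


def extract_values(raw_request: str):
    """Yield (location, name, value) for every cookie and form-body field."""
    head, _, body = raw_request.partition("\r\n\r\n")
    for m in COOKIE_HEADER.finditer(head):
        for pair in m.group(1).split(";"):
            name, _, val = pair.strip().partition("=")
            yield "cookie", name, val
    if body:
        for pair in body.split("&"):
            name, _, val = pair.partition("=")
            yield "body", name, unquote(val)


def scan_requests(requests):
    """Run triage over every extracted value; return the hits."""
    findings = []
    for idx, raw in enumerate(requests):
        for location, name, value in extract_values(raw):
            hit = triage_string(value)
            if hit:
                orientation, decoded = hit
                findings.append({
                    "request": idx,
                    "where": f"{location}:{name}",
                    "orientation": orientation,
                    "decoded": decoded.decode("ascii", "replace"),
                })
    return findings


# Constructed sample data (hypothetical host, cookie names and hidden text).
HIDDEN_TEXT = b"echo constructed sample; id"
REVERSED_B64 = base64.b64encode(HIDDEN_TEXT).decode()[::-1]
SAMPLE_REQUESTS = [
    "POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n"
    "Cookie: PHPSESSID=8f14e45fceea167a5a36dedd4bea2543; tk=" + REVERSED_B64 + "\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=guest&note=aGVsbG8gd29ybGQh",
    "GET /health HTTP/1.1\r\nHost: example.invalid\r\n"
    "Cookie: sid=b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7\r\n\r\n",
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f)
```

The printable-ratio threshold is the only heuristic here; for a sensor feed you would tune MIN_LEN and the threshold against your own baseline of real cookie values, and treat a hit as a lead to pivot on, not as a signature on its own.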
-
@alda everything comes down to someone wanting crypto
-
@InsiderTreat thanks!
-
@neurovagrant Thanks! It was fun!
-
@Dio9sys sorry to keep badgering you, and if you're under NDA or just don't want to right now, that's fine, but can you tell me if it was an actual cookie header value?
-
Dear reader, I cannot describe the joy I have at working with the type of person who can look at a string and go “ah yeah, backwards base64.”
beautiful sentence
-
@Dio9sys Not finished reading but
The c2c subdomain is an nginx server on Ubuntu on a server in Japan, per URLScan. I was curious what the top level domain looked like, so I tried www as well. Turns out their www is in a Tencent datacenter in Singapore. Neat!
Tencent is that company that buys games from indie developers
That seems foreboding...
-
@Dio9sys I'm reminded of the book "The Cuckoo's Egg" by Clifford Stoll, who similarly stumbled upon foreign hacker activity in the computer system at Lawrence Berkeley National Laboratory, because of a $0.75 accounting discrepancy in computer usage.
-
@Epic_Null Tencent is a megabrand tho. They are basically the Chinese AWS if AWS also had a movies division, blogging platform, and game studio.
-
@Intaglio_Dragon oh, I should give that one a read
-
@Dio9sys Okay so this is more "Someone buying file storage and runtime to run this operation" than "Tencent is running cryptominers"
-
@Dio9sys I love @greynoise 🤓
-
So, Amazon (minus the blog platform)
-
No immediately visible MX server. I wonder if they’re actually using an email protocol or if it’s a front end for sending log files.
this doesn't seem right. your query was for mail.deepgtp.net/health, which is a URL, not a domain. querying the domain gives proper mailserver data:
$ dig +short deepgtp.net mx
10 mail.deepgtp.net.
$ dig +short mail.deepgtp.net a
43.160.236.90