@Dio9sys this is an amazing read! Great work.
@InsiderTreat thanks!
-
@Dio9sys this is such a good post! thanks for writing it.
@neurovagrant Thanks! It was fun!
-
@da_667 The payload that triggered all this was a POST request. Best guess right now is that it was intended for a machine that had already been exploited and with a malware dropper hiding on the device to wait for the POST request with the hidden payload.
Fun fact that I didn't note in the post: I found the same payload on one of those Chinese websites where they share their firewall logs....and then I checked it again the next day and the file was corrupted lol
@Dio9sys sorry to keep badgering you, and if you're under NDA or just don't want to right now, that's fine, but can you tell me if it was an actual cookie header value?
-
It's been extremely hard to keep this one under wraps.
I just published a new blog post, where one weird string that looks like a cookie value turned out to be a whole cryptostealer and database wiping operation.
https://www.labs.greynoise.io/grimoire/2026-02-24-whats-that-string/
I spent some late nights on this one, and am a little bit ridiculously proud of the work I did.
Dear reader, I cannot describe the joy I have at working with the type of person who can look at a string and go "ah yeah, backwards base64."
beautiful sentence
-
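The "backwards base64" observation in the post above is the kind of thing that is worth turning into a small triage helper so the next cookie-looking value gets checked the same way. The code below is an added example for this thread, not code from the blog post, from GreyNoise or from the people replying here; the sample strings are constructed inline, and the function names (`triage_string`, `looks_like_text`) are my own.

```python
import base64
import binascii
import re
import string
from typing import Optional

# Standard base64 alphabet, with '=' padding allowed only at the end.
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
_PRINTABLE = set(string.printable.encode())


def _try_b64(candidate: str) -> Optional[bytes]:
    """Decode as base64 after re-adding stripped '=' padding; None if not base64."""
    s = candidate.strip()
    s += "=" * (-len(s) % 4)
    if not _B64_RE.fullmatch(s):
        return None
    try:
        return base64.b64decode(s)
    except (binascii.Error, ValueError):
        return None


def looks_like_text(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: decoded output that is mostly printable ASCII deserves a second look."""
    if not data:
        return False
    return sum(b in _PRINTABLE for b in data) / len(data) >= threshold


def triage_string(value: str) -> dict:
    """Try the decodings an analyst reaches for on a cookie-looking value.

    Strategies are tried in order; the first one that yields printable text wins.
    A value that is base64 written backwards fails the plain attempt (the
    padding '=' ends up at the front) and succeeds once reversed.
    """
    strategies = {
        "base64": value,
        "reversed-base64": value[::-1],
    }
    for name, cand in strategies.items():
        out = _try_b64(cand)
        if out is not None and looks_like_text(out):
            return {"strategy": name, "decoded": out.decode("ascii", "replace")}
    return {"strategy": "none", "decoded": None}


# Constructed sample: an innocuous sentence, base64-encoded and then reversed,
# which is the shape of value the post describes. Not a real captured payload.
PLAIN_SAMPLE = "constructed sample: not a real payload"
REVERSED_SAMPLE = base64.b64encode(PLAIN_SAMPLE.encode()).decode()[::-1]


if __name__ == "__main__":
    for v in (REVERSED_SAMPLE, "c2Vzc2lvbj1hYmM=", "deadbeefcafe"):
        print(v, "->", triage_string(v))
```

Run it directly and it walks three constructed inputs: the reversed value decodes only after reversal, an ordinary base64 cookie decodes on the first try, and a hex-looking string decodes to binary noise and is reported as "none" rather than handed to the analyst as text.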
@Dio9sys Not finished reading but
The c2c subdomain is an nginx server on ubuntu on a server in japan, per URLScan. I was curious what the top level domain looked like, so I tried www as well. Turns out their www is in a tencent datacenter in singapore. Neat!
Tencent is that company that buys games from indie developers
That seems foreboding...
-
@Dio9sys I'm reminded of the book "The Cuckoo's Egg" by Clifford Stoll, who similarly stumbled upon foreign hacker activity in the computer system at Lawrence Berkeley National Laboratory, because of a $0.75 accounting discrepancy in computer usage.
-
@Epic_Null
Tencent is a megabrand tho. They are basically the chinese AWS if AWS also had a movies division, blogging platform, and game studio
-
@Intaglio_Dragon
oh, I should give that one a read
-
@Dio9sys Okay so this is more "Someone buying file storage and runtime to run this operation" than "tencent is running cryptominers"
-
@Dio9sys I love @greynoise
-
So, Amazon (minus the blog platform)
-
No immediately visible MX server. I wonder if they're actually using an email protocol or if it's a front end for sending log files.
this doesn't seem right. your query was for mail.deepgtp.net/health, which is a url, not a domain. querying the domain gives proper mailserver data:
$ dig +short deepgtp.net mx
10 mail.deepgtp.net.
$ dig +short mail.deepgtp.net a
43.160.236.90
-
@Dio9sys me at 7:30 am: ahh what a lovely morning to read a hang on let me get my dictionary.
-
@Dio9sys I've never seen CyberChef before! That looks extremely useful
-
@Dio9sys that reminds me of the one time my university was attacked by a phishing operation, and the operator of the phishing operation had the stolen auth data publicly visible on their website, got in touch with the university, told them that and they wrote a cron job to see who fell for the phishing site and deactivate their accounts xD
-
@Dio9sys Oh and thank you, was a fun read and very impressive deduction sequence, hope you had a good night of sleep afterwards :D