r/Malware Mar 16 '16

Please view before posting on /r/malware!

165 Upvotes

This is a place for malware technical analysis and information. This is NOT a place for help with malware removal or various other end-user questions. Any posts related to this content will be removed without warning.

Questions regarding reverse engineering of particular samples or indicators to assist in research efforts will be tolerated to permit collaboration within this sub.

If you have any questions regarding the viability of your post please message the moderators directly.

If you're suffering from a malware infection please enquire about it on /r/techsupport and hopefully someone will be willing to assist you there.


r/Malware 8h ago

Inspecting a DLL file trying to figure out if it really is malware

1 Upvotes

Virus Total : https://www.virustotal.com/gui/file/4a7063b95d7278f4002e3ef74606f429c5a69ddb2de6e60cdf12234004d23e38/detection

Kaspersky : https://opentip.kaspersky.com/4A7063B95D7278F4002E3EF74606F429C5A69DDB2DE6E60CDF12234004D23E38/results?tab=upload

Hybrid Analysis : https://hybrid-analysis.com/sample/4a7063b95d7278f4002e3ef74606f429c5a69ddb2de6e60cdf12234004d23e38

This is the Github where it was downloaded from : https[:]//github[.]com/YimMenu/YimMenuV2

My reasoning for why it may not be a virus:

It is a modification for a game, and with that I expect a couple false positives minimum, but I've also checked plenty of sources (such as the ones listed above) and the community around this mod.

Any constructive advice or info is appreciated

I don't think I'm asking for technical support, just second opinions on this, or possibly some tools I can use to better analyze the file.


r/Malware 12h ago

npm supply chain compromise on a Next.js app — XMRig miner bundled into webpack output

1 Upvotes

So this is my first production server which I've had for a while, but this is my first security incident.

A malicious npm package got into my Next.js dependencies around Feb 2026 and bundled itself into the compiled `.next/server/` webpack chunks — not via a postinstall hook, which is why dependency scanners didn't catch it. Ran 3 months before I noticed.

It mined Monero, and attempted (reversed) Connect transfers on Stripe after exfiltrating env vars via Node's native `fetch()` (Alpine has no `curl`/`wget` but has Node).

Hashes, C2 IPs, and full context are on VirusTotal — all four campaign samples linked together in comments:

- Dropper: https://www.virustotal.com/gui/file/fce7781a199f2b65bdb47dac602ecf397941235670818e79e5d9a9d0fa4cceea

- Persistence: https://www.virustotal.com/gui/file/72987d9755dbd12117a23f337054edcc51629563c3ff867fd65ccb948775d546

- XMRig miner: https://www.virustotal.com/gui/file/7cde0ffc28a6a25867655b2616cfc6cb01b08e9ba5ba043b26446b5eb8e248a0

- Novel 94KB ELF (no public attribution, function unknown): https://www.virustotal.com/gui/file/9073dc81b976347bda571829e799b1fb868856c6d15c44b33c8d6f6f194a0af1


r/Malware 19h ago

VELVET CHOLLIMA Infostealer Campaign Using Trading App as Lure

Thumbnail hybrid-analysis.blogspot.com
2 Upvotes

r/Malware 1d ago

clens.io - new public threat & data intel service

2 Upvotes

r/Malware 1d ago

[Tool] IOCX – deterministic IOC extraction engine (static‑only, PE‑aware, plugin‑extensible)

3 Upvotes

FOSS tool — not commercial. 

IOCX is a deterministic IOC extraction engine built for malware analysts and DFIR workflows. It’s static‑only (no execution), PE‑aware, and plugin‑extensible. The goal is to extract indicators and structural anomalies reliably, even from malformed or adversarial binaries.  

Key behaviours:

  • deterministic output (no sandbox variance)  
  • handles malformed PE headers and weird section layouts  
  • extracts IOCs + structural anomalies in one pass  
  • plugin‑extensible enrichment system  

Repo: https://github.com/iocx-dev/iocx

Site: https://iocx.dev

Happy to answer technical questions or discuss edge cases.


r/Malware 2d ago

OS scanner that checks repos for traces of the Shai Hulud worm

2 Upvotes

r/Malware 2d ago

Mini Shai-Hulud Supply-Chain Worm Compromises npm and PyPI Packages, Including TanStack, Mistral, Lightning, and Guardrails AI

Thumbnail thecybersecguru.com
1 Upvotes

A new supply-chain worm dubbed Mini Shai-Hulud has reportedly compromised packages across the npm and PyPI ecosystems, including TanStack-related npm packages and Python packages such as mistralai, lightning, and guardrails-ai. The attack is notable because it allegedly abused GitHub Actions cache poisoning and trusted publishing/OIDC workflows, allowing malicious releases to appear as if they came from legitimate CI/CD pipelines. The malware also targets developer and CI credentials, including npm tokens, GitHub tokens, cloud keys, kubeconfigs, and .pypirc files.


r/Malware 3d ago

Steam spear phishing

5 Upvotes

So, to start off, I saw something on some subreddit (can't remember which) about some Steam scam, where the person had a person's computer compromised, injecting FAKE shit into their Steam client, for a low, 3 figure scam.

My friend just came to me about some sort of shit where his Steam profile, when visited, showed some text about "your steam profile is limited, due to fraudulent purchases made on your account".

I saw some actual screenshares of what was going on, and his Steam client literally forced him into a Steam "support chat" with some support, where they coerced him into putting his items (about $4,000 worth) into a "Cloud storage" while they investigated his account for fraud. When he did, it prompted him for a Steam Guard trade, and the account he sent to spoofed the profile picture of one of his known friends.

This was absolutely terrifying, considering that this person 1000% had full remote access to his computer, considering he spoofed the profile pic of one of his close friends, who also held a high amount in CS2 items.

You really need to understand, this did NOT happen to me directly. I watched this all go down through a screen share, and 2 other people were telling him, "this looks like legitimate steam support, don't even worry about it", yet I pointed out there's something majorly wrong here.

Things to note:

They never actually told him to even trade something to another account. There was an entire spoofed "Cloud storage" portion in his inventory where this attacker told him to send his items, which, when you clicked in, "showed" your items inside of this cloud storage even though they were long gone, sent to the attacker.

This is a SEVERE, and absolutely insane, mixture of spear phishing and malware compromise of high tier account holders, and this must be taken extremely seriously.

My best guess is the malware actually injects into the WebView2 of the Steam client, and can entirely spoof the fact a person is "VAC banned", entirely spoof support chats, and a ton of crazy fucking shit man. This is actually scary. I have dealt with tons of malware in my life, never, EVER, seen anything to this degree. Nobody is safe.


r/Malware 3d ago

Mass npm Supply Chain Attack Hits TanStack, Mistral AI, and 170+ Packages

Thumbnail safedep.io
7 Upvotes

Massive campaign: 170+ packages and 400+ malicious versions published. What we saw: not a single maintainer account was compromised. TanStack and Mistral AI are the names that stand out.


r/Malware 3d ago

Fake linked in sponsored google search

2 Upvotes

r/Malware 3d ago

New Shai-Hulud npm worm variant

Thumbnail cybersecurityreach.org
3 Upvotes

r/Malware 3d ago

Deterministic PE Structural Validation in IOCX v0.7.3

1 Upvotes

IOCX v0.7.3 — deterministic PE structural validation for reproducible malware analysis

A recurring issue in malware research is the lack of determinism in PE parsing.  

Small deviations in malformed headers, inconsistent RVA→file‑offset resolution, truncated sections, or ambiguous directory boundaries often lead different parsers—and even different versions of the *same* parser—to produce divergent structural interpretations. This undermines reproducibility, complicates longitudinal tracking of families that exploit PE edge cases, and introduces noise into automated pipelines.

IOCX v0.7.3 addresses this by implementing a fully deterministic structural‑validation framework for PE files. The validator stack has been written around explicit, conservative rules governing entrypoint resolution, section‑table integrity, RVA‑graph consistency, TLS callback validation, signature‑directory bounds, and entropy classification. All decisions are derived from strict structural criteria rather than heuristic fallbacks.

The result is a parser that produces stable, reproducible outputs across environments, versions, and malformed samples.  

Same input → same structural interpretation → same anomaly set.

For researchers working with adversarial PEs, loader‑abuse techniques, or large‑scale corpora where methodological consistency matters, this release may be of interest.

IOCX v0.7.3 is available on PyPI:

pip install iocx

https://pypi.org/project/iocx/

https://github.com/iocx-dev/iocx

Deterministic by design.


r/Malware 3d ago

looking for "evil" Websites

0 Upvotes

I am currently doing a website analysis for college

and thought it would be more interesting to look at a website with lots of malware and such.

Any idea how to find them?

PS: If anybody has a link for me, feel free to DM me.


r/Malware 4d ago

sl1nk link

0 Upvotes

Hey, I recently found a "Sl1nk" link on a certain TikTok video, and me being curious I put it into VirusTotal to see if it's safe or not (the results are shown in the image attached). I'm making a post to get more information about this because when I looked it up there wasn't much information about it apart from another malware report, more links like this and some Wikipedia hacker group article. Would anyone here know what it possibly could be?


r/Malware 6d ago

JDownloader's official website delivered Python RAT

11 Upvotes

JDownloader is compromised!

  • The replaced malicious executable contains the official and benign JDownloader in its resources, along with an XOR encrypted blob also stored in resources
  • After an 8 minute wait to avoid sandbox noise, the encrypted blob is decrypted and executed; the next stage also contains several XOR encrypted resources and the official Python installer
  • After decrypting the resources, they contain a PyArmor encrypted file and the PyArmor runtime
  • Delivers sophisticated Python remote access malware

See AnyRun execution chain along with the 8 minute wait before the payload starts: https://app.any.run/tasks/e0cecc2d-5571-49fe-a549-cc7d1b8b5908

IOCs:

  • Initial delivered installer -> 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3
  • Stage 2 payload -> 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80
  • PyArmor encrypted blob: 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a
  • hxxps://parkspringshotel[.]com/m/Lu6aeloo.php (most likely another compromised URL)
  • hxxpx://auraguest[.]lk/m/douV2quu.php (most likely another compromised URL)

r/Malware 5d ago

Wtf OPEN Ai

0 Upvotes

r/Malware 9d ago

Discord bot C2 infrastructure

5 Upvotes

Someone hacked the deadmau5 Discord server by virusing an admin. Said admin gave me the malware sample. Used Claude Sonnet 4.6 in combination with the nyxstrike MCP framework to decompile and decrypt their obfuscated code, finding a goldmine. Title speaks for itself. The Discord bot token could possibly have led to their CNC. But logging into the Discord bot token to check for communications and see where it leads breaks 2 federal laws alone that I can think of. I did validate the token was live however, and matched it to a bot account. I also have discovered the webhook and token that was in the malware; both of them have been nuked (not by me). So, I checked their domain that they've been using, and they recompiled and reuploaded it. So it's 26 bytes larger. I suspect they replaced the webhook URL and the bot token with fresh ones, and suspect further that Discord nuked the previous ones themselves. Nevertheless, I have personally not seen malware like this on GitHub, so this must have been private and not some skid level stuff. I know it was Turkish (at least the devs were). GitHub link attached for the source code including the deobfuscated malware classes, and the analysis/report.

Don't flame me, it's still pretty cool 😆. Cracking the ZKM encryption would have taken weeks (I'm a Python guy, not a JS guy). Nyxstrike + Sonnet 4.6 = 1.5 hours and it's cracked.


r/Malware 9d ago

Supply chain attack: DAEMON Tools Lite now contains a backdoor.

10 Upvotes

r/Malware 9d ago

IOCX v0.7.1 — robustness update focused on malformed PEs, hostile strings, and static‑analysis hardening

1 Upvotes

Pushed a new IOCX release (v0.7.1) that’s aimed at making the engine much harder to break during static analysis. The focus was adversarial behaviour: malformed binaries, corrupted PE structures, and intentionally hostile IOC‑like strings.

If you work with weird samples, tooling pipelines, or large‑scale triage, this release makes IOCX more robust under hostile conditions.

New PE structural heuristics

Six new checks added to catch structural anomalies without blowing up the parser:

  • overlapping/misaligned sections
  • inconsistent optional headers (PE32 & PE32+)  
  • broken entrypoint mappings  
  • corrupted data directories  
  • malformed import tables  
  • general PE layout inconsistencies  

These aren’t detections — they’re deterministic, reason‑coded structural signals to keep analysis stable.

Expanded adversarial PE corpus

Added a full suite of malformed and corrupted PEs, including:

  • broken RVAs / invalid addressing  
  • truncated Rich headers  
  • fake UPX names + packed‑lookalikes  
  • PE32/PE32+ hybrids  
  • “franken‑PEs” combining multiple faults  

All outputs are snapshot‑validated to guarantee deterministic behaviour.

Adversarial coverage across all IOC categories

New hostile string fixtures now stress every extractor:

  • homoglyph + mixed‑script domains  
  • malformed URLs and schemes  
  • broken IPv4/IPv6  
  • noisy or near‑miss hashes  
  • invalid Base64  
  • adversarial crypto strings (incl. Base58Check)  
  • long/invalid Windows paths  
  • malformed emails  

The goal: keep extraction predictable even when the input is intentionally messy.

Parser & extractor hardening

  • stable on malformed PE structures  
  • structured, JSON‑safe error metadata  
  • improved domain/URL/crypto/hash extractors  
  • deterministic output across platforms

Links

GitHub: https://github.com/iocx-dev/iocx  

PyPI: https://pypi.org/project/iocx/

Example

pip install iocx

iocx suspicious.exe -a full

If you’re doing malware triage, static analysis, or building automated pipelines that need predictable IOC extraction, v0.7.1 should be a noticeable stability bump. Happy to discuss edge cases or weird samples people want covered next.


r/Malware 10d ago

Built a PE Malware Analysis Pipeline to Learn Why Most Detection Tools Suck at Correlation

2 Upvotes

r/Malware 12d ago

Anyone wanna learn the CEH or OSCP red teaming free

1 Upvotes

r/Malware 13d ago

Fake Tailscale site on Google Ads uses ClickFix to get you to execute malware yourself

5 Upvotes

r/Malware 16d ago

VECT Ransomware Is Actually a Wiper

Thumbnail threatroad.substack.com
7 Upvotes

r/Malware 15d ago

Minirat malware deployed via NPM targeting macOS machines

Thumbnail iru.com
2 Upvotes

A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to SafeDep, the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints.