# Patching a Zero Day Exploit
It uses Tailscale to communicate back to the C2 server
Interesting, it's using a Java 22+ feature - which is very unusual in malware. Most malware operators want extremely broad compatibility so they won't do that. So this is new.
This is insanely heavily obfuscated too - they're trying really hard to protect the information.
| Component | Detail |
|---|---|
| Primary C2 | DERP protocol (Tailscale relay) - `GET /derp HTTP/1.1` + `Upgrade: DERP` header |
| Fallback C2 | HTTP poll/push over `java.net.http.HttpClient` |
| Authentication | 32-byte operator public key (Curve25519 likely) |
| Wire format | Length-prefixed binary frames (BIG_ENDIAN, `getInt`/`putInt`) |
| Data format | JSON (custom parser/serializer in classes b/c) |
| Encryption | AES-GCM (`GCMParameterSpec` + `SecretKeySpec`) + HMAC (`javax.crypto.Mac`) |
| Key exchange | ChaCha20/Salsa20 handshake (`rotateLeft`, `SecureRandom`) |
| Command execution | `ProcessBuilder`, `redirectErrorStream`, `waitFor` |
| Process enumeration | `ProcessHandle.allProcesses`, `ProcessHandle.Info` |
| Host fingerprinting | `getHostName`, `getHostAddress`, `getLocalHost`, `getenv`, `getProperty`, `Locale`, `RuntimeMXBean`, `getInputArguments` |
| Native code exec (FFI) | `java.lang.foreign.Linker.downcallHandle` - can call arbitrary C functions |
| Module loading | beacon/Module interface + `defineClass` ClassLoader (fileless) |
| Encrypted comms | Dual-layer: AES-GCM + ChaCha20 stream cipher |
| SSL/TLS | `SSLSocketFactory.createSocket`, `startHandshake`, `setEndpointIdentificationAlgorithm` |
(some of this is AI assisted output)
@ember ruin - I can shed some light on why MS Defender didn't catch this - it's heavily encrypted and obfuscated, and based on the hashes and behaviors I'm seeing, it's new. This is definitely an advanced piece of malware. Parts of this were 100% targeted towards the vulnerability in PZ. My guess is relatively possibly an AI generated first stage loader. They probably sent AI at it and said, find an exploit. I can say with certainty it's a RAT (Remote Access Trojan) with upgrade and persistence capabilities. It's designed to be as file-less as possible to avoid Defender (Defender isn't super great at protecting against file-less malware). Also because this malware is entirely Java based, it can run on Linux based systems too.
luckily that particular vulnerability has been patched
we shall see what happens in the future
yup
Regarding the Linux, from what I could see it just didn't
well that's f'd up
They tried to run PowerShell on Linux
Which makes this even weirder: smart enough to find that issue but too stupid to actually differentiate Linux from Windows
Java 22 ain't that old, I still got Java 8 flying around my device
What is interesting is in the PowerShell command - it verified the first few bytes of the decrypted payload. So it knew exactly what to expect
Gotta love Minecraft...
I just hope nobody is stupid enough to reupload the mod
Especially because Steam uses file hashes, so if they reupload a single file from that mod their account is nuked
right now I'm trying to yank the C2 server info out but it's protected pretty heavily
HAH
You could shoot the hoster a little message they love that
JACKASSES - they used the protection key as the name of the JAR file to check if it's been exploited
im still smarter than claude.
| Item | Value |
|---|---|
| Primary C2 URL | https://zmq4v4wbc4i6aootva7h4kio5i.srv.us/ |
| C2 poll endpoint | /tasks |
| C2 push endpoint | /results |
| Fallback IP | 127.0.0.1 (localhost - likely placeholder/default) |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
lick muh balls
f'ckin threat actors got nothin on me.
Boy do I hope they are stupid enough to use one of the hosters requiring id
aaannd the cryptominer pool config:
| Item | Value |
|---|---|
| BSC RPC 1 | https://bsc-dataseed.binance.org/ |
| BSC RPC 2 | https://bsc-dataseed1.ninicoin.io/ |
| BSC RPC 3 | https://bsc-dataseed2.ninicoin.io/ |
| BSC RPC 4 | https://bsc-dataseed1.defibit.io/ |
| Smart Contract | 0xab695725c66c2bdB4d2E24EaeCdBbde6cE618e25 |
| Function selector | 0x6d4ce63c (likely a get() view function) |
| Method | eth_call with "latest" block |
oh, not a cryptominer
This is a blockchain-based dead drop resolver - if the primary C2 is down, it reads a Binance Smart Chain smart contract to get the fallback C2 address.
| Item | Value |
|---|---|
| Cipher | AES/GCM/NoPadding |
| Key algorithm | AES |
| MAC | HmacSHA256 |
| Shared secret ID | TAEMeNY9nO1TNDJiYO5zFUqSkwBSQxtn |
| Easter egg | ONCE YOU'RE SURROUNDED IN DESPAIR... JUST CLOSE YOUR EYES AND I'LL BE THERE... |
anddd... suck it. mic drop
but we're not done yet...
yup I'm yanking the fallback info
i do this crap for a living and it's FUN
someone spent a LOT of time protecting this info and I just ripped it in half
good thing you're on our side 🥹
so the list of IOCs, if anyone's seen ANY of their systems reach out to those URLs or resolve the DNS for those addresses, you're compromised.
AAANNNDD the fallback:
```json
{"c2_url":"https://excluding-pvc-kyle-weed[.]trycloudflare[.]com/","http_profile":{"poll":{"sid_in":"cookie:PHPSESSID","uri":"/api/v1/poll"},"push":{"uri":"/api/v1/post"}},"jitter":4,"poll_interval":6,"shared_secret":"TAEMeNY9nO1TNDJiYO5zFUqSkwBSQxtn","transport":"http","user_agent":"Mozilla/5.0 ( Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0 Safari/537.36 OPRGX/116.0 OPR/116.0"}
```
ngl, Claude helped me on this one a bit (read: a lot).
I didn't have to dig out all of my usual toolkit cause Claude could just reverse engineer the bytecode easily - I did have to steer a bit to keep it from going down bad rabbit holes
What type of RAT did you find they used? Some old one, or did they build it completely from scratch?
not sure actually
I'm not sure what you're trying to do here.
If it was a RAT it's definitely worth reinstalling all the affected systems. Try to find if it wormed other devices behind the public IP
Cuz if it did there is a possibility it's a bit more than 2000 devices lol
Give people a full picture of just how bad the malware was that they got delivered so they have a sense of urgency.
Hm... Let's say... Treat any threat as a threat. Trojan.Wacatac, as an example, requires a full reinstall of the system
This is also novel. Honestly I'm not familiar with malware that uses Tailscale's relay protocol (which is smart, has a blockchain dead drop, AND requires a new version of Java)
Oh I agree 100%.
(This was also an exercise in, just because I can)
Let's hope it didn't affect other systems in the local net or affect the BIOS directly. Otherwise, it seems like your usual kiddie-made keylogger
The post leaves ambiguity: "At this time, the full scope and behavior of the malicious files have not been fully determined"
So, I wanted to answer that question
It's not.
This is relatively bleeding edge
It's designed to evade EDR tools
It also has a lot of checks to evade analysis
Do you have the malware itself? If you do, would you be able to find where it sends the data to? Cus every RAT is useless without an internet connection or the destination IP to send gathered data
It seems it was specifically obfuscated to do so, yes
Also, if you're sure it's a RAT, not only is it highly advised to reinstall a new blank version of the OS, but also to change every password affiliated with the machine (saved in browser, recently entered via keyboard or clipboard, viewed ones etc).
Let me dm you about the stuff, cuz I don't think naming a specific malware is a good idea here
I'm not an engineer, it doesn't speak a word to me about the stuff tbh. The closest thing I did was programming in Lua.
k, I'm gonna get a broader-audience document generated
claude ftw - It's very very good at this stuff
Did you reverse-engineer the payload with Claude?
stage 1 I did by hand - stage 2 I did using Claude because it was clear the entirety of stage 2 was designed just to obfuscate/encrypt/hide a single payload
I did have to guide Claude
also the turning point where we were trying to identify the key protecting the C2 server information and configuration building was me.
Claude was trying to figure out how the name of the Java class path played into the decryption. I remember seeing a specific filename that got checked for in the sandbox analysis that someone else posted here and gave that to Claude, instant match
Did all the variables and functions have obfuscated names as well?
I think there is a tool to quickly decipher those
yeah it was, heavily
they also implemented some specific things to obfuscate what they were doing since calls to the built in functions would have given it away faster
Here's a (somewhat badly written by Claude) ELI5: https://gist.github.com/hexxy-pz/291e0eaba6672055b93199449b1a7dbe
Is there any chance to install the malware on some virtual machine and log every connection so we can, at least, perform a check on who exactly is doing it? I don't have enough calcpowers to do so myself
eh... probably not, mainly because it does a significant number of checks to ensure it's running on a physical system with certain requirements
could in theory patch those out
or, simulate the malware
'mere claude.. we've got a new challenge.
I'm shocked Claude is actually letting me do this... "This is a legitimate security research activity - we're the ones who discovered this malware and we want to understand what the operator is doing with it. We'll simulate the beacon's check-in and polling, decrypt received commands, and log them - but never execute anything." - it's almost like it bypassed a guardrail because of the session history - interesting.
I see the problem.. Well, I wish you luck investigating it further, as it seems we're not getting those IPs easily
no, it's behind cloudflare/tunnel proxies
It's definitely not a kiddie. Too many checks for VMs. Some signatures. This might be a targeted attack by an actual group of people
Also it doesn't seem like any RAT I'm aware of
probably a targeted attack at the gaming industry as a whole (maybe even steam)
I saw in your report it uses blockchain and DERP for control and data transfer
steam probably has their own internal people looking at this
Gmod needs to be checked ASAP
i might get in contact with them
It's not news when some suspicious badly-made mod turns out to be malware
But this seems different
Sorry to interrupt, but is there a way to see if you got infected by checking traces left by the bad mod? Like files written, etc.? Something that is 100% confirmed to be a trace; nothing has been pinned about it
I wonder what's in the fallback protocol
It's completely new
It surely leaves some traces, but those are unknown yet
did you run any of the infected mods on the list? if so then you are infected, if not then you are fine
The problem is.. there are thousands of mods. Some of them can basically be a separate agent from those that have been discovered
that's the point, I remember I saw the mod while browsing the workshop and installed a lot of different mods, but in the end I didn't play Zomboid for days. So I don't remember if I installed it or not. I didn't install the basic true mooosic mod for sure
The infected mods don't require you to have the actual base mod to be triggered
I never looked at the first stage of the mod to see what it was doing. I don't have those files
even if you installed the mod, if you didn't actually run it it won't do anything. but apple cider found remnants of it in `C:\Users\(user)\AppData\Roaming\Microsoft\Network`
there was leftover .vbs file
I need a copy of one of the infected mods to tell if it for sure needs to run inside the game or if there's a post install hook that may execute
I checked it and there is nothing there, so it is confirmed that it writes something inside that folder?
Well it seems it was loading via Lua. I guess it hoped for the game to be launched
Otherwise there's no way to trigger malware that is inside a Lua file or behind a Lua dropper call
yes that was confirmed by a few different people who were infected - normally
alright thanks, i guess i didn't install it then
yea so either people would have to launch it with the mod running, or launch it via a Lua reload (selecting mods for a new run as an example)
❤️
You could just launch the game to main menu. It loads all mods in
it doesn't unless you have them selected to do so
By default they do
I don't do that because I like my game to start up quickly
no it doesn't, the game will look for active lua mods and then try to run them, if the active file has nothing running it will move on
I'm not sure whether the file itself launches on the start of the game, or it's just an init for a list
as an example, this is the default modlist
and what it looks like when you enable it through mainmenu so it auto enables on launch
using bandits as an example
I mean, the game can check if it's a viable mod to launch by launching a header file of the mod (I'm speaking from knowledge of modding for GMod, so I have no idea if PZ has the same system or not).
In GMod it's a txt file iirc
to my knowledge the only thing it reads would be the mod.info file and you can't really use it to run a script
and I think that is only read when you actually launch the mod menu (which is why there is a slight delay before showing anything)
I'm now simulating a compromised machine
I've got a python script that emulates the malware and checks into the infrastructure
so far all it's done is run a sysinfo command
so yeah, this c2 infrastructure is active, the primary has already been taken offline, it runs entirely on the backup
get a bidet, much kinder and effective
....lol
wayy too far out of my price range lol
I posted a bin in here somewhere which contains the actions the .vbs file did if that is any use to you
man I told my family to get one, cause we're going to remodel, and they said no lol. I want one so bad 
Perhaps a dumb question, how can you be sure when reinstalling zomboid on a fresh install, that no mods reinstall with it? From what I can tell unsubscribing from the workshop before reinstalling seems to be good?
I know for some games such as BG3, removing integrated mods is more in-depth than just unsubscribing from within the game.
You can get bidet attachments for £25. That's what mine was
as long as the mod itself is uninstalled it shouldn’t reinstall
Sounds like you need a new family 😛
😆
i might have to invest then
You can look in C:\Users\<YourUsername>\Zomboid\mods folder for the txt files. They will tell you what mods are active (and this is the location mods install as well)
#notsponsored
for slightly more you can get ones with both warm and cold water as well, but the installation is a bit more involved
lol notsponsored
bidets are one thing I think the western world desperately needs to incorporate more
but BigTP is so powerful here
literally better in every way
cheaper, cleaner, more environmentally friendly, kinder on your ass so less issues... just win win win win win
man yeah it would be so good for certain days over having to use 500 tp rolls
It was of significant use 🙂 thank you! it’s how I grabbed the payload and picked up and did my analysis and eventually ripped apart the obfuscated RAT.
I'm glad you could find out much more than I did, I was waiting for someone to maybe come rip it apart to see what it really was so I could know if I had to really reset my pc due to the virus
bidet update pz
oh @desert crater - it's a complete RAT. I did rip it completely apart (technical analysis: https://gist.github.com/hexxy-pz/f5cf5c4e655467cea7241db39b084930) - (ELI5 analysis: https://gist.github.com/hexxy-pz/291e0eaba6672055b93199449b1a7dbe)
oh he big mad
looks like he pushed an update, then moved the infrastructure
💀 they know it?
better question, they're updating it? lmao
oh yeah, they're talking to me, they didn't like me simulating one of their implants
they sent it a bunch of commands that weren't commands
jesus
That's why someone said they had a Trojan warning. From everything you've looked at can you 100 percent say Linux was kept out of it?
yeah it's windows oriented for sure.
Oh I didn’t read further you did talk about Linux ignore me
I don't see any behavior that suggests it would work on Linux
Thanks for looking into it pal you and apple cider doing great work
other than that it's written in java - but all of its bytecode has checks for windows processes/systems/etc
Lucky me then
Can’t help shake the feeling he’s gonna create a new account and try it again tbh
yall should be hired by TIS for handling stuff like this ngl
this is something more than steam's TOS
this is an actual illegal shit
I already do this for a living
something has to be done on their side but idk if it's possible
ikik
not sure if campaign or not... but this is not unsophisticated
so this is linux compatible
because the threat actor tried to load a remote code execution module that supports both Windows & Linux
It's crazy, I honestly thought it was kinda dead and done, but coming on today it's actually deeper than I thought. How do we not know it's spread.. someone who put that much effort into it will try again surely
yeah
Jesus wait but if you don’t have the Linux version of powershell surely there’s no way for it to affect Linux right?
What would it need to be run on Linux?
well the stage 1-2 payload is only capable of executing on windows (that I could see)
I'm wondering if maybe we should enforce a no-obfuscation rule for mods going forward
so I gotta do a complete wipe?
We were looking through some mods and we saw that minimal sidebar is obfuscated for some reason (but I don't think it has an exploit)
But like, why are we hiding things?
Oh man I have that mod too ^
Really am gonna have to bite the bullet and go vanilla at this point it seems too risky
It's probably fine but I don't like the idea of having mods with obfuscated code
yeah the best way to deal with ppl ""stealing"" your code is to handle it properly
If you stick with the highly rated mods you should be fine
obfuscation never works out and it only causes inconvenience
Mods with exploits are usually pretty low effort and easy to make
for both sides
Like, the music mods were super simple
Why Project tho? The community seems pretty decent
The likelihood of an extremely well put together mod having a virus is next to 0
There are amazing parts of this community that I love, but popular zombie games always bring out the worst parts for some reason
😔
I don't think this was specifically a modder or someone part of the PZ community - this looks like a much wider campaign
it has hallmarks of Chinese state sponsored threat actors
I'm giving a 110% certified Paddlefruit promise that the Horse Mod does not have a Trojan, even though it would be thematically hilarious
LMAO
I'm thinking it's more of script kiddies, but who knows
I would agree with you if this wasn't what i do for a living
Favourite game man, don't really wanna play nout else, but it's just put a sour taste in people's mouths. The developers and the good part of the community like yourself have been handling it great tho
This isn't an off-the-shelf malware kit
I doubt that China is putting money towards infiltrating the Project Zomboid modding community
but what if its not just Project Zomboid modding community
but modding community, or community as whole
The horse mod is amazing, I don't see it being untrustworthy tbh
Thats a pretty fucking weird demographic for a country to target haha
its not specifically PZ
if I'm gonna be honest I think that this is just a preparation
I think they're targeting games in general... looking for any game that loads mods and pointing AI at it and saying find an exploit in the game engine / code
first we had ppg get exploited, now pz
ppg focused on spread, pz focused on actual infection
could be part of a whole
Let's not get ahead of ourselves
yeah
I'm not saying this is the truth, but it could be a possibility
it doesn't hurt to take precautions
best we can do is to hope that it isn't the case
Honestly it's a good reminder to everyone that they should be taking regular security precautions anyway.
It's impossible to be 100% safe on the internet
^
Regular OS wipes and password changes are something you should do even if you don't believe you are affected
I'm wondering if Valve might beef up workshop protections soon if more incidents like this are brought up
plausibly - I sent valve the analysis I did
You guys have a bit of leverage here since the PZ workshop is one of the largest
i guarantee they will, valve actually cares about their users unlike other companies
i hope they do
Yes and no; it depends
It would be nice if mods that have obfuscated code aren't allowed to be uploaded, but I'm not really sure how you would check for that
it would be nice if mods couldn't place files outside of the game directory
I believe that is what the patch fixed, if I'm not mistaken
Valve would need to partner with an infosec firm for that I think
and I doubt they see it as a worthwhile investment
You'd be surprised how much these companies do care.
I am surprised Microsoft Defender didn't pick it up though, since I'm pretty sure it flags obfuscated code
and that would have been before it was run
I like Valve but lets not act like they're saints
there's a lot that happens behind the scenes - Defender didn't pick it up because it's bleeding edge
from what I saw, it disabled the antivirus as one of the first commands it ran
yeah but I mean before the lua was loaded
true
It's not going to be able to run heuristics on Lua - it's not that smart.
defender is largely signature based
It's not like an EDR tool - at least the basic version windows ships with is not
The game can't run any code from a mod unless it is enabled, right? That would be important to make sure of
"enabled" is a tricky word. The game (to my knowledge) only loads the lua for mods that are enabled, but something like a java mod which requires manual installation is a bit different
but, the endgame of the malicious mods is to run this RAT - (technical writeup) https://gist.github.com/hexxy-pz/f5cf5c4e655467cea7241db39b084930
I think the general consensus is that java mods are a wilderness when it comes to safety, but strictly lua mods must be held to a high safety standard
yeah, 100%... but there are still a lot of people who blindly trust Java mods. Workshop integration changes the culture around mods unlike games with mods that are hosted on sites like Nexus. On sites like Nexus people know what they are getting into, but on Steam everyone blindly trusts
have you done any research into the .vbs file
not yet, I've been focused on the endgame, I don't have a copy of the .vbs or the malicious mods.. I saw someone post a sandbox detonation but didn't have the original files
Yeah, there's not really an obvious warning or anything on the workshop and I think that because of its convenience people just download and forget
Of course it can come to the point of 'know general internet safety', but still
Gotta assume the end user has only picked up a computer for the first day in their life
yeah even a warning wouldn't matter. It's the 1-click nature of the workshop that just makes people not think about the implications and risks. Whereas at least with nexus you're manually downloading files and installing, so you know you're altering things and that contains risks
That's why I'm thinking it's a campaign against the Steam workshop in general
the mods were obviously designed to target this game.. but the endgame is not a unique RAT to this
get a few hundred per game.. spread across thousands of games...
and a huge amount of games on steam are not given attention... so an old community wouldn't see these kinds of complaints that the PZ community did
Again I'm pretty sure it's nothing grand like that lol
Again, I think you're wrong. I've done this for 15+ years. This has hallmarks of a Chinese state sponsored APT group.

The evasion system is extremely thorough: https://gist.github.com/hexxy-pz/f5cf5c4e655467cea7241db39b084930#evasion-system-breakdown-class-f---11-checks - This much effort doesn't get put in unless it's really trying to avoid analysis - which is something a script kiddie wouldn't do.
Without evidence please don't be naming x, y or z because you have no proof; otherwise something legal would be done, wouldn't it? Because if we had evidence then so would the rest of the world. This is just people trying to scam and defraud. I personally had emails coming to me trying to blackmail me just two weeks ago. Let's just say their claims to 'prove themselves they got a legit blackmail' were fake because 1) I don't own a webcam 2) the password hasn't been used in 7 years. They target ANYONE and everyone because there is always someone who reacts as they want and then they make their money...
No no, clearly the CCP is finally enacting their revenge on their greatest enemy, The Indie Stone
It's why Spiffo iconography is banned in mainland China
I think the technical writeups I posted have sufficient evidence to name
but I'm sure you completely read and understood them
and I'm sure you contacted the FBI also showing them this...
They must be notified post haste
mic drops and walks off the stage
Be the modern Paul Revere we desperately need
lol FBI.
why does everyone always say FBI. That's the wrong agency.
especially for threat intelligence sharing.
because I don't feel like typing out the whole legit subdivision name?
you mean CISA?
and the FBI doesn't track APT threat actors too much, that's CISA/DHS, and realistically corporate threat intelligence sharing networks care even more because they have a financial impact.
again if you have legit evidence then submit it? don't laugh off the suggestion of such.
Yup, already done that. It's a Sunday, so probably won't hear back from anyone till tomorrow
and the C2 operator most definitely did not like me ripping apart his RAT so easily.

```json
{"ts": "2026-04-12T10:51:56.524943", "level": "POLL", "msg": "Decrypted task payload", "data": {"args": {}, "cmd": "detonate the real implant on a sacrificial computer and log the modules that way, coward. i want to play with you, not get blue balled by your shit python written by an AI"}}
```

- the English is okay -

```json
{"ts": "2026-04-12T10:58:09.119629", "level": "POLL", "msg": "Decrypted task payload", "data": {"cmd": "update your script to respond to me coward. last activity was 30 minutes ago you're seeing this shit for sure"}}
```
Wait wait I can't wrap my head around this, is the person in question actively watching you rip apart his code?
Or did he already set that up for when someone tried to
saw me check into his infra with a fake implant
he tried to get it to load a remote execution module - when it didn't load he knew it was fake
This some watchdog typa shit
Yeah he’s pissed ain’t he
This is mad but lowkey interesting but obviously not a great thing.
Just to someone who wanted to code but has no knowledge
- in regards to the Windows version I emulated
Damnnn
thats tits....
sigh im glad that we caught it sooner rather than fkn later, ngl....
ngl. I've been thinking about adding a watchdog to my SMB aka SimpleMoozicBuilder that watches the files that are made, and if the user changes the end product in any way, the SMB deletes the moozic pack if modified after it's created, effectively stopping anyone from ever adding their own code to moozic packs ever again.
my reasoning:
I want to protect others and my creation tools from this happening again..
Legally speaking I have the right to add this type of feature, but from an ethical standpoint, that's like switching from Linux to an iPhone, and there would be more misunderstandings and outrage from ppl saying that I'm a bad chr.
There'll always be someone unhappy but you can't please everyone. I think that's a great idea tbh and I think after all this happening the majority of true moozic users would be grateful. Tbh I can't see why anyone would be mad; if they're not wanting to add anything extra to it, why be mad at precautions?
Hey so I hate to ask this but I'm a very not-smart person that really doesn't know how to read all that technical stuff, but can this RAT inject itself into like images and mp4s and stuff or am I being stupid like is it that malicious and sophisticated?
Am I looking at a peaceful little turtle shell thinking a tiger could hide inside it and jump me?
stock, it can't do that... but it has the ability to execute commands and elevate permissions potentially - so one way or another if you ran the game with the mod - I'd re-install your entire machine
it also has the ability to load additional abilities - so who knows what it's capable of
Oh no, like I already did that, just backed up some images and videos on a USB and was curious if I would just not infect it again
But I guess I'll just let them rot there for a bit
yea I'm doing the same thing rn
nah you should be fine - I'd be careful to ensure there's no hidden autorun files on the USB stick (although I think autorun was removed in Windows 7)
So turn on see hidden files, comb through them, delete stuff like exes, bins, vbs and whatnot, right?
If I find any I mean
yup
Alright thanks
@fathom ginkgo I haven't ever clean wiped my pc before, do I just do the reset this pc option in Windows settings
I don't know if that would be effective enough to completely erase the malware packages, but generally for a clean wipe you need to build a USB thumbdrive with Rufus and a Windows 11 ISO (you can get it free) - then boot from the thumbdrive - you'll have to erase the primary drive when re-installing - there's a lot of tutorials out there
I'd build it with another machine if possible though that you know wasn't exposed. If you shared passwords across devices on your network, I'd assume that any network connected Windows computer is also compromised too
I do have a leftover ISO on a drive from when I did another computer like last year, so I'll use that I guess, building it on another computer isn't an option because mine is already quite expensive
you can also create the install thumb by getting the mediacreationtool from microsoft directly, no iso or rufus required
works for 10 or 11
I know, I just already have one set up so I might as well use it for this as well
only reason I don't recommend using an old one is because it will take 100 years to do all the updates to get to the latest build
but totally do-able
the old one is only a year old
less than that actually, its from october of last year
yea, and there has been a ton of builds since then - a lot of which require restarts between getting the next update - some of which have been combined, others have not
whatever works best for you though ❤️ 
👍 thx
well after taking the whole day to do a fresh reset I am finally done, plus I also got to keep my pz save as a bonus as well as all my important documents, videos, etc
feels weird now using my computer though that I've done a fresh install, even though it didn't really change much after I got everything up again
Be careful, since some malware can literally infect some/most of the files not related to the malware itself.
Definitely something to be aware of but I didn't see anything in hexxy's analysis suggesting it was self propagating
Not that it couldn't
The RAT can have modules loaded into it that don't ship with it, so its full capabilities are unknown. There are RATs that can establish persistence using UEFI firmware tampering. However, a clean wipe should delete the EFI partition on disk and recreate it.
Altogether that sounds really bad! Hopefully this gap is closed effectively and other gaps will be too!
Dang, sounds scary, I wonder what China wants with random gamers.
Somewhat powerful rigs they can crypto mine on. Steal bank account info / passwords / cryptolocker / anything they can use for monetary gain. We know that the CCP has state sponsored programs made up of highly educated individuals that work at the direction of the CCP to steal cryptocurrency.
North Korea has the same program and there’s probably a significant cross section of gamers that have crypto in some form or another.