Minecraft removing obfuscation in Java Edition: https://www.minecraft.net/en-us/article/removing-obfuscation-in-java-edition
#linux #linuxgaming #update #minecraft #java #obfuscation #improvement
A quotation from Robert Louis Stevenson
The cruellest lies are often told in silence. A man may have sat in a room for hours and not opened his teeth, and yet come out of that room a disloyal friend or a vile calumniator.
Robert Louis Stevenson (1850-1894) Scottish essayist, novelist, poet
Essay (1879-05), “The Truth of Intercourse,” Cornhill Magazine, Vol. 39
More info about this quote: wist.info/stevenson-robert-lou…

Introducing #r2morph , a metamorphic binary transformation engine built on @radareorg + #r2pipe.
It applies semantic mutations (NOPs, instruction swaps, dead code, opaque predicates…) without breaking functionality.
Perfect for research on evasion, obfuscation & malware analysis.

Speech was given to man to conceal his thoughts.
[La parole a été donné à l’homme pour déguiser sa pensée.]
Charles-Maurice de Talleyrand-Périgord (1754-1838) French secularized clergyman, statesman, wit, diplomat
(Attributed)
More info about this quote: wist.info/talleyrand/79291/
Malware Analysis
===================
Executive summary: Fake utility installers (including speedtest,
manual-reader/finder, PDF tools, and some AI frontends) have been
observed to bundle a portable Node runtime, extract an obfuscated
JavaScript payload, and install a Scheduled Task to execute that JS on
a recurring cycle. The JS speaks to a C2 (observed domain:
cloud.appusagestats[.]com), exfiltrates system identifiers and can
execute arbitrary commands returned by the server.
Technical details:
• The installers are packed with an Inno-Packer and drop a portable
Node runtime folder alongside the visible application executable.
• Persistence is implemented via a Scheduled Task (task.xml) that
executes the dropped node.exe with an obfuscated *.js script on an
approximate 12-hour cadence.
• The JavaScript is heavily obfuscated but decodes into JSON-formatted
POST payloads (e.g., a version string like "0.2.1" and a
JSON.stringify body). The script queries
HKLM\Software\Microsoft\Cryptography for MachineGuid via reg.exe to
uniquely identify hosts.
• The C2 interaction includes encoded/obfuscated POSTs and server
responses that can include commands such as powershell -NoPr... for
remote execution.
Impact and attack mechanics:
• The visible app functions normally, reducing suspicion while the
background agent provides persistent C2 connectivity and remote
execution capabilities.
• This separation increases attack surface: defenders may see only a
benign UI app while a persistent Node-based agent operates
independently.
Detection guidance:
• Search for Scheduled Tasks invoking node.exe outside known
development contexts.
• Detect unexpected portable Node runtimes co-located with third-party
installers.
• Monitor outbound POSTs to uncommon domains like
cloud.appusagestats[.]com and inspect request bodies for JSON
structures and Base64-encoded payloads.
• Track registry queries for
HKLM\Software\Microsoft\Cryptography\MachineGuid from non-standard
processes.
Mitigations:
• Block or alert on execution of portable runtimes from user-writable
directories.
• Restrict scheduled task creation to privileged installers; monitor
changes to task scheduler.
• Enforce egress filtering to limit access to suspicious domains and
use TLS inspection where policies allow.
References & notes:
• Observed artifacts: Inno-Packer installer, portable Node folder,
obfuscated *.js, task.xml, C2 domain cloud.appusagestats[.]com.
#nodejs #powershell #scheduledtask #obfuscation #persistence
Source: https://security5magics.blogspot.com/2025/09/fake-online-speedtest-application.html
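As an added illustration of the detection guidance in the post above (this is not code from the original post or the cited blog), here is a small Python rule set run over constructed sample telemetry: a scheduled-task creation, two reg.exe process events and two HTTP POSTs. The event schema, the allowlists and every value except the reported C2 domain are assumptions.

```python
import json
import re

# Hypothetical allowlists, not from the original post; tune per environment.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")
TRUSTED_REG_PARENTS = {"msiexec.exe", "services.exe", "svchost.exe"}
KNOWN_C2 = {"cloud.appusagestats.com"}  # domain named in the post
B64_FIELD = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")

def check_task(ev):  # scheduled task whose action runs node.exe from a user-writable path
    cmd = ev["command"].lower()
    if "node.exe" in cmd and any(d in cmd for d in USER_WRITABLE):
        return "scheduled task runs node.exe from user-writable path"

def check_reg(ev):  # reg.exe reading MachineGuid, launched by a non-installer parent
    if (ev["image"].lower() == "reg.exe" and "machineguid" in ev["cmdline"].lower()
            and ev["parent"].lower() not in TRUSTED_REG_PARENTS):
        return f"MachineGuid query spawned by {ev['parent']}"

def check_http(ev):  # POST to the known C2, or any JSON POST carrying a Base64-looking field
    if ev["method"] != "POST":
        return None
    if ev["host"] in KNOWN_C2:
        return f"POST to known C2 {ev['host']}"
    try:
        body = json.loads(ev["body"])
    except ValueError:
        return None
    if isinstance(body, dict) and any(isinstance(v, str) and B64_FIELD.match(v) for v in body.values()):
        return f"JSON POST with Base64-looking field to {ev['host']}"

CHECKS = {"task_create": check_task, "process": check_reg, "http": check_http}

def detect(events):  # one alert string per matching event, in input order
    hits = (CHECKS.get(ev["type"], lambda _: None)(ev) for ev in events)
    return [h for h in hits if h]

# Constructed sample telemetry; only the C2 domain comes from the post.
SAMPLE_EVENTS = [
    {"type": "task_create", "command": r"C:\Users\u\AppData\Local\SpeedTest\node\node.exe upd.js"},
    {"type": "process", "image": "reg.exe", "parent": "node.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Cryptography /v MachineGuid"},
    {"type": "process", "image": "reg.exe", "parent": "msiexec.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Cryptography /v MachineGuid"},
    {"type": "http", "method": "POST", "host": "cloud.appusagestats.com", "body": '{"v":"0.2.1"}'},
    {"type": "http", "method": "POST", "host": "stats.example.net",
     "body": '{"v":"0.2.1","d":"eyJtaWQiOiIxMjM0NTY3OC1hYmNkLWVmMDEtMjM0NS02Nzg5YWJjZGVmMDEifQ=="}'},
]
```

Running `detect(SAMPLE_EVENTS)` yields four alerts; the msiexec-spawned MachineGuid query is suppressed by the allowlist, which is the main false-positive source for that rule.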
Reverse Engineering Vercel's BotID
https://www.nullpt.rs/reversing-botid
#ycombinator #reverse_engineering #reversing #javascript #obfuscation
How can you define a word or expression to make it precise enough to be studied?
Instead of just defining it, you can "operationalize" it [1], or even better, operationalisationalisticalise it [2]. And then instead of using a method to study it, you can use a methodology [3], or even better, a methodologicalisationism [2].
It should be mentioned that the reader should note the above.
[1] https://en.wiktionary.org/wiki/operationalize
[2] (neologisms)
[3] https://en.wiktionary.org/wiki/methodology#Usage_notes
"Your e-mail address is used to send this message. You have rights over your personal data, in particular the right of access, rectification, erasure, restriction of processing, portability and objection. To exercise these rights, please fill in the widget provided for this purpose on our website."
And putting a link to that widget *in the e-mail* was too complicated, #HopitalEuropéen de #Marseille?
"We are watching a genocide live in 4K. And you do not have the luxury of saying you didn't know. Your only answer is going to be 'You didn't care.'."
- Liam Cunningham, Irish actor
Control-Flow Flattening Obfuscated #JavaScript Drops #Remcos.
The observed JS contains multiple self-invoking functions that loop arrays of strings and numbers in a while(!![]) loop until a calculated checksum matches a predefined value. This #obfuscation technique forces static analyzers to parse through the array content instead of returning the required string directly.
#ANYRUN’s Script Tracer enables easy analysis of heavily obfuscated scripts by logging their execution in real time, with no need for manual deobfuscation.
Execution chain:
#Wscript (JavaScript) -> PowerShell -> MSBuild (Remcos)
See analysis session: https://app.any.run/tasks/eaef10ea-3567-4284-b87e-a3a0aedc5f83/?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_drops_remcos&utm_term=110625&utm_content=linktoservice
This script invokes #PowerShell using ActiveXObject("WScript.Shell") with parameters and executes the following:
• Creates a System.Net.WebClient object
• Specifies the URL to download the binary
• Downloads the binary data and passes it to #MSBuild
As a result, the script downloads and executes the Remcos #malware module.
Observe obfuscated loaders, explore execution flows, and extract behavioral indicators in real time. Improve your security operations with #ANYRUN Sandbox.
Also... it seems most/all of the masked "black-baggers" are #HSI agents, not the usual #ICE "Enforcement and Removal Operations" #ERO officers. ?!?
Apparently HSI stands for "Homeland Security Investigations". There is very little objective info on their involvement online. (I treat all .gov info on this topic as suspect.)
Based on bits of reporting I've heard, these are *investigators* and not enforcers. I assume using them as the equivalent of secret police is a tactical move by #DHS to misdirect and obfuscate.
Whoever they are, they should be in uniform with proper ID plainly visible!
#Tycoon2FA is a rapidly evolving #phishkit bypassing 2FA on M365 & Gmail
Multi-stage execution chain
Dynamic code generation & #obfuscation for stealth
Browser fingerprinting for targeted execution
Analysis of 27 observed evasion techniques
https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=tycoon2fa_analysis&utm_content=linktoblog&utm_term=150525
Deception, Obfuscation & Misdirection
This is a concatenation of posts I originally made in 2016-2017--even more relevant today...
Most are familiar with the concept of #FUD—short for #Fear, #Uncertainty & #Doubt. It summarizes a strategy often used in marketing and political propaganda. Its effects are pernicious, divisive and lead to exploitation. Examples abound. Fear is a strong motivator! To resist FUD one must understand how it is practiced using the principles of #Deception, #Obfuscation and #Misdirection.
https://mdpaths.com/rrr/commentary/deception_obfuscation_misdirection/index.html
We published a blog yesterday about a PhaaS and phishing kit that employs DoH and DNS MX records to dynamically serve personalized phishing content. It also uses adtech infrastructure to bypass email security and sends stolen credentials to various data collection spaces, such as Telegram, Discord, and email. https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/
**Monitoring Reasoning Models for Misbehavior and the Risks of Promoting Obfuscation**
“_While we show that integrating CoT monitors into the reinforcement learning reward can indeed produce more capable and more aligned agents in the low optimization regime, we find that with too much optimization, agents learn obfuscated reward hacking, hiding their intent within the CoT while still exhibiting a significant rate of reward hacking._”
Baker, B. et al. (2025) Monitoring reasoning models for misbehavior and the risks of promoting obfuscation. https://arxiv.org/abs/2503.11926.
#AI #ArtificialIntelligence #LLM #LLMS #ComputerScience #Obfuscation #Preprint #Academia #Academics @ai @computerscience
The more you know, the more you know how much you don't know, you know? #philosophy #wisdom #obfuscation
r2ai just de-obfuscated strings inside Linux/Ladvix malware for me.
No, no, I should not say "for me", it makes me sound lazy and passive. In reality, we were a team :D Honestly, I had to pilot it ;P
After some conversation, we understand that a few strings are obfuscated. I ask the AI to de-obfuscate them. r2ai integrates an automatic mode that passes the questions to the AI and is able to process some r2 commands.
1/2
A quotation from Orwell, George:
«
The great enemy of clear language is insincerity. When there is a gap between one’s real and one’s declared aims, one turns as it were instinctively to long words and exhausted idioms, like a cuttlefish spurting out ink.
»
Full quote, sourcing, notes:
https://wist.info/orwell-george/5188/
@mullvadnet Nice!
I wish you would add xtls-reality support too to mobile apps to obfuscate wireguard traffic with ability to setup my own xtls bridge.
Right now I have to use a complex setup with multiple Android profiles running at the same time to bypass highly advanced censorship.