安坂星海 Azaka 🐼 VTuber Profile

@AzakaSekai_

8,958 Followers · 1,386 Following · 1,192 Media · 8,356 Statuses

台湾 / Taiwan (中/En) - 🖌️ #artsyaz Comfy VTuber / threat intelligence researcher (NOT independent) Model + rig @jamama_666 // add. rig @justNovaj

Taiwan
Joined August 2022
Pinned Tweet
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
9 months
Reminder that I'm using Twitter less and less. still @ for #infosec azakasekai @ for #Vtuber content still @ for personal
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
#threatintel someone just leaked a bunch of internal Chinese government documents on GitHub
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
holy fuck there's a list of victims too
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
19 days
Earlier this month when I was troubleshooting performance issues on my computer, I found that the #WMI host process WmiPrvSE.exe was consistently using about 5% of my CPU. This led me to investigate what was causing it and going down a rabbit hole and issuing a fix. 🧵(1/)
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
From the looks of it, it looks like a bunch of spyware developed by the company 安洵信息
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Some of these software features include obtaining the user's Twitter email and phone number, realtime monitoring, publishing tweets on their behalf, reading DMs.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Twitter monitoring system - dated 2022. The system is designed to monitor a user's top 5 posts, IP address hotspots (more on that later), latest posts. This system is also used to remote control accounts to make posts, retweet, comment, etc.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Custom RAT built for Windows x64/x86 with features such as process/service/registry management, remote shell, keylogging, file access logging, obtaining system info, disconnect, uninstallation.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
An iOS version also... exists somehow, and they claim that this supports all iOS versions. Includes features such as gathering hardware information, GPS data, contacts, media files, and real-time audio record. No jailbreak required.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Correction: technically not Chinese government data, but a spyware vendor contractor's internal data.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
what do you mean they stole 3D models of the entire Taiwan and what do you mean it's 459GB
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
I won't talk about this in detail since it contains very sensitive details, but it's basically a bunch of sensitive call logs and call data specifically stolen from the affected telecommunication providers. The type of stuff that not even most workers normally have access to.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
A Mac version also exists, with features such as remote shell, file management, screenshot and keylogging.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
This is the weirdest of them all - a WiFi-capable device that can inject into the targeted... Android devices via WiFi? The device is said to be portable, plug and play, supports 3G and 4G. After a successful injection, it can get device info, GPS, SMS, contacts, call log, files
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
The documentation contains a screenshot of the controller, titled Security System (V3.0.0.3)
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
2 years
@Aegis_Asu meanwhile
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
TBs of data stolen from Pakistan, Kazakhstan, Kyrgyzstan, Malaysia, Mongolia, Nepal, Türkiye, India, Egypt, France, Cambodia, Rwanda, Nigeria, Hong Kong, Indonesia, Vietnam, Myanmar, Philippines, Afghanistan
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Android version also exists, supporting Android 6.0 and above. Features include obtaining system information, GPS, contacts, SMS, call logs, browser history, app list, real-time audio recording, process list, camera, WiFi list, screenshot, keylogging, and system info.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
The standard version is disguised as a Xiaomi battery, whilst the mini version is just a plain PCB that can be inside anything.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
how many of these people are gonna start unfollowing me when they realize i RT anime women
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Few interesting tidbits for the Android one
- Ability to dump messages from QQ, WeChat, and MoMo - all popular Chinese IM apps (requires root)
- Ability to keylog specifically QQ, WeChat, Momo *AND* Telegram.
- Ability to elevate as system app for persistence (requires root)
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
10 days
@sc_codeUM start writing PowerShell scripts instead
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
2 months
@Vedal987 i'm sure snuffy is patient enough
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
this one was the funniest/saddest thing i've read in the entire dump
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
bro only got paid 2000 RMB for his month of work💀
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Linux version also exists that specifically supports CentOS 5/6/7 & Ubuntu 12/14. Oddly old versions of these distros. Features include remote shell, file management, Socks5 proxy via SocksCap64, port reuse. Controller appears to be named "TracedStone"
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
I think the thread blowing up is both a curse and a blessing: people are finally now realizing that the APT operations have been ongoing for ages. If it weren't for the leak, I could have probably never revealed just how wide of an impact they've been causing over the last few years
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
With that, I think that wraps up almost everything in the leak. This leak is the most impactful piece of intel I've ever seen in my short three years of working in the industry. A lot of the time we could mostly speculate on what it looks like on the inside of these operations.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Another one: "WiFi Near Field Attack System," with a Standard and Mini edition. The standard version can be installed on a specifically crafted device and be used to infiltrate the internet network... somehow. It doesn't explain.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
The Mini version is said to be able to disguise as a power strip, power adapter etc. and can be set up to connect to target WiFi and establish a SOCKS tunnel with the internal network.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Controller for the Android RAT
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
2 months
A lot of people expressed positive interest in the malware lecture thing, so I'm thrilled to announce that I will be doing a test run of a lecture-styled stream where I'll be going over malware-related stuff for beginners that want to learn about how malware and things work in…
@shindags
shindigs
2 months
This vtuber was once a history professor, and recently did a history lecture on stream. It's really cool to see all types of knowledge being shared through the vtuber community. Imagine if more educators were vtubers. Perhaps this is the future of educational content.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
19 days
The problem is that this was *not* the first time I've seen people make poor use of WMI. It is usually the easiest way to get certain information, but most definitely not the most efficient - the issue is it gets worse the moment you try to spam the calls.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
A dedicated Tor-like device for hopping between endpoints. Designed specifically for agents working overseas.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
It's a bit offensive when people outside of the field call my coverage some machine translated/AI generated garbage. I've been in the field for multiple years and have held multiple presentations and talks about Chinese APTs.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
ah great, it also contains population data including their names, email, address, and phone number. doesn't really state where it's from but great, good to know
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
19 days
I offered a fix just now, which makes it so that it uses the native Win32 API to get process name via the PID instead of having to do a roundabout trip to WMI. The performance improvement from my PoC made the call count go from ~2400 calls to a mere 17.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
The Standard edition can be used to crack WiFi passwords, LAN port sniffing, SOCKS tunnel, port projection, remote shell, file management, and remote detonation (self-destruct).
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Next chapter, they also have a DDoS system. The botnet client is 29kb sized and can be deployed on to Windows, Linux, or generic IoT devices with the total throughput of 10~100Gbps (or GBps? not specified).
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
The chatlogs are extremely fascinating as they provide a much broader view of how people are making money off of attacking critical government agencies. I'm seeing quotes and prices all in these chatlogs over intel/data from these hacked institutions.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
1 year
@IzzzyzzzArt sometimes i completely forget about the original Luna
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
The standard version comes with 4G ability, 8GB eMMC, dual core 1.2GHz ARM processor, 10000 mAh battery, whilst the mini version runs on MIPS with 128MB of DDR2(?) and does not contain a battery.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
> been hiding my follower count on desktop client with Twitter Control Panel
> only occasionally catches a glimpse of follower count
> last I checked it was 380
> *checks phone 12 hours after the coverage*
> almost a 3k what
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
@Calerid that's what I do and the risk i take for being in the industry
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Automatic pentesting system that supports Windows, Linux, web services, and networking equipment with support for various pentesting frameworks.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
@vxunderground it's still an ongoing thing yeah there's just so much to read through I've been sitting here for 6+ hours
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Product stack designed for spying on users using Chinese social media, including Weibo user details lookup (email/phone), historic IP address lookup, user detail lookup via the uploaded image (i.e. Alice uploads food pic to Weibo, Alice's details can be pulled up).
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
There's also specialized hardware for tracking down WiFi devices (i.e. alert when a device with a given WiFi MAC address is in range) and disrupting WiFi signals, which can be controlled with a dedicated smartphone.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
It also supports specialized APT attack scenarios, including generating email templates, browser-based attacks, exploited Office document generator and more.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
They've also developed their own KoTH style CTF platform for training offsec employees.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
11 months
@LknoNo2 @khyleri that's the joke - probably
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
can't believe they've got nia
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Baidu lookup, reverse searching username, phone number, email address, Baidu Pan links.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Features designed specifically for forums:
- Emote beacon: Effectively an IP grabber when opened: the user's IP address, port, time, browser details are returned.
- Link beacon: Same thing as above but URL-based.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Platform designed specifically for cracking down on gambling cases, can be used to look up username, email, password, home address, IP address, etc. Notably, an email address of admin @webside .com can be seen. Not sure if this is a typo of "website"
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Reverse searching phone number for WeChat, WeChat payment QR code, etc.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
"Skywalker" data research platform. Used to look up information related to the keyword, such as phone address, email, username, which would then bring up their IRL details.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Email text search platform. The emails can be automatically imported via SMTP, POP3, IMAP, and most importantly, Exchange. The Exchange server can be configured to add "non-plaintext" transfer during transport.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
1 year
@hews__ hews really said horny on main
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
This information can then be fed into an "in-development" feature of looking up user details on various social media, including QQ, WeChat, Weibo, Facebook, and Twitter.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
> follows one person
> account locked
good platform
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
"All-in-one combat platform" product whitepaper - dated 2022. Appears to be a large internal network for assigning and performing red teaming tasks. The management can assign tasks to workers from across the states and can assign the sufficient resource for these attackers.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
That was *most* of the data in just ONE PDF file that was leaked from this repository. There's presumably a lot more to dig through.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
@3Baracuda just tell them a CTI nerd did the work
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
19 days
With lots of digging, I eventually got to the Microsoft Docs page of troubleshooting WMI high CPU usage (). The page describes how to find the culprit - and helpfully, the doc mentioned a FOSS tool called WMIMon, instead of having to view tracing manually.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
19 days
Thankfully, everything about duckyPad is open-source, from the hardware, to the firmware, to the relevant software. I quickly pinned down the issue - the Python implementation appears to refresh the window and query for Win32_Process in WMI every .25s for the process name.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
@IIlIIlIIIII nah this was from 2020, and the other documents are as new as 2022/2023
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
The rest of the repo seems to be mostly low-res screenshots (presumably thumbnails?) of various WeChat logs, and random camera shots of random notes.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
hey so uh i know people are a little confused when I said it's from the government - it's not *directly* from the CCP - I immediately corrected myself shortly after in the reply; unfortunately it's getting buried in the comments.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
2 months
@NeurosamaAI what stream
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
19 days
WMIMon () attaches to the ETW for WMI and displays all the relevant queries and most importantly, who is the main process that queried these calls.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
14 days
@AUTOMATON_ENG Note that the sample size was 434 students across age 15 to 24, and the samples were taken from June 2023.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
the takeaway of this post is stop blindly clicking/accepting random OAuths you see
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
uhhh I'm gonna be muting this thread because it's nuking my notification
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
"Email intelligence analysis system" whitepaper - dated 2022. This system is designed for sorting through and viewing data from various email sources, such as Gmail, Outlook, etc. Check all of the imported emails with keywords, and use emails to create additional relation points.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
guess karma finally caught up with them after multiple hospital/school ransoms
@vxunderground
vx-underground
3 months
Every single known Lockbit ransomware group website is either offline or displaying a seized by EUROPOL page. It appears law enforcement has seized and/or taken down, at minimum, 22 Tor sites, in what is labeled 'Operation Cronos'.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
if you still aren't convinced the clients are gov
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
19 days
Through WMIMon, I discovered that the culprit was #duckyPad AutoSwitcher, a helper application that switches the profiles on my duckyPad macro keypad depending on the foreground process name. Once I've closed the application, the WMI usage was back to normal.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
21 days
Some basic #IDA101 here: IDA does not support decompiling exception handlers; in other words, code that is within a catch block will not show up in the pseudocode view. A reminder that you should not blindly trust the pseudocode view. This is a very common anti-analysis method,…
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
@arbormikesavage Seems too elaborate to be fake given the amount of chatlogs included.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
There's also a RAT called Hector. "Hector is an active RAT that supports HTTP/WebSocket and HTTPS/WS over TLS." "Hector supports interactive remote shell, file directory viewing, file management."
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
"Microsoft email secrets platform" - dated 2022. Basically designed to exfiltrate data or attack Outlook/Exchange. The attacker can use it to create phishing emails.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
24 days
@NeurosamaAI no, assert your dominance - verbally abuse your viewers
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
Another reason why I didn't cover this part of the leak - I'm nowhere near capable enough for understanding what I'm looking at for these logs.
@haxrob
HaxRob
3 months
The Chinese APT contractor leak contained a few interesting files; namely:
- CDRs (Call Detail Records)
- LBS (Location Based Services) db records
Threat actors compromise telcos with the aim to obtain subscriber metadata to support IC objectives. Some background: (1/5)🧵
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
To clarify, the document leaked from an offsec contractor that works with the Chinese national police. Based on the README, it was likely a disgruntled employee upset with the pay/management. *Probably*.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
someone from the chatlog also claimed that they have data from Jens Stoltenberg (Secretary General of NATO) they've been wanting to sell
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
They claim that they process 100 million+ tweets every day and use many crawlers to crawl Twitter every 5 to 10 minutes. Through compromising the account, it can be used to "curb illegal public opinions."
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
10 days
cheat devs are some of the scariest people out there
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
The point I want to make is it's not *just* government-hired actors, but companies are profiting off of these contracted attacks.
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
2 months
I'd do this more if people actually found malware unpacking lectures done in real time interesting 😭
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
3 months
accidentally liking an AI generated image is the digital feeling of accidentally stepping on shit
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
1 month
@UnseenJapanSite That is awful :(
@AzakaSekai_
安坂星海 Azaka 🐼 VTuber
16 days
@Vedal987 I have uhhh food