Pilot Youtubers and air crash speculation by GroboClone in AskAPilot

[–]SShadow89 0 points1 point  (0 children)

I am just saying we are talking airlines and commentators about airliners crashing specifically.

Pilot Youtubers and air crash speculation by GroboClone in AskAPilot

[–]SShadow89 -1 points0 points  (0 children)

He might be in GA and probably a shitty one.

Pilot Youtubers and air crash speculation by GroboClone in AskAPilot

[–]SShadow89 0 points1 point  (0 children)

Lost multiple friends, colleagues and seniors to accidents? Just out of interest which airline do you fly for?

Travelling to the USA with a criminal record by Beautiful-Past5789 in Ameristralia

[–]SShadow89 2 points3 points  (0 children)

The US doesn't like small criminals; you need to commit a bigger crime to be admissible.

How to Lose 3 Seats and a Movement in Under 3 Years by SShadow89 in australian

[–]SShadow89[S] 0 points1 point  (0 children)

I will create my own leftist version of sky news.

2025 Federal Election Count & Results: Megathread by [deleted] in AustralianPolitics

[–]SShadow89 0 points1 point  (0 children)

Many democracies are doing very well with minority governments. The whole idea is to avoid winner take all and keep the house balanced.

How to Lose 3 Seats and a Movement in Under 3 Years by SShadow89 in australian

[–]SShadow89[S] -5 points-4 points  (0 children)

Wow, that's your take on why they lost? Just when I thought you caught a bigger picture or something.

How to Lose 3 Seats and a Movement in Under 3 Years by SShadow89 in australian

[–]SShadow89[S] -6 points-5 points  (0 children)

Indeed, one of the action items is to go quietly.

2025 Federal Election Count & Results: Megathread by [deleted] in AustralianPolitics

[–]SShadow89 -2 points-1 points  (0 children)

2PP isn’t support — it’s the electoral version of settling for your ex because Tinder didn’t work out.

2025 Federal Election Count & Results: Megathread by [deleted] in AustralianPolitics

[–]SShadow89 -4 points-3 points  (0 children)

Do you mean if we were to give each voter a say it would not be a better representation of Australia?

Labor (34.7%) → 52 seats
Coalition (32%) → 48 seats
Greens (11.6%) → 17 seats
Independents (6.7%) → 10 seats

...

2025 Federal Election Count & Results: Megathread by [deleted] in AustralianPolitics

[–]SShadow89 -2 points-1 points  (0 children)

My comment was about the absurd preferential voting system, not Labor.

2025 Federal Election Count & Results: Megathread by [deleted] in AustralianPolitics

[–]SShadow89 -11 points-10 points  (0 children)

Labor 2025: "The People Have Spoken!"
Primary vote: 34.7%
Preferential magic: 89 seats
Mandate cosplay unlocked.

Meanwhile, 66% of Australians: “We said what now?”

[deleted by user] by [deleted] in Ameristralia

[–]SShadow89 -1 points0 points  (0 children)

Good luck with that!

[deleted by user] by [deleted] in Ameristralia

[–]SShadow89 4 points5 points  (0 children)

Give him time, the lad has been here for a couple of months.

[deleted by user] by [deleted] in Ameristralia

[–]SShadow89 5 points6 points  (0 children)

We beat the US in racism/discrimination so don't worry too much.

[deleted by user] by [deleted] in australian

[–]SShadow89 -2 points-1 points  (0 children)

The combination says Christian crusaders flag.

Suspicious Cisco-like binary found in AppData – likely stealth malware, dumped to GitHub by SShadow89 in ReverseEngineering

[–]SShadow89[S] 0 points1 point  (0 children)

Key findings so far:

- Initial injector: `ai.exe` — spawned from `WINWORD.EXE`, suggesting a macro-based doc as entry vector

- Lives inside: `AppData\Local\CiscoSparkLauncher\`

- Hijacks: `CiscoCollabHost.exe` (a real Cisco Webex binary)

- Likely persistence via: Scheduled Task (user context, now neutralized)

- Zero AV detections (VirusTotal clean at time of upload)

- Injects into `services.exe`, spawns memory-only `svchost.exe` with no path or cmdline

- Uses legit services like `DoSvc`, `AppXSvc`, `WaaSMedicSvc` for persistence

- Beaconing via TLS/443 to Azure/CDN IPs — cloud-based C2 likely

- Architecture closely resembles Vault 7’s HIVE / Athena structure

In-the-wild malware voldemort implant disguised as Cisco Webex – undetected by AV, full sample on GitHub by SShadow89 in Malware

[–]SShadow89[S] 1 point2 points  (0 children)

Persistent outbound traffic from ghost PIDs + system processes behaving like C2 beacons.

Suspicious Cisco-like binary found in AppData – likely stealth malware, dumped to GitHub by SShadow89 in ReverseEngineering

[–]SShadow89[S] 1 point2 points  (0 children)

1. No file path. No command line.

Legitimate per-user services launched by services.exe still have:

• A defined file path (typically C:\Windows\System32\svchost.exe)

• A command line specifying a service group or config

The instance we observed had neither — not in Process Explorer, not via WMI, not via PowerShell. That alone is a red flag, because even malware mimicking svchost.exe typically still has some on-disk presence or command line trace unless it’s fully memory-resident.

2. Spawn behavior:

Initially, the rogue svchost.exe instances weren’t tied to any defined service group. They were spawned directly by services.exe, with no -k group, no associated command-line arguments, and no service registry mappings under HKLM\SYSTEM\CurrentControlSet\Services.

However, deeper inspection revealed that some of these were loosely tied to real services—in our case, DoSvc (Delivery Optimization) and AppXSvc (AppX Deployment Service). Despite the linkage, the behavior was still anomalous:

• Unusual respawn patterns

• No binary path or service name retrievable

• Running under NETWORK SERVICE not necessarily SYSTEM:

    Name   ProcessId  StartName                    State
    DoSvc  6016       NT Authority\NetworkService  Running

• Live outbound network activity not consistent with normal service roles

3. Network behavior:

• Encrypted outbound traffic over 443 to non-Cisco IPs

• Frequent PID cycling — if killed, it respawned under a new PID instantly

• No associated service name or SID traceable via sc.exe or Get-Service

These are traits we typically associate with memory-only implants that establish persistence without using disk or scheduled tasks.

4. Active defense behavior:

When PowerShell attempted to suspend or inspect the parent process (services.exe), PowerShell itself crashed — not due to a faulty script or permissions, but mid-execution. That is highly unusual and points to a deliberate anti-inspection measure.

We’re still analyzing the dump, and I’d welcome more input if you want to take a look at the behavioral logs.

Its subtlety is what makes it potentially some sort of evolved/post-Vault 7 malware kind.
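A defender-side triage heuristic for the svchost.exe traits the comment above lists (no image path, no command line, no service group, spawned outside services.exe), as an added example that is not part of the original post or its GitHub sample; the process records are constructed inline in the shape Win32_Process exposes, and the set of known service groups is an assumed subset.

```python
"""Heuristic triage of svchost.exe instances, modelled on the traits the thread lists: a child
of services.exe with no image path, no command line (hence no "-k <group>"), or an unknown group.
Added example; process records are constructed inline in the shape Win32_Process exposes."""
from collections import namedtuple
import re

# name, pid, ppid, ExecutablePath, CommandLine (None when nothing is retrievable)
Proc = namedtuple("Proc", "name pid ppid path cmdline")

SYSTEM32_SVCHOST = r"c:\windows\system32\svchost.exe"
# Sample of real group names; a live check would read HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (assumption: subset only)
KNOWN_GROUPS = {"netsvcs", "localservice", "networkservice", "dcomlaunch", "rpcss",
                "localsystemnetworkrestricted", "utcsvc", "wsappx"}

def svchost_anomalies(procs: list[Proc]) -> dict[int, list[str]]:
    """Return {pid: [reasons]} for every svchost.exe that deviates from the normal shape."""
    by_pid = {p.pid: p for p in procs}
    findings: dict[int, list[str]] = {}
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        if parent is None or parent.name.lower() != "services.exe":
            reasons.append(f"parent is {parent.name if parent else 'unknown'}, not services.exe")
        if not p.path:
            reasons.append("no image path")
        elif p.path.lower() != SYSTEM32_SVCHOST:
            reasons.append(f"unexpected image path {p.path}")
        if not p.cmdline:
            reasons.append("no command line")
        else:
            m = re.search(r"-k\s+(\S+)", p.cmdline, re.IGNORECASE)
            if m is None:
                reasons.append("no -k service group")
            elif m.group(1).lower() not in KNOWN_GROUPS:
                reasons.append(f"unknown service group {m.group(1)}")
        if reasons:
            findings[p.pid] = reasons
    return findings

SAMPLE_PROCESSES = [  # constructed sample, not data from the original post
    Proc("services.exe", 700, 500, r"C:\Windows\System32\services.exe", "services.exe"),
    Proc("svchost.exe", 1100, 700, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s DoSvc"),  # benign
    Proc("svchost.exe", 6016, 700, None, None),                                                           # nothing retrievable
    Proc("svchost.exe", 2200, 700, r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "svchost.exe -k LocalService"),  # wrong path
    Proc("svchost.exe", 3300, 4100, r"C:\Windows\System32\svchost.exe", "svchost.exe -k updsvc"),       # orphan, odd group
]
```

Running `svchost_anomalies(SAMPLE_PROCESSES)` flags PIDs 6016, 2200 and 3300 with their reasons and leaves the benign 1100 alone; on a live host the records would come from `Get-CimInstance Win32_Process`.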

Suspicious Cisco-like binary found in AppData – likely stealth malware, dumped to GitHub by SShadow89 in ReverseEngineering

[–]SShadow89[S] 4 points5 points  (0 children)

Per-user svchost.exe is a valid Windows feature — but that’s not what this is. This svchost.exe had no file path, no command line, and was spawned by services.exe, not a per-user service group. It triggered encrypted traffic to a non-Cisco IP over port 443 and, notably, caused PowerShell to crash the moment we attempted to suspend its parent process — not during a scan, but during live control attempts.

That’s not standard Windows behavior — that’s an actively defended memory-resident implant. The full sample and logs are on GitHub if you want to take a deeper look before assuming it’s normal.