Skip to content

Instantly share code, notes, and snippets.

View shavitush's full-sized avatar

shavit shavitush

174 followers · 8 following
View GitHub Profile
@shavitush
shavitush / From_MawaStealer_to_Vidar.md
Created February 28, 2026 12:59

From MawaStealer to Vidar: Sideloading via VLC

Introduction

The threat actor behind the MawaStealer campaign we saw a while ago is (probably) back. Instead of batch dropper -> PowerShell garbage disguised as a .lnk shortcut, they're actually using more sophisticated strategies now by leveraging libvlc.dll for DLL sideloading. They've been operating this campaign for roughly a month, since 2026-01-29. When I started analyzing this sample, it was delivered disguised as Jujutsu Kaisen episode 52, which I'm using as the base sample for this analysis. Ever since then, they've uploaded several fake highly-anticipated episodes for top-rated anime series (e.g., Sousou no Frieren and Oshi no Ko).

The latest attempt as of writing was performed through the Klyxar account which had been taken down.

@shavitush
shavitush / vidar_chrome_abe.c
Created February 27, 2026 13:30
Vidar Stealer v2's Chromium infostealer
// decomp with IDA Pro 9.3
// positive sp value has been detected, the output may be wrong!
__int64 process_browsers()
{
__int64 v0; // rcx
__int64 v1; // rbx
_BYTE *v2; // rbp
unsigned int v3; // esi
int v4; // r12d
@shavitush
shavitush / MawaStealer.md
Last active October 3, 2025 21:14

MawaStealer

Introduction

Nyaa. You're probably familiar with it if you're a stinky weeb like me. But if you're not, it's a torrent tracker; it allows users to upload torrents and to use their server as a tracker. In the past, the website allowed for registrations.
Ever since the website was flooded with child pornography and malware, they closed down on registrations years ago & disabled guest uploads, so only old accounts exist, and uploads are mostly fine. Occasionally, accounts are stolen and are used for spreading malware in the form of torrents.

Earlier today, 2025/09/11, there was a malicious archive uploaded to the website. It was titled Dr. STONE - Science Future - S04E21.zip. Advertises itself as a pirated copy of episode 21 in the 4th season of the anime series "Dr. STONE". The issue is that the contents of the file are actually a few unrelated items..

Figure 1: Screenshot of the archive's contents

@shavitush
shavitush / v83_actions.cpp
Created June 9, 2020 15:29
GMS v83 character action data
aCharacterActionData =
{
BSTR_INIT("walk1"),
BSTR_INIT("walk2"),
BSTR_INIT("stand1"),
BSTR_INIT("stand2"),
BSTR_INIT("alert"),
BSTR_INIT("swingO1"),
BSTR_INIT("swingO2"),
BSTR_INIT("swingO3"),
@shavitush
shavitush / xxhash.hpp
Last active February 17, 2021 12:59
Single header C++17 RAII wrapper for xxHash states and ultra fast file checksums
#pragma once
#include <any>
#include <cstdint>
#include <fstream>
#include <filesystem>
#include <xxhash.h>
class file_not_found_exception : public std::runtime_error
{
@shavitush
shavitush / sig_scan.hpp
Created March 9, 2020 12:27
template<typename T>
T sig_scan(const uint32_t dwStart, const uint32_t dwEnd, const uint8_t abPattern[], const char aMask[], const size_t dwPatternSize)
{
for(uint32_t i = dwStart; i < dwEnd; i++)
{
for(uint32_t x = 0; x < dwPatternSize; x++)
{
const uint8_t bMemory = *reinterpret_cast<uint8_t*>(i + x);
if(aMask[x] == 'x' && bMemory != abPattern[x])
@shavitush
shavitush / windia-client.md
Last active February 21, 2021 19:04

Windia client mods

Note: Anticheat related features are omitted from this list for obvious reasons.

  1. !notice uses a custom color
  2. .ini configuration
  3. @vote integration
  4. Added minimize button for the game client window
  5. Airborne teleporting
@shavitush
shavitush / osu! chat filters
Last active May 14, 2025 23:41
a list of chat filters
original word - filter
cookiezi - used to be "obama", "justin bieber" and "kettle". filter is removed now.
cookiez - used to be "lady gaga", now removed
dress - used to be "rainbow", now removed
cheat - break the law
ppv2 - pp
gay - coconut milk
fgt - lieutenant
nigger - fine sir
loli - fine lady