📦 Discord Forum Backup

LUCKYWARE OMG SOSA CANT CODE

📦 archived 💬 187 messages
📋 How the download works:
  1. nxs 2025-09-13 04:36:18 edited
    Use this "luckyware scanner/remover for the dumb kids like sosa (no brain cells)" And sosa u cant code so stop to make any "scanner" little skid make ur bank system in python bro 🙏
    Before using it, make a backup of your source codes, etc. Once the process is complete, use Revo Uninstaller to delete the remaining registry entries. Then reinstall everything and everything will be gone, allowing you to use it again without any problems.
    I've searched through it completely now. What you should check is AppData -> Roaming. If you find a BK** there, for example: “BK343816” or something else, delete it.
    - Uninstall Visual Studio 2022 using Revo Uninstaller because there are packages such as LW9547.dll that are executed with the compile
    - Among other things, there are also files such as ox_1757520376561.exe that have different names such as tx_**. These are usually 10-13 digits long and are located in %temp%, which you cannot delete. Among other things, if you block the domain frozi.cc anyway, Berok.exe will still be installed -> see Windows -> System32.
    - All files in C:\Program Files related to Visual Studio\2022 are infected, which means it is not only located in vcxproj as most people say. I have already finished my program and will publish the source code for it.
    - https://www.revouninstaller.com/de/start-freeware-download/
    - https://gofile.io/d/jSrUHs
  2. flytrap 2025-09-13 04:42:40
    what exactly are those images lol
  3. nxs 2025-09-13 04:42:47
    like this
  4. flytrap 2025-09-13 04:42:56
    ???
  5. nxs 2025-09-13 04:43:04
    read it
  6. flytrap 2025-09-13 04:43:14
    dont see what ur point is
  7. nxs 2025-09-13 04:43:19
    brain cells dead
  8. flytrap 2025-09-13 04:43:36
    ig
  9. flytrap 2025-09-13 04:43:56
    an explanation is needed
  10. nxs 2025-09-13 04:44:39
    I've searched through it completely now. What you should check is AppData -> Roaming. If you find a BK** there, for example: “BK343816” or something else, delete it.
    - Uninstall Visual Studio 2022 using Revo Uninstaller because there are packages such as LW9547.dll that are executed with the compile
    - Among other things, there are also files such as ox_1757520376561.exe that have different names such as tx_**. These are usually 10-13 digits long and are located in %temp%, which you cannot delete. Among other things, if you block the domain frozi.cc anyway, Berok.exe will still be installed -> see Windows -> System32.
    - All files in C:\Program Files related to Visual Studio\2022 are infected, which means it is not only located in vcxproj as most people say. I have already finished my program and will publish the source code for it.
    Thank you!
  11. flytrap 2025-09-13 04:44:42
    "bear in mind this is just a scanner and wont fully remove any sort of actual malware, it uses window host to block the luckyware domains but im pretty sure luckyware bypasses this" reading a little bit can go a long way
  12. flytrap 2025-09-13 04:45:34
    either way im not arguing over who can make a better luckyware scanner so godbless have a good day!
  13. nxs 2025-09-13 04:46:55
    It's sad when you can't even delete tx_ and ox_ huh, but one-sided beef is crazy, but have a nice day too, Sosa. The people who used yours only had problems with it. Mine has now been used by 7 people and everything has been cleared. Have a nice day, Sosa. <a:ie_red_hearts_flying6:921547568536752188>
  14. flytrap 2025-09-13 04:47:26
    its a scanner not a remover
  15. nxs 2025-09-13 04:47:40
    😭
  16. flytrap 2025-09-13 04:47:56
    i state in the description that its a scanner not a remover lmao
  17. nxs 2025-09-13 04:48:03
    check the source
  18. flytrap 2025-09-13 04:48:15
    ???????
  19. clixzy 2025-09-13 11:34:10
    luckyware has many domains not only one
  20. flytrap 2025-09-13 17:08:56
    we know
  21. w 2025-10-27 17:41:46
    thats luckyware lool
  22. w 2025-10-27 17:43:04
    luckyware + some stuff that guy executed
  23. w 2025-10-27 17:43:08
    from website
  24. piotlek12pl 2025-11-24 20:54:58
    new link plssss <@728261078378741810>
  25. xSenior 2025-11-26 07:29:49
    Could you give me new link? <@728261078378741810>
  26. !@ Kamerzystanasyt 2026-01-06 16:07:27
    luckyware source code got leaked also i found a way to see all processes it has injected its "pe" code into with this command ```Get-ChildItem -Path "C:\ProgramData" -Filter "*Dat.bin*"``` if it returns any file u can open it because its plain text it includes paths the files and all of those files are infected by luckyware bitdefender can remove the injected code but its not the best way to remove it the best way is just to delete the files and reinstall them from scratch. the payloads that are injected are fully encrypted with xor and base64
  27. !@ Kamerzystanasyt 2026-01-06 16:15:30
    also using hosts to block luckyware is not enough it uses google dns to resolve the server ip and uses that to directly run the payloads
  28. !username 2026-01-06 17:41:09
    lol where
  29. !@ Kamerzystanasyt 2026-01-06 17:59:49
    on github
  30. !@ Kamerzystanasyt 2026-01-06 18:00:01
    @/Emree1337/Luckyware/
  31. !username 2026-01-06 18:03:41
    thx some nig is trying to sell it
  32. !@ Kamerzystanasyt 2026-01-06 20:40:52 edited
    https://www.virustotal.com/gui/file/603fca356a71c96c0372aa228b9904bdae94b242562ba4424d1e51d8c3b5d2e7/behavior found another thing related to luckyware its part of svhosts and `nuzzyservices.com` is another domain of luckyware this gets boot with svhosts at `C:/ProgramData/bungee.boo`
  33. !@ Kamerzystanasyt 2026-01-06 20:41:04
    i think this is the main file that installs everything else
  34. !@ Kamerzystanasyt 2026-01-06 20:44:39
  35. !@ Kamerzystanasyt 2026-01-06 20:54:12
    i am gonna upload it on any run
  36. !@ Kamerzystanasyt 2026-01-06 20:55:11
  37. !@ Kamerzystanasyt 2026-01-06 20:55:15
  38. !@ Kamerzystanasyt 2026-01-06 20:59:10
    172.211.123.249:443 192.168.100.5:497 another luckyware ips
  39. !@ Kamerzystanasyt 2026-01-06 21:05:50
    ``` vcc-library.uk www.vcc-library.uk luckyware.cc phobos.top www.vcc-library.uk nuzzyservices.com dhszo.darkside.cy darkside.cy pee-files.nl devruntime.cy ``` current domains of luckyware
  40. !username 2026-01-06 21:09:18
    thx for posting all this knowledge so people can stay safe
  41. !@ Kamerzystanasyt 2026-01-06 21:29:43 edited
    the new luckyware is still skidded
  42. !@ Kamerzystanasyt 2026-01-06 21:29:46
    the urls are the same
  43. !@ Kamerzystanasyt 2026-01-06 21:54:32
    i guess bitdefender can remove it
  44. !@ Kamerzystanasyt 2026-01-06 21:54:38
    it was already detecting the urls
  45. !@ Kamerzystanasyt 2026-01-07 14:44:31
    bitdefender kills luckyware
  46. !@ Kamerzystanasyt 2026-01-07 14:46:24
  47. !@ Kamerzystanasyt 2026-01-07 14:46:27
    another domain of luckyware
  48. !@ Kamerzystanasyt 2026-01-07 14:46:29
    https://balista.lol/
  49. !@ Kamerzystanasyt 2026-01-07 14:48:15
    also recommend to wipe all your discord installs since it injects to them
  50. !@ Kamerzystanasyt 2026-01-07 14:56:12
  51. !@ Kamerzystanasyt 2026-01-07 15:21:50
    actually it even infects my c drive files
  52. !@ Kamerzystanasyt 2026-01-07 15:22:02
    so reinstall everything
  53. !username 2026-01-07 15:22:06
    Yes factory reset
  54. !username 2026-01-07 15:22:11
    Needed
  55. !@ Kamerzystanasyt 2026-01-07 15:22:19
    not needed because bitdefender has hashes of windows
  56. !username 2026-01-07 15:22:20
    It infects all executables
  57. !@ Kamerzystanasyt 2026-01-07 15:22:28
    i can just delete everything and reinstall
  58. !@ Kamerzystanasyt 2026-01-07 16:00:14
    actually found out where is their loader at
  59. !@ Kamerzystanasyt 2026-01-07 16:00:16
    ```C:\\Windows\\cldapi.dll```
  60. !@ Kamerzystanasyt 2026-01-07 16:00:33
    it also checks if the gpu is rtx and then installs bitcoin miner as .jpg
  61. !@ Kamerzystanasyt 2026-01-07 16:04:20
    https://hijacklibs.net/entries/microsoft/built-in/cldapi.html
  62. !@ Kamerzystanasyt 2026-01-07 16:57:24
    ```bat
    @echo off
    setlocal enabledelayedexpansion
    echo [*] Scanning all fixed drives for infected .vcxproj files...
    echo [*] Targets: "powershell", "WindowStyle Hidden", "iwr"
    rem Enumerate fixed disks (drivetype=3)
    for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=3" get name /value') do (
        rem wmic lines end with an extra CR; the inner for /f strips it from the drive name
        for /f "delims=" %%x in ("%%d") do set "drive=%%x"
        echo [*] Checking drive !drive!...
        for /f "delims=" %%f in ('dir /s /b "!drive!\*.vcxproj" 2^>nul') do (
            rem Flag a project only if it contains both "powershell" and "WindowStyle"
            findstr /I "powershell" "%%f" >nul
            if !errorlevel! equ 0 (
                findstr /I "WindowStyle" "%%f" >nul
                if !errorlevel! equ 0 (
                    rem ^^! prints a literal ! while delayed expansion is enabled
                    echo [^^!] INFECTED PROJECT: "%%f"
                    findstr /n /I "powershell" "%%f"
                    echo.
                )
            )
        )
    )
    echo [*] Scan Complete.
    pause
    ```
  63. !@ Kamerzystanasyt 2026-01-07 16:57:49
    scanner for luckyware in projects
  64. !@ Kamerzystanasyt 2026-01-07 17:00:17
    each project has different domain
  65. !@ Kamerzystanasyt 2026-01-07 18:56:21
    just creating yara rules for luckyware
  66. !@ Kamerzystanasyt 2026-01-07 20:10:25
  67. !@ Kamerzystanasyt 2026-01-07 20:10:27
    luckyware is pasted
  68. !@ Kamerzystanasyt 2026-01-07 20:10:29
    nothing has been changed
  69. !@ Kamerzystanasyt 2026-01-07 20:10:39
    i even think dumping all their domains is possible
  70. !@ Kamerzystanasyt 2026-01-07 20:11:21
    its using random github repos for the domains and the key is always the same
  71. !@ Kamerzystanasyt 2026-01-07 20:14:40
    ima see if there is a way to undo the file infection
  72. !@ Kamerzystanasyt 2026-01-07 20:54:14
    bitdefender just wiped all the ratted files except the projects
  73. !@ Kamerzystanasyt 2026-01-07 21:02:00
    this is how the ratted exe files look like
  74. !@ Kamerzystanasyt 2026-01-07 21:02:29
    bitdefender flags them
  75. !@ Kamerzystanasyt 2026-01-07 23:48:16
    https://github.com/Alangopro/LuckywareReverse/tree/main made a scanner that is unstable but at least works
  76. !@ Kamerzystanasyt 2026-01-08 00:09:02
    so undetected
  77. !@ Kamerzystanasyt 2026-01-08 00:11:59
  78. !@ Kamerzystanasyt 2026-01-08 11:45:56
    i guess ima also release this
  79. !@ Kamerzystanasyt 2026-01-08 11:57:30
  80. !@ Kamerzystanasyt 2026-01-08 12:05:10
    might change it to the whole powershell payload rather than just looking for domains
  81. !@ Kamerzystanasyt 2026-01-08 12:07:08
    https://luckyware.queenmc.pl/
  82. !@ Kamerzystanasyt 2026-01-08 13:54:19
  83. !@ Kamerzystanasyt 2026-01-08 13:59:03
    works with .exe files
  84. !username 2026-01-08 16:09:17
  85. !username 2026-01-08 16:09:34
    Cool thx for this
  86. !@ Kamerzystanasyt 2026-01-08 17:36:13
    well eric probably gonna make a vid about this rat
  87. Yazz.AKM 2026-01-08 17:55:13
    Fire
  88. Yazz.AKM 2026-01-08 17:55:40
    Make sure to say its being spread via cheats and also via source codes that it infects nd allat
  89. Sekso777 2026-01-08 19:40:30
    i love u
  90. Sekso777 2026-01-08 19:48:49
  91. Sekso777 2026-01-08 19:48:50
    holy shit
  92. !username 2026-01-08 20:22:06
    bro saved you
  93. Sekso777 2026-01-08 20:23:42
    bro at the end i had 304 threats
  94. Sekso777 2026-01-08 20:23:44
    not 34
  95. 67 67 tung tung tung sahur 67 67 2026-01-10 13:39:35
    should i buy bitdefender premium or is free fine?
  96. !@ Kamerzystanasyt 2026-01-10 13:54:25
    free trial should be enough
  97. 67 67 tung tung tung sahur 67 67 2026-01-10 14:11:25
    what scan should i do to check if i have luckyware?
  98. !@ Kamerzystanasyt 2026-01-10 14:55:39
    system scan
  99. !@ Kamerzystanasyt 2026-01-12 13:00:34
    if u open an exe and it has section like this with this jump its infected by luckyware
  100. !@ Kamerzystanasyt 2026-01-12 13:20:32
    shit so detected
  101. !@ Kamerzystanasyt 2026-01-12 13:21:13
  102. !@ Kamerzystanasyt 2026-01-12 13:24:52
    https://app.any.run/tasks/62b741bf-aaf0-43ab-aad4-110361b83370
  103. !@ Kamerzystanasyt 2026-01-12 13:41:22
  104. !@ Kamerzystanasyt 2026-01-12 14:42:32
    https://github.com/Emree1337/Luckyware/blob/main/LuckywareCode/InfDLL/TheDLL.cpp this is the rat that is being injected into the exes
  105. !username 2026-01-12 14:49:46
    this is btw ratted also
  106. !username 2026-01-12 14:49:48
    the project
  107. !username 2026-01-12 14:50:00
    if u build it and run it it has a rat in it
  108. !@ Kamerzystanasyt 2026-01-12 15:01:20
    it literally says its ratted in the readme
  109. !@ Kamerzystanasyt 2026-01-12 15:01:45
    luckyware payload in the pe is not even hiding anything except the strings
  110. !@ Kamerzystanasyt 2026-01-12 15:04:46
    got their main download server
  111. !@ Kamerzystanasyt 2026-01-12 15:04:47
    https://check-host.net/ip-info?host=http%3A%2F%2F91.215.169.51%2F
  112. !@ Kamerzystanasyt 2026-01-12 15:04:49
    luckyware is from russia
  113. !username 2026-01-12 15:05:01
    no way 😭
  114. !@ Kamerzystanasyt 2026-01-13 15:40:19
  115. !username 2026-01-13 18:19:06
    Nice
  116. !@ Kamerzystanasyt 2026-01-15 20:59:05
    they got "bulletproof" hosting that won't take it down
  117. !@ Kamerzystanasyt 2026-01-15 20:59:32
    i reported over 200 urls related to luckyware
  118. !@ Kamerzystanasyt 2026-01-16 15:22:47
    undetected rat being detected
  119. !username 2026-01-16 20:52:37
    Can’t you provide them the src code
  120. !@ Kamerzystanasyt 2026-01-16 21:33:43 edited
    i alr did give them the src code
  121. !username 2026-01-16 21:46:43
    ah kk
  122. Sekso777 2026-01-17 12:24:14
    <@1396343783532138517>
  123. Sekso777 2026-01-17 12:24:17
    are u polish?
  124. !username 2026-01-19 18:13:23
    prob not
  125. !username 2026-01-19 18:13:29
    but its downloading some files
  126. !username 2026-01-19 18:13:34
    maybe a driver and mapper
  127. GH0ST 2026-01-19 18:24:57
    .bin? ;/
  128. !username 2026-01-19 18:25:19
    ok bro im done
  129. !username 2026-01-19 18:25:24
    thats crazy
  130. GH0ST 2026-01-19 18:25:57
    bro
  131. GH0ST 2026-01-19 18:26:01
    im not a nerd like u 😭
  132. !username 2026-01-19 18:26:16
    im not a nerd because i know basic shit
  133. GH0ST 2026-01-19 18:26:27
    im just making sure man 🙏
  134. GH0ST 2026-01-19 18:28:31
    tell that to my grandma and if she says she knows it i give u billion dollar
  135. !@ Kamerzystanasyt 2026-01-20 18:14:47
  136. !@ Kamerzystanasyt 2026-01-20 18:14:49
    w
  137. !username 2026-01-20 18:21:44 edited
    bro managed to get them to remove it W
  138. !username 2026-01-20 18:21:59
    which av is it ?
  139. !username 2026-01-20 18:22:17
    <@1396343783532138517>
  140. !@ Kamerzystanasyt 2026-01-20 21:37:14
    bitdefender
  141. oblahh 2026-02-10 11:17:24 edited
    does malwarebytes detect it or only bitdefender
  142. !@ Kamerzystanasyt 2026-02-10 13:39:52
    bitdefender because malwarebytes doesnt use lw sigs
  143. 𝗪𝗛𝗜𝗧𝗘 𝗛𝗘𝗫 🗕🗗 🗙 2026-02-10 16:36:59
    lucky ware is open source mate
  144. 𝗪𝗛𝗜𝗧𝗘 𝗛𝗘𝗫 🗕🗗 🗙 2026-02-10 16:37:00
    ahhahaha
  145. 𝗪𝗛𝗜𝗧𝗘 𝗛𝗘𝗫 🗕🗗 🗙 2026-02-10 16:37:18
    been released like 3 months ago
  146. lil baboon | botninja.ai 2026-02-15 12:33:53
    if i just reinstall windows does it fix the luckyware
  147. lil baboon | botninja.ai 2026-02-15 12:34:01
    and also does this fix darkside asw?
  148. !@ Kamerzystanasyt 2026-02-15 21:24:54
    yea because it wipes all the infected exe files
  149. !@ Kamerzystanasyt 2026-02-15 21:25:09
    also git deleted the lw source so maybe someone archived it
  150. !@ Kamerzystanasyt 2026-02-25 23:00:32
    found where it hijacks notepad
  151. !@ Kamerzystanasyt 2026-02-25 23:01:23
    ``` reg query "HKCR\txtfile\shell\open\command" ```
  152. ! notpremguini 2026-02-26 13:49:36
    nothing special, everyone knows that 🤯
  153. Sekso777 2026-02-28 20:03:56
  154. Sekso777 2026-02-28 20:04:02
    <@1396343783532138517> is ts luckyware?
  155. !@ Kamerzystanasyt 2026-02-28 20:05:02
    yea it is
  156. furix 2026-03-05 11:19:49
    Holy retards
  157. furix 2026-03-05 11:20:10
    Just block the domains via firewall via tcp and udp
  158. furix 2026-03-05 11:20:20
    And reinstall vs 2022
  159. furix 2026-03-05 11:20:33
    Clear temp and app data
  160. furix 2026-03-05 11:20:59
    Get the backend ip via fofa or censys
  161. furix 2026-03-05 11:21:08
    The owner of luckyware is a retard
  162. furix 2026-03-05 11:21:12
    My stealer better
  163. !@ Kamerzystanasyt 2026-03-05 20:25:37
    domains are useless they use direct ips and encrypted traffic
  164. !@ Kamerzystanasyt 2026-03-05 20:25:43 edited
    they fetch their ips through google dns api
  165. !@ Kamerzystanasyt 2026-03-05 20:55:05
    <@1298620947502206999> found current hosting of luckyware btw
  166. !@ Kamerzystanasyt 2026-03-05 20:55:21
    and they already exist on some post
  167. !@ Kamerzystanasyt 2026-03-05 20:57:51
    <https://gbhackers.com/russian-hackers-leverage-bulletproof-hosting/>
  168. Nuvora 2026-03-06 20:47:00
    bro their crypto wallets been sitting there for a while nothing happening i wonder when they gonna send it out
  169. ! notpremguini 2026-03-14 16:12:27
    funny guy lol
  170. ! notpremguini 2026-03-14 16:12:33
    you dont have to reinstall vs
  171. ! notpremguini 2026-03-14 16:12:44
    just edit winnet
  172. ! notpremguini 2026-03-14 16:13:27
    „semi malware dev“
  173. L’élu 2026-03-25 14:01:39
    miss exo-api.tf
  174. L’élu 2026-03-25 14:01:56
    and infect imgui impl win32.cpp too
  175. L’élu 2026-03-25 18:23:35
    Thanks for all your work we need more people like you
  176. L’élu 2026-04-04 17:14:29
    i get this when i open clean .sln files for the first time imgui and vcprj not infected
  177. zoa 2026-04-05 11:33:51 edited
    could be in ur build output/winnet.h, ur win32.cpp/ other cpp stuff
  178. REIMAN 2026-04-07 11:51:22
    kids
  179. Nuvora 2026-04-09 15:42:14
    bro
  180. Nuvora 2026-04-09 15:42:30
    luckyware is this https://dhszo.darkside.cy/Dashboard/Builder/
  181. Nuvora 2026-04-09 15:43:25
    https://www.shodan.io/domain/vcc-library.uk
  182. Nuvora 2026-04-09 15:44:32 edited
    luckyware uses https://dhszo.darkside.cy/Login/
  183. Nuvora 2026-04-09 15:46:15
  184. Sekso777 2026-04-09 15:48:04
  185. Sekso777 2026-04-09 15:48:11
    🔥
  186. Nuvora 2026-04-09 15:48:30
    😂
  187. repeat 2026-04-14 22:26:57
    just format your pc