- Isn't this really non-viable in practice? The "few headers" that were shown include an Authorization header, that would presumable rotate every ~24 hours and would have to rotate for all the malware clients as well.
- Are centralized Command and Control Severs still a thing in the malware space? I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.
Yes, centralised C2 is definitely still a thing in the malware space, for commodity malware it works well enough that there's little real incentive to move to anything more complex.
Also thanks for bringing up the blockchain C2 use, that's cool and news to me.
I have built dead simple bots on both session/simplex trying both of them out and session was the more ergonomic one to build on but simplex is more decentralized considering session's more crypto related and wants to ask you for money for node whereas simplex doesn't
Although on the other hand, simplex wants to do client side verification on their official client and their bot creation was really painful to start with so but I do feel like its more decentralized but not sure, Both have consequences but honestly I just really end up shilling signal in the end for most people's usual use cases which is communication but its super great to know that there are alternatives.
Matrix is really cool as well. especially cinny's ui (https://cinny.in)
Why would you want to use blockchains for this? DHT has been used for distributed c&c for ages and is generally a much lighter option.
But no, P2P C&C is still not really typical. In practice, there's mostly not that much need for it. Also, FWIW, for practically all use-cases P2P C&C discovery is a vastly better option.
I found it when I realized that nano had 0 fees and I realized that by using a nano vanity address generator, I can embed data into a series of transactions and then basically embed data into the chain (for free) since there is 0 gas fees
Now I created it as a way of getting timestamps of any data onto the chain but you can embed any information and create c2c's on top of that
There is also a way that I vibe coded once to embed data directly into the vanity address and so you can lose 10^-32 nano or basically negligble which is more efficient as well
If you have any questions, I'd love to answer (also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest)
Is this you? https://github.com/Koeng101/nanotimestamps
> also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest
At the risk of derailing the thread, I agree. However, I think "tokenization" is probably crypto's killer app if the messy problem of legal finality rectifying assets on the blockchain with their real-world counterparts can be solved. I touched upon this in a separate post on my blog.
If you are interested in L2's, polygon's cheap as well fwiw
No its not, I have the domain nanotimestamps.org but its not really doing much (its called laziness from my side)
https://github.com/SerJaimeLannister/nanotimestamp/blob/main...
Here you go! (the video starts as a gif but there is also a .mp4)
Ended up finding that the best way to upload videos is probably github wiki pages
https://github.com/SerJaimeLannister/nanotimestamp/wiki
So let me know how you like this project, Y'know making this project had to make me build some abstractions which you might be interested to look at as well and could be used for multiple purposes.
Create an issue in my github repo if you want to talk to me if you have any questions as well and I would love to answer there and here as well if you wish! Glad my project could be of interest to ya! If you have any use cases for my project, then let me know as well
have a nice day! Looking forward to talk to ya
You really don't need to spend any money at all and that's actually how I built it. I recommend you to contact me if you wish to run it locally for experiments purposes as it requires bao and nano-vanity-generator, you can take the look at the code
Also I would like to disclose that the code is AI generated. I have no expertise in this field but I found this idea fascinating and saw nobody doing it so did it. But still, I am just proud of my idea and I get good reception whenever I mention this idea (which is quite a lot, tbh I am proud of it a little) so yeah, I love talking about this project's idea fascinating as well and I have expanded upon this work privately to even build ways of creating ones own tokens on top of nano etc. but creating wallet etc. and more abstractions felt wrong and I just wanted to prove it was possible
To be honest, you creating a c2 server on hinge was similar to this feeling of "proving" as well.
To me, its just that if I can prove something, then I can figure out the practical uses of it later (like discussing it right now) etc.
I guess we both are similar in the "proving" way reading your article which is nice to hear, Let me know if you have any questions as I would love to answer!
So that you can then use that account, which is tied to your biometrics, for lawbreaking?
Wut?
There is an extremely profitable company (whose data hoard keeps geting hacked but why should they care?) built around this:
https://www.au10tix.com/
Fundamentally no amount of front facing camera on a physical device or other shenanigan a company might do can really do anything about it?
Account creation requires biometric face-scan.
https://redlib.catsarch.com/r/SwipeHelper/search?q=hinge+sel...
Maybe you're getting lucky and not tickling their risk-based nonsense, but now that this article has been posted they'll certainly crank that knob up to 11.
You probably don't use Hinge. The verification is not necessary at all. It's merely used to "verify" your identity to other users. It has no bearing on what I cover in the post.
Edit: e.g. via residential proxy IPs and a bunch of cheap Android phones
levzettelin•20h ago
kls0e•20h ago
litheon•20h ago
The author basically found a creative use of Hinge’s infrastructure and proved it could be used to control malware.
lisbbb•16h ago
richbell•15h ago
A secondary goal is to do so while evading detection. This is why many threat actors piggy-back off of legitimate services, it disguises the malware communications and avoids directly exposing the upstream C2 instance.
tanduv•20h ago