[Aurornis]

> the variety of malware would make the script not so simple, and not so effective.

The article is about using scripts to identify and download the malware. They identified over 1000 matching repos, which would contain Discord webhooks in the script.

Scanning and identifying has already been done. That’s literally what the article is about.

It’s right in the second paragraph:

> As soon as you download and launch any of these, all the data from your computer is collected and sent to some discord server

[catsma21]

yes, they identified spammy repos. you'd also need to identify which repos belong to which spammer groups, it's not just one person doing this (as mentioned in the article) -> they don't use the same malware. saying "sent to some discord server" is like saying "playing games on my nintendo". the malware is also obfuscated (as mentioned in the article) which makes identifying the home server harder with static analysis.

why don't we just send bad people to jail?

[Aurornis]

The web hook is in the templated script

From the article:

> The "trust" value, when base64-decoded, turns out to be a discord webhook link: myhook = 'https://discord.com/api/webhooks/1050437982584324138/VJByvmB...'

Collect all the scripts matching the template. Extract the “trust” variable. Decode base64. Send to Discord with proof of how it was obtained.

Discord then identifies the Discords matching those webhooks.

It’s not some hard static analysis problem. These are python scripts with a base64 encoded variable. I don’t understand why you’re making it out to be something other than what the article says.

[catsma21]

the article details how github is spammed by multiple people who read one guide. not every single one of the 1000 repos is THE SAME breed of malware. some overlap, maybe. but some is c#, some is rust, some is python. out of those that are python, some are obfuscated with this love/trust/joy obfuscator, some use pyarmor, some are compiled with nuitka. no, the guide does not instruct you which malware strain to use, only how to game github for traffic.

if it was that simple it would be a solved problem. i encourage you to give it a shot

[Aurornis]

> not every single one of the 1000 repos is THE SAME breed of malware. some overlap, maybe. but some is c#, some is rust, some is python

No, the article is specifically about 1115 malware repos built from the same template

This is taken from the intro of the article:

> Wrote a script that helped me find 1115 repositories built based on the instructions from the guide.

I don’t know what you think you’re talking about, but you’re not talking about the article that I’m talking about.

The template repo is here: https://github.com/Jalynn0922/steal-cook

It contains the main.py script that the article is talking about.

[catsma21]

NOT the same malware template. article only details how "This first repo I found" works, not all of them. look at how his github searching script works in "Scraping Github" - there is no way to determine what malware is in the repo, only that it is doing keyword stuffing.