zlacker

[parent] [thread] 4 comments
1. lionko+(OP)[view] [source] 2025-12-04 12:03:11
I'm not who you asked, but essentially, when you write malware that infects someone's PC, that in itself doesn't really help you much. You usually want to get out passwords and other data that you might have stolen.

This is where an exfil (exfiltration) route is needed. You could just send the data to a server you own, but you have to make sure that there are fallbacks once that one gets taken down. You also need to ensure that your exfiltration won't be noticed by a firewall and blocked.

Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.

replies(2): >>ale42+U1 >>skrebb+q3
2. ale42+U1[view] [source] 2025-12-04 12:15:04
>>lionko+(OP)
> Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.

A permanent SSH connection is not exactly discreet, though...

3. skrebb+q3[view] [source] 2025-12-04 12:27:30
>>lionko+(OP)
Thanks!

Though the public address is going to be random here so how will the hacker figure out which tunnl.gg subdomain to gobble up?

replies(2): >>rany_+2w >>gnfarg+Tc1
◧◩
4. rany_+2w[view] [source] [discussion] 2025-12-04 15:24:29
>>skrebb+q3
I've seen lots of weird tricks malware authors use, people are creative. My favorite is that they'd load up a text file with a modified base64 table from Dropbox which points to the URL to exfiltrate to. When you report it to Dropbox, they typically ignore the report because it just seems like random nonsense instead of being actually malicious.
◧◩
5. gnfarg+Tc1[view] [source] [discussion] 2025-12-04 18:51:13
>>skrebb+q3
That's actually a fair defence against this kind of abuse. If the attacker has to get some information (the tunnel ID) out of the victim's machine before they can abuse this service, then it is less useful to them because getting the tunnel ID out is about as hard as just getting the actual data out.

However, if "No signup required for random subdomains" implies that stable subdomains can be obtained with a signup, then the bad guys are just going to sign up.

[go to top]