endrift 🏳️‍⚧️

1,080 Followers
49 Following
3.2K Posts
Professional Cyberentomologist, Hobbyist Emulator Developer. Purveyor of cursed technological information.
Pronouns: she/they
Primary dev on mGBA
Website: https://endrift.com
GitHub: https://github.com/endrift
it seems someone decided to prove you really can just publish any nonsense protocol draft with the IETF https://www.ietf.org/archive/id/draft-meow-mrrp-00.html
Meow

Meow meow meow meow Meow Meow Meow (MEOW). MEOW meow meow meow meow-meow meow meow meow Meow meow meow, meow meow meow meow meow meow meow meow meow meow meow meow meow Meow. Meow meow meow, mrrp meow meow meow meow meow meow meow MEOW meow meow meow meow meow MEOW MEOW, meow meow meow meow meow meow meow mrow meow meow. Meow meow meow meow meow meow meow meow meow meow meow meow meow MEOW MEOW. Meow meow meow MEOW MEOW, meow meow meow Meow MEOW, MEOW, MEOW, MEOW, MEOW, meow MEOW meow meow meow meow MEOW MEOW. Meow meow Meow MEOW meow MEOW, meow meow meow meow meow meow moew meow meow meow meow meow meow meow meow meow MEOW meow. Meow meow meow MEOW MEOW meow meow nya meow meow meow meow meow meow meow meow MEOW-MEOW meow. Meow MEOW meow meow meow meow MEOW MEOW meow meow meow meow meow meow MEOW MEOW.

ok it's up now and...uh...is that the supersymmetric partner of a region or
Bluesky's status page is down ahahahahahahaha oh my god they expect people to take them seriously
Anyway yeah if a malware analyst follows me and wants any of the stages involved, from the raw Python script to the machine code payload lmk
I don't think it actually injects this machine code as a payload; it just loads it into memory as a bytestring in Python, remaps the memory as executable, and then calls directly into it, with some malware-prevention bypass stuff in the middle.
Ok, it looks like it starts the CLR... in the Python process, I think? Some code runs next whose exact purpose I don't know, but it seems to monkeypatch the clr DLL in the current process, which I think specifically is to bypass the Anti-Malware Scan Interface by replacing a reference to amsi.dll with ansi.dll. And then it invokes the payload in the process itself using LdrCallEnclave, I think.
So to summarize: a disguised Python loader loads a base85 Python script, which itself loads a base64 zlib-compressed Python script, which injects some machine code into another process, which likely contains further obfuscations.
I suspect this stage is just a payload injector that is installed into something else. The payload itself is a 781579 byte blob of x86 machine code. I suspect that payload isn't even the main payload but instead an encrypted blob and decryption stage for the final payload. But I really don't feel like tossing the blob into ghidra. SHA-256 of the machine code blob is 64f70a4cfdf24b817c795ea28b90cad23af92f640c616464bbea365d4c1c89aa.
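Added example, not endrift's code and not the sample discussed above: a small static unpacker for the loader chain the thread describes (a base85-encoded Python script wrapping a base64 zlib-compressed Python script wrapping a raw byte blob). It peels the layers with the parser instead of exec(), so nothing from the sample runs, then reports the SHA-256 of the innermost blob and any indicator strings seen on the way. The loader it unpacks is constructed here; the exec()/variable idiom, the INNER_BLOB bytes and the ctypes/VirtualProtect indicators are assumptions, since the real sample's structure is not on the page.

```python
import ast
import base64
import binascii
import hashlib
import re
import zlib

# Constructed stand-in for the innermost blob: NOT real shellcode, just bytes
# so the encoding layers have something to wrap.
INNER_BLOB = b"\x90" * 16 + b"\xc3" + bytes(range(64))

# Strings worth flagging in any decoded layer. amsi.dll/ansi.dll and
# LdrCallEnclave come from the thread above; ctypes and VirtualProtect are
# assumptions about how a Python loader would remap memory as executable.
INDICATORS = ("amsi.dll", "ansi.dll", "LdrCallEnclave", "ctypes", "VirtualProtect")

# A quoted run of at least 32 characters drawn from the base64 and base85 alphabets.
ENCODED_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/=!#$%&()*\-;<>?@^_`{|}~]{32,})\1""")


def build_sample_loader(blob: bytes) -> str:
    """Construct a loader shaped like the one described (the exec()/variable
    idiom is an assumption): stage 1 is base85 of a script that decodes
    stage 2, which is base64 of a zlib-compressed script embedding the blob."""
    stage3 = (
        "import ctypes\n"
        "payload = " + repr(blob) + "\n"
        "# ... remap as executable and call into it ...\n"
    )
    stage2 = base64.b64encode(zlib.compress(stage3.encode())).decode()
    stage2_script = (
        "import base64, zlib\n"
        "exec(zlib.decompress(base64.b64decode(" + repr(stage2) + ")))\n"
    )
    stage1 = base64.b85encode(stage2_script.encode()).decode()
    return "import base64\nexec(base64.b85decode(" + repr(stage1) + "))\n"


def try_decode(literal: str):
    """Return (label, bytes) for the first layer encoding that decodes the
    literal, or None. base64+zlib goes first because the zlib header and
    checksum make a false positive unlikely; bare base85/base64 are looser."""
    raw = literal.encode()
    attempts = (
        ("base64+zlib", lambda d: zlib.decompress(base64.b64decode(d, validate=True))),
        ("base85", base64.b85decode),
        ("base64", lambda d: base64.b64decode(d, validate=True)),
    )
    for label, fn in attempts:
        try:
            return label, fn(raw)
        except (binascii.Error, ValueError, zlib.error):
            continue
    return None


def peel_layers(loader_text: str, max_layers: int = 8) -> list:
    """Statically unwrap nested encoded string literals without executing
    anything. Returns [(label, decoded_bytes), ...] from outermost inward."""
    layers = []
    current = loader_text
    for _ in range(max_layers):
        found = None
        for m in ENCODED_LITERAL.finditer(current):
            found = try_decode(m.group(2))
            if found is not None:
                break
        if found is None:
            break
        layers.append(found)
        try:
            current = found[1].decode("utf-8")
        except UnicodeDecodeError:
            break  # binary, not another script: nothing more to peel
    return layers


def bytes_constants(script: str) -> list:
    """Pull every bytes literal out of a script via the parser, not exec()."""
    tree = ast.parse(script)
    return [n.value for n in ast.walk(tree)
            if isinstance(n, ast.Constant) and isinstance(n.value, bytes)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyze(loader_text: str) -> dict:
    """Peel the loader, locate the innermost blob, and report its hash plus
    any indicator strings seen in the decoded layers."""
    layers = peel_layers(loader_text)
    texts = [loader_text] + [d.decode("utf-8", "replace") for _, d in layers]
    report = {
        "layers": [label for label, _ in layers],
        "indicators": sorted({i for i in INDICATORS if any(i in t for t in texts)}),
        "blob_len": 0,
        "blob_sha256": None,
    }
    if not layers:
        return report
    innermost = layers[-1][1]
    try:
        blobs = bytes_constants(innermost.decode("utf-8"))
        blob = max(blobs, key=len) if blobs else None
    except (UnicodeDecodeError, SyntaxError):
        blob = innermost  # the last layer already is the binary blob
    if blob is not None:
        report["blob_len"] = len(blob)
        report["blob_sha256"] = sha256_hex(blob)
    return report


if __name__ == "__main__":
    print(analyze(build_sample_loader(INNER_BLOB)))
```

The order of decoders in try_decode matters: a base64 string can consist entirely of base85 alphabet characters, so b85decode would happily turn it into junk if it were tried first; requiring a valid zlib stream before accepting the base64+zlib reading keeps that from happening. On a real sample you would feed the file contents to analyze() and compare the reported hash against the one quoted above.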
wait sorry it's not just their age assurance breaking it; that's just the first casualty. If that one resolves some other requests to hygrophorus still break. e.g. querying notifications.
502 errors on hygrophorus.us-west.host.bsky.network