Let’s talk about FUNKY BOOBSWEAT

By GAYINT Staff

Hey babes!

Yesterday, the suits over at CISA wrote a really boring post about some stuff they found happening in China.

In response, here’s GAYINT’s advisory. We’re like if CISA was TRANSA.

FUNKY BOOBSWEAT is our official name for this group. FUNKY BOOBSWEAT, according to the feds, is a Chinese group that’s been jiggling the doorknob on computers in the US, Australia, Canada, New Zealand, the UK, "and other areas globally." We wish they would say what "other areas globally" means, but for now we’ll just assume they mean the Republic of Molossia.

FUNKY BOOBSWEAT has been stealing files, info, money, crypto, robux, and probably the emails of a bunch of ISP and phone companies. They’ve also been trying to get into the computers of transit agencies, which honestly? Transphobic.

If you or a loved one want to make sure you don’t get soaked by FUNKY BOOBSWEAT, you should install security updates on the following things:

Once FUNKY BOOBSWEAT has girlbossed their way into your network, they really like moving into your VPSs and your routers. Probably their most toxic trait is how they will implant backdoors into random edge devices like firewalls and routers, just in case that becomes important later. Update the firmware on your fancy gamer routers!!! Look in your logs for any weird looking IPsec traffic. Double check any traffic with services you’re running and, if it fails the vibe check, ban and patch. Worst case scenario, you can always unban later if you accidentally blocked your coworker Fred from playing Umamusume on the company dime.

The scary thing is we don’t always know how they get in? Like presumably they’re also phishing people, because that’s a fun hobby for most of these groups, but if you have any info on how they got into YOUR network, you should probably tell your local authorities uwu.

Once FUNKY BOOBSWEAT is in your house and office, they like to update your access control lists. They like to name their list "access-list 20" but, honestly? Now that there’s a writeup about it they’re probably going to rename the file. Do yourself a favor and set up file update auditing on your access lists and hostfiles to keep an eye out for anything weird.

If you’ve got a web server running on your computer, and it starts behaving weird, LOOK INTO IT! FUNKY BOOBSWEAT sometimes messes with servers to turn them into command and control servers, or to turn into a reverse tunnel so they can get back into your computer later. Keep your stuff up to date and read through the bash_history for any service users you have to see if they slipped up and left footprints on your carpet.

When FUNKY BOOBSWEAT finds a juicy router to set up shop in, they like to set up SSH connections, weird web panels and SNMP-based command execution. If your ASUS gamer router is suddenly saying things to you other than how much time you’ve spent playing Stardew Valley, change your password and install updates! Also consider turning off SNMP. Who even uses it? We know we don’t. We checked.

Remember how Cisco runs a lot of their things through embedded Linux? That’s free real estate, babes. If you smell anything funky, check your Cisco boxes and make sure they’re not installing random stuff or enabling guestshell. If you find a guestshell, run guestshell disable and guestshell destroy to kick them out and then, you guessed it, change your passwords and install updates and turn off anything you’re not using. Are you noticing a pattern here?

A lot of the time, when FUNKY BOOBSWEAT gets whatever they want from you, they try to send that info through peer to peer connections with other boxes. They use lots and lots of different ways of getting that info out. So, if you see a bunch of outbound IRC messages, or a bunch of email traffic to an address you don’t recognize or a usenet address you don’t know about, or like idk sometimes they just upload stuff directly to a lightbulb they control because the future is great. You already know my advice for this.

If you or a loved one find yourselves with an awkward case of FUNKY BOOBSWEAT, you should for sure ban them and also tell someone, but while you ban them can you do me a favor? Load up Wireshark or tshark or some other pcap capturing service, and record the pcaps of what they’re doing for a bit. We have a bunch of big brain babes looking into FUNKY BOOBSWEAT, and the more data we have the better.

Okay that’s all we have. Stay safe out there! Remember that hot girls monitor for any sus config file changes, file permission changes or weird outbound traffic.
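Since "monitor for sus config file changes" is the whole thesis, here’s a tiny added example of what that looks like in practice: a script (ours, not CISA’s and not a vendor tool) that diffs two IOS-style running-config snapshots and flags the kinds of additions called out above (a new access-list 20, guestshell getting enabled, a new read-write SNMP community). Both config snapshots are constructed samples, and the guestshell/IOx and SNMP line formats are assumptions about how those show up in a running-config.

```python
# Added example: flag suspicious additions between two IOS-style config snapshots.
# BASELINE and CURRENT are constructed samples, not real device configs.
import re
from difflib import unified_diff

BASELINE = """\
hostname edge-rtr-1
username admin privilege 15 secret 5 $1$placeholder
snmp-server community readonly RO
access-list 10 permit 10.0.0.0 0.255.255.255
"""

CURRENT = """\
hostname edge-rtr-1
username admin privilege 15 secret 5 $1$placeholder
snmp-server community readonly RO
snmp-server community public RW
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 20 permit 203.0.113.0 0.0.0.255
iox
app-hosting appid guestshell
"""

# Patterns worth a second look when they show up as *new* lines. The ACL name
# "access-list 20" comes from the advisory; the rest are generic drift checks.
SUSPICIOUS = [
    (re.compile(r"^access-list 20\b"), "new ACL named access-list 20 (named in the advisory)"),
    (re.compile(r"^access-list \d+"), "new access-list entry"),
    (re.compile(r"^(iox|app-hosting appid guestshell)$"), "guestshell / IOx container enabled"),
    (re.compile(r"^snmp-server community \S+ RW\b"), "new read-write SNMP community"),
]

def added_lines(baseline: str, current: str) -> list:
    """Return config lines present in current but absent from baseline."""
    diff = unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]

def flag_config_drift(baseline: str, current: str) -> list:
    """Return (line, reason) for each added line matching a pattern (first match wins)."""
    findings = []
    for line in added_lines(baseline, current):
        for pat, reason in SUSPICIOUS:
            if pat.search(line):
                findings.append((line, reason))
                break
    return findings

if __name__ == "__main__":
    for line, reason in flag_config_drift(BASELINE, CURRENT):
        print(f"[!] {reason}: {line}")
```

Point it at a scheduled `show running-config` dump versus your last known-good copy and you have the boring version of the audit this post keeps asking for.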



Updated: 28 August 2025