Draft:OpenBullet

OpenBullet is an open-source web testing and penetration testing suite for Microsoft Windows, released in May 2019.

Requests
OpenBullet allows developers to send requests in bulk to a target website for the purpose of pentesting.

Stacker and LoliScript
Using its programming language options, such as LoliScript, users can create custom scripts to perform penetration tests against a target. LoliScript also allows users to parse data into the "Hits" menu, which, in the context of pentesting, can show valid credentials. Stacker is a simpler interface that lets users create configs with LoliScript without learning the language. It works by arranging blocks (similar to those in simple programming languages such as Scratch) to execute actions. It allows users to use features such as automated web browsing with Selenium or Puppeteer, and parsing JSON data pulled from the target.

CAPTCHA Solving
OpenBullet cannot solve CAPTCHA tests on its own, though OpenBullet 2 can connect to several external "CAPTCHA farm" services to solve them, bypassing anti-bot measures on websites. This feature is typically associated with OpenBullet's use in cybercrime, as its legal applications are for personally owned websites only.

Cybercrime
OpenBullet is commonly used by cybercriminals to execute large-scale attacks with ease and at no cost. These attacks mimic human behavior so that they appear to come from real users. With Selenium and Puppeteer, the requests can look even more realistic, as mouse movements can be controlled by code instead of by a human. The most common use of OpenBullet is credential stuffing, which uses login data taken from a data breach to attempt to log in to another service where the user may also hold an account.
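
For site operators, credential stuffing as described above leaves a recognisable shape in login logs: one source tries many different accounts, about once each, and almost all attempts fail. The following detection sketch is an added example, not code from OpenBullet or any source this article cites; the event tuple format, the thresholds and the function name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
SAMPLE_EVENTS = (
    # One source tries eight different accounts once each; one login works.
    [("203.0.113.7", f"user{i:02d}", i == 5) for i in range(1, 9)]
    # A real user mistypes a password, then logs in.
    + [("198.51.100.20", "alice", False), ("198.51.100.20", "alice", True)]
    # Password guessing against a single account (not stuffing).
    + [("192.0.2.50", "bob", False)] * 10
    # Shared office address: many users, all logins succeed.
    + [("198.51.100.99", f"staff{i}", True) for i in range(6)]
)


def flag_stuffing_sources(events, min_users=5, max_success_rate=0.2,
                          max_tries_per_user=2.0):
    """Return {source: summary} for sources whose logins look like stuffing.

    Thresholds are illustrative assumptions and need tuning per service.
    """
    stats = defaultdict(lambda: {"tries": defaultdict(int), "hits": set()})
    for source, user, ok in events:
        stats[source]["tries"][user] += 1
        if ok:
            stats[source]["hits"].add(user)

    flagged = {}
    for source, s in stats.items():
        distinct = len(s["tries"])
        total = sum(s["tries"].values())
        # Count successful accounts, not successful requests.
        success_rate = len(s["hits"]) / distinct
        if (distinct >= min_users
                and success_rate <= max_success_rate
                and total / distinct <= max_tries_per_user):
            flagged[source] = {
                "distinct_users": distinct,
                "success_rate": round(success_rate, 3),
                # Accounts that accepted a breached password: reset these.
                "accounts_to_reset": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for source, summary in flag_stuffing_sources(SAMPLE_EVENTS).items():
        print(source, summary)
```

The accounts listed under `accounts_to_reset` are the defender's view of what the tool would record as hits, so they are the ones to lock and reset first.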

DraftKings Hack
In May 2023, Joseph Garrison, an 18-year-old from Wisconsin, was charged with 6 counts of fraud for using OpenBullet to hack DraftKings Sportsbook accounts and selling the accounts on his website, "The Goat Shop". He successfully hacked 60,000 DraftKings accounts, amounting to $600,000.

Malware
In August 2023, a malware campaign was distributed that pretended to be a legitimate, though illicit, OpenBullet configuration file, and it spread to several criminal networks. The campaign distributed a RAT (remote access trojan), which aimed to steal critical data from the victim's computer. The configuration file downloaded the "Ocean" dropper from a GitHub repository, which then downloaded the actual malware onto the victim's computer from the same GitHub repository.