DocSend.exe signed "Taiyuan Yuqianhan Network Technology Co., Ltd."; Certificate reported
b409adb785f58f1de1cdf12e5c7c51a2
C2: 185.174.133.12
https://tria[.]ge/260211-2qa1ascw9d/behavioral1
#StealC
h/t @malwrhunterteam
@squiblydoo.bsky.social
Malware Analyst; creator of debloat, certReport, CertCentral.org. Debloat Discord: http://discord.gg/dvGXKaY5qr. squiblydoo.blog
Previous RomCom: 9f69db123eb43e6b0ab300f645c15817
MB uploads: bazaar.abuse.ch/brow...
(See VT for 2 payloads too large for MB)
bazaar.abuse.ch/brow...
AnyRun: app.any.run/tasks/71...
2/2
ScreenConnect as "LiveChat.msi" signed by "XRYUS TECHNOLOGIES LIMITED"
C2: boriserton27[.]anondns[.]net
e69c9a6742466a2770711804291f3fcf
FUD fake PDF, new serial #:
705f570e89ccbbcb32b8bb304537a2e9 suspected Romcom
"XRYUS TECHNOLOGIES CORPORATION" was used by RomCom
1/2
Triage sandbox analysis: tria.ge/260210-tr8zq...
MB: bazaar.abuse.ch/samp...
2/2
"document_725299d2.msi" signed by "ALTERNATIVE HOME HEALTHCARE SERVICES LLC"
Loads ScreenConnect configured to connect to the domain zkyhgfvluyvjh[.]im
edbb4d8d6b549ea5ec04e8a43e51d5fffad9276a52dacad8bba4ea09d9b41063
h/t @malwrhunterteam
1/2
"Purchase Agreement.pif" signed "HYPERBOLA TRADECOM LIMITED"
a08293e23e09d53692aca4b20974f270e48c58c53532c6cc715993d24e928e35
Probably not a purchasing agreement and probably not a CrowdStrike Falcon sensor.
Cert was reported for revocation
h/t @malwrhunterteam
The new REMnux MCP server connects AI agents to 200+ malware analysis tools on REMnux. I was surprised at the depth of investigation it delivers. Most of my time went into capturing how I approach the analysis and providing guidance to AI at the right time, so it can think and adapt as it works.
09.02.2026 14:22
Zabbix re-signed by "Xiamen Xinke Youxuan Software Technology Co., Ltd."
7ab39ede4268a615c04ef39b1b30cee3
Reaches out to zabbxsoftware[.]com
Interesting lures:
oficio20452026PCAP.exe
PCAP Police Request Response.exe
h/t @g0njxa
The installer downloaded from the site is 680MB, which is larger than VirusTotal's allowed file size. However, it has a sub component that is 2MB, but doesn't fully run without the larger installer:
www.virustotal.com/g...
2/2
Fake Multibit wallet website multibit[.]info
The real website, multibit[.]org, mentions that multibit was discontinued in 2017
The fake installer is signed by "Anhui Shanxian Tongxin Technology Co., Ltd."
More details in thread
h/t @malwrhunterteam
1/2
AhnLabs reports seeing evidence of the campaign going back as far as October 2025.
Thanks to folk who upload such files to MalwareBazaar, VT, and help report the certificates.
Thanks @AhnLab_SecuInfo for publishing the analysis:
asec.ahnlab.com/en/9...
2/2
AhnLab published an analysis of a campaign observed by the CertGraveyard in December. Great to see more details.
An actor using signer "CÔNG TY TNHH XB FLOW TECHNOLOGIES" leveraged a range of RMM tools and regularly contested abuse complaints.
Blogpost in thread
1/2
Thorough analysis of AnyPDF (signed by "Lupus Tech Limited")
rifteyy.org/report/a...
Certificate has been reported and added to the CertGraveyard.
New FUD #Transferloader "Hangzhou Wenyu Technology Co., Ltd."
Seems identical to the last one.
Reaches out to the same domain: mstiserviceconfig[.]com
2c70e3b4af65679fc4f4c135dc1c03bd7ec2ae8065e2e5c50db3aaec0effc11f
The CertGraveyard is now being leveraged by MagicSword.
MagicSword makes use of certificates we report and blocks them within your environment.
I was really amazed by the work they do to block RMM and bad drivers. Now this further enables orgs to block malicious signers.
x.com/magicswordio/s...
MB: bazaar.abuse.ch/samp...
AnyRun: app.any.run/tasks/4a...
Triage: tria.ge/260126-wxm1j...
Thanks to everyone who has volunteered analyzing files, making submissions, or used the database.
Special thanks to @anyrun_app for a sandbox that is easy to use and review.
2/2
We've reached 2,000 entries in the CertGraveyard database.
The 2,000th entry was "Auto Posto Silvestre Comercio de Combustiveis LTDA" (fuel sales), a certificate issued to a cybercriminal, used to target Brazil with a fake PDF "Requisitos_para_regularizar_sua_empresa.exe".
1/2
Does anyone know VirusTotal user "bsforvt727" (pronounced "bs for vt 727")?
I feel like we could be friends, if we aren't already.
They consistently leave comments and downvote stuff that I then see a day or two later.
www[.]virustotal[.]com/gui/user/bsforvt727
Since it was in development, almost nothing is obfuscated. Almost too many detection opportunities.
I focused the rule around debugging strings, cred theft, and "stealth_manager"
We'll evaluate options to go beyond strings in day 15.
github.com/Squiblydo...
2/2
#100DaysofYARA Day 14
Checkpoint published research on VoidLink C2 framework.
They call it "advanced malware framework"; but maybe I'm not sure what "advanced" means in this context.
Rule at end
1/2
My rule just uses the pe module to check for the ndata pe section.
However, this gave us some opportunity to poke at and practice analyzing NSIS installers using Malcat.
Would love to see other methods for detecting this malware.
github.com/Squiblydo...
7/7
While comparing the two binaries above, I also found that NSIS installers have a PE section ".ndata"
The .ndata PE section has a size of 0, but exists and helps us identify NSIS installers.
www.hexacorn.com/blo...
6/7
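The two posts above (7/7 and 6/7) describe the check the author's YARA rule performs: look in the PE section table for a ".ndata" section with a size of 0. The following is an added example, not the author's published rule, that performs the same check by parsing the section table directly, so the heuristic can be run over a file without the pe module. It assumes "size of 0" means SizeOfRawData (the .ndata section is uninitialised data, so its VirtualSize is normally non-zero), and the `build_minimal_pe` helper constructs a header-only PE image purely as test input; the YARA rule in the comment is my own phrasing of the check, not the rule linked on the page.

```python
"""Added example: detect NSIS installers via the ".ndata" PE section (not the author's rule)."""
import struct

# Equivalent YARA rule in my own words (assumption: this mirrors the check the
# thread describes; it is not the rule published in the author's repository):
#
#   import "pe"
#   rule nsis_ndata_section {
#       condition:
#           for any section in pe.sections : (
#               section.name == ".ndata" and section.raw_data_size == 0
#           )
#   }

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is always 40 bytes


def pe_sections(data: bytes):
    """Yield (name, VirtualSize, SizeOfRawData) for every section header in a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader at +16
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional  # section table follows the optional header
    for i in range(number_of_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        virtual_size, _virtual_address, raw_size = struct.unpack_from("<III", data, off + 8)
        yield name, virtual_size, raw_size


def has_ndata_section(data: bytes) -> bool:
    """True if the file carries a ".ndata" section with SizeOfRawData == 0 (NSIS indicator)."""
    return any(name == ".ndata" and raw_size == 0 for name, _, raw_size in pe_sections(data))


def build_minimal_pe(sections):
    """Construct a header-only PE image for testing (constructed input, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 0xE0  # PE32 optional header size; contents are irrelevant here
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x102)
    table = b""
    for name, vsize, rsize in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, rsize, 0, 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + optional + table


# Constructed samples: one with the NSIS-style section layout, one without.
NSIS_LIKE = build_minimal_pe([(b".text", 0x5000, 0x5000), (b".ndata", 0x10000, 0), (b".rsrc", 0x800, 0x800)])
PLAIN_PE = build_minimal_pe([(b".text", 0x5000, 0x5000), (b".data", 0x400, 0x400)])

if __name__ == "__main__":
    for label, blob in (("nsis-like", NSIS_LIKE), ("plain", PLAIN_PE)):
        print(label, [s for s in pe_sections(blob)], "->", has_ndata_section(blob))
```

As the linked hexacorn post and the thread note, this is a structural indicator of the NSIS stub rather than of any particular payload, so it will match benign NSIS installers as well; it is useful as a triage signal to pair with sandbox output, not as a standalone verdict.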
For YARA, I investigate other options. One is being able to identify NSIS installers.
The classic way is looking for the Nullsoft magic bytes in the compressed data or other classic strings.
Malcat has some built-in YARA rules that do this.
5/7
Once unpacked, we can click into the Setup file and view it in the Disassembly view to see what the setup script does. It essentially unpacks its dependencies and then executes a base64 string.
In the video, I show inspecting the setup and decoding the base64 within malcat
4/7
The malware is an NSIS installer. With #malcat, we can click into the NSIS Installer's compressed object to expand it and see its contents. These contents are compressed, which is what makes a YARA rule practically impossible.
Video showing expanding the NSIS contents
3/7
I have two recent examples of the malware:
a252b2e2e1eb1423cb2781dd194fd5758817157847b3eb18bc86486c2f366643
164421af114cb376d86e8c28d1b3749a3dbfa12328e928c22735930ff200aa28
The code-signing signature; revoked thanks to CertGraveyard friends.
Both have 2/68 detections on VT.
2/7
#100DaysofYara - day 13
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.
I'll explain the malware and show the best I could come up with.
Rule at bottom
1/7