
Squiblydoo

@squiblydoo.bsky.social

Malware Analyst; creator of debloat, certReport, CertCentral.org Debloat Discord: http://discord.gg/dvGXKaY5qr squiblydoo.blog

224 Followers  |  195 Following  |  64 Posts  |  Joined: 31.07.2023  |  1.8097

Latest posts by squiblydoo.bsky.social on Bluesky


Cert Central has an unauthenticated API endpoint to return the database as a csv: certcentral[.]org/api/download_csv

It is used in CCCS' AssemblyLine as a blacklist.

@securityaura.bsky.social uses it for threat hunting: github.com/SecurityAura...

Looking forward to seeing what others do with it.

19.06.2025 10:22 — 👍 2    🔁 0    💬 0    📌 0
The scammers have tricked millions through text messages: Who are they and how do they scam us?

A team of journalists in Norway spent a year secretly monitoring a credit card fraud gang to uncover who's behind it and how they operate. Here's the story -- in English -- of how they unmasked Darcula and the crime-as-a-service software Magic Cat. www.nrk.no/dokumentar/x...

05.05.2025 15:03 — 👍 43    🔁 22    💬 1    📌 2

Again? :(

21.04.2025 21:01 — 👍 3    🔁 0    💬 0    📌 0

Scammers are happily abusing multiple platforms at once thanks to lack of controls.

Who's going to protect users here? Google? Facebook?

11.03.2025 17:49 — 👍 2    🔁 1    💬 0    📌 0
Malicious ads target Semrush users to steal Google account credentials - Help Net Security
Cyber crooks are exploiting users' interest in Semrush, a popular SEO and market research SaaS platform, to steal Google account credentials.

Malicious ads target Semrush users to steal Google account credentials

📖 Read more: www.helpnetsecurity.com/2025/03/21/m...

#cybersecurity #cybersecuritynews #accountcredentials #SEO @malwarebytes.com @jeromesegura.com @semrushofficial.bsky.social

21.03.2025 12:58 — 👍 1    🔁 2    💬 0    📌 0

If you manage #wordpress sites using #managewp, watch out for this #phishing campaign via #googleads.

-> menagewp[.]com (ad URL and redirect)

-> orion[.]manaqewp[.]com (phishing page)

24.03.2025 22:36 — 👍 1    🔁 1    💬 0    📌 0
MalwareBazaar - Tag Yurisk LLC
Hunt for malware samples tagged with tag 'Yurisk LLC'

bazaar.abuse.ch/browse/tag/Y...

04.04.2025 12:44 — 👍 0    🔁 0    💬 0    📌 0

Impostor certificate:
EV Code-signing certificate "Yurisk LLC", used to sign fake NordPass installer.

Abused and revoked within 1 week of issuance. Company registration says they transport freight.

04.04.2025 12:44 — 👍 2    🔁 1    💬 1    📌 0

Fake PuTTY, signed "Eptins Enterprises Llp"

Sets scheduled task "Security Updater" and checks into IP address: 185.196.10.127

Triage: tria.ge/250401-wnbad...

www.virustotal.com/gui/file/7ca...

@jeromesegura.com

01.04.2025 18:58 — 👍 0    🔁 1    💬 0    📌 0

Fake SCPToolkit uploaded to MB by aachum:

Signed EXE "jmutanen software Oy" loads an MSI and the real SCPToolkit as a decoy. Installs ScreenConnect: microsoftnet[.]ru

Files from signer: bazaar.abuse.ch/browse/tag/j...

Zip with parts:
www.virustotal.com/gui/file/1df...

01.04.2025 12:16 — 👍 1    🔁 1    💬 0    📌 0

Signed DLL, 2/70 hits on VT? virustotal.com/gui/file/224...

Actually easy to see it downloads from PasteBin and excludes C:

I created a course with KC7Cyber to showcase and educate: kc7cyber.com/modules/VT101

I like to promote it because I know details like these get looked over.

19.03.2025 23:21 — 👍 0    🔁 0    💬 0    📌 0

Dang. Black Basta spending $500 to run a campaign and $4,000 for the Extended Validation certificate. 🤯

Great to see the code-signing certificate abuse the other side. Great use of Cert Central: tying certificates BB talked about back to the actual malwares.

18.03.2025 17:12 — 👍 0    🔁 0    💬 0    📌 0

Signed malware "Webber Air Investments LLC"
First seen 23 days ago targeting YouTubers, rip.

Vidar C2: 95.217.30.53
bazaar.abuse.ch/browse/tag/W...

18.03.2025 10:31 — 👍 1    🔁 0    💬 0    📌 0

Our SOC noticed that some attackers using the ClickFix and Fake Captcha technique are also providing text in case their payloads are read by AI or LLM.

Learn more about fake captchas: expel.com/blog/expel-q...

14.03.2025 16:44 — 👍 5    🔁 3    💬 0    📌 0

Y'all will start seeing more files signed by Microsoft.
Please report them to centralpki@microsoft[.]com or just tag me at a minimum, please.

Microsoft has been good at revoking them

This week I saw
Lumma Infostealer
QuasarRAT
CobaltStrike (C2: uuuqf[.]com)

www.virustotal.com/gui/file/401...

14.03.2025 11:05 — 👍 1    🔁 0    💬 1    📌 0

Fake MalwareBytes installer.
Installs Zoom as a decoy: tria.ge/250308-wyeqk...

Rhadamanthys, per VirusTotal's config extractor.
virustotal.com/gui/file/4c2...

C2: 185.33.87.209

08.03.2025 18:34 — 👍 3    🔁 1    💬 0    📌 0

Understanding the technique is important. This technique accounts for essentially 78% of bloated files (out of 1000).

Debloat handles 91% of examples but only PE files.
When attackers use this technique with other file types, you'll be on your own until debloat adds support.

08.03.2025 16:13 — 👍 0    🔁 0    💬 0    📌 0
Dealing with PE File Padding during Malware Analysis
This is a blog post explaining how to deal with File Padding or Overlay while doing Malware Analysis, which is useful for Malware Analysts.

www.malwr4n6.com/post/dealing... explains PE file padding and how to defeat one padding technique: manually and with tools (like with my debloat tool). 1/2

08.03.2025 16:13 — 👍 0    🔁 0    💬 1    📌 0
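
The overlay-padding check described in the two posts above, as an added example that is not the debloat tool's own code: it parses the PE section table to find where section data ends, treats an overlay filled with one repeated byte as padding, and trims it; `build_sample_pe` constructs a minimal, non-executable PE image purely for the demonstration.

```python
import struct

def overlay_info(data: bytes) -> dict:
    """Find the overlay (bytes after the last section's raw data) in a PE file.
    Reports where section data ends, how large the overlay is, and the fill
    byte if the overlay is one repeated value, the signature of padding bloat."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = data[end:]
    fill = overlay[0] if overlay and overlay.count(overlay[0]) == len(overlay) else None
    return {"sections_end": end, "overlay_size": len(overlay), "fill_byte": fill}

def debloat_padding(data: bytes) -> bytes:
    """Trim a single-byte padding overlay; an overlay with varied content is kept,
    since it may be an Authenticode signature, an embedded installer or a payload."""
    info = overlay_info(data)
    if info["overlay_size"] and info["fill_byte"] is not None:
        return data[:info["sections_end"]]
    return data

def build_sample_pe(section_bytes: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE image for the demonstration (headers only, not runnable):
    DOS stub, PE signature, COFF header with no optional header, one .text section."""
    headers_len = 0x40 + 4 + 20 + 40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, 1 section
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_bytes), 0x1000, len(section_bytes),
        headers_len, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + section_bytes + overlay

if __name__ == "__main__":
    bloated = build_sample_pe(b"\xcc" * 16, b"\0" * 4096)        # 4 KiB of null padding
    print(overlay_info(bloated))                                   # 4096-byte overlay, fill 0
    print(len(bloated), "->", len(debloat_padding(bloated)))       # 4240 -> 144
```

Run it on a real sample by reading the file into `data` and comparing `overlay_info` before and after `debloat_padding`; a non-uniform overlay is left alone on purpose.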

Fake Zoom reaches out to Namecheap domain ZoomInstaller[.]com

Fake MagicApp also installs Zoom; reaches out to Github and Namecheap domain MagicVision[.]io

Both suspiciously over 100MB due to .NET resource.
tria.ge/250308-mqs4j...
tria.ge/250308-mpm6x...

Certificate reported.

08.03.2025 11:00 — 👍 1    🔁 0    💬 0    📌 0

Code-signing certs reported this morning:
BlackmoonBanker signed by trading company "福州隋德洛贸易有限公司"

Fake DeepSeek signed by pharma company "TRUONG LUU THUY PHARMA COMPANY LIMITED"

Fake games, installs uTorrent, signed by construction company "MASTER SGDN BAU GMBH"

26.02.2025 12:25 — 👍 1    🔁 1    💬 0    📌 0

Ah yes, the Austrian construction company that makes my favorite games.

www.virustotal.com/gui/file/e48...

26.02.2025 11:37 — 👍 0    🔁 0    💬 0    📌 0

I suspect that a lot of folk don't realize that a lot of the certificates Cert Central handles are for files that are not detected by any detection engine.

Today's example was a 1Password Setup application. The file downloads the real 1Password as a decoy.

www.joesandbox.com/analysis/162...

21.02.2025 12:52 — 👍 3    🔁 1    💬 0    📌 0

Want experience doing malware analysis, categorizing threat actors, and other malware shaped things?

We need more individual contributors for Cert Central. DM or email admin at certcentral . org

As it turns out, we have a lot of malware to analyze.

21.02.2025 12:46 — 👍 5    🔁 2    💬 0    📌 0

Good to hear, I've been wondering about you guys. You 404Media folk have been hammering stuff out every day for the past few months.
I hope the rest of the team gets some rest too.

20.02.2025 21:22 — 👍 1    🔁 0    💬 0    📌 0

Certificate signing DarkGate malware reported: "BLVS Tech Inc."

DarkGate gets signed with a code-signing certificate fairly often. CertCentral.org is tracking 23 instances, I'm sure it happens more than that though.

www.virustotal.com/gui/file/e92...

bazaar.abuse.ch/browse/tag/B...

12.02.2025 09:46 — 👍 0    🔁 0    💬 0    📌 0

Website: certcentral.org

certReport has been updated to 3.2: you can use an API key and "-p" to submit reports to the database. Read more here: certcentral.org/reporting_to...

We can handle submitting your reports too. See the website for more details. :)

10.02.2025 13:53 — 👍 2    🔁 0    💬 0    📌 0

Cert Central .org is live!
We track and report abused code-signing certs.

By submitting to the website, you contribute to the DB of >800 certs—a DB you can access and view.

Want to get more involved? Check out the Training and Research pages to learn more. 1/2

10.02.2025 13:53 — 👍 14    🔁 7    💬 1    📌 0

I am working on a public platform to make it even easier for people to report code-signing certificates.

My goal is to continue to raise awareness on the abuse and the impact revocation has on malware distributors. Keep an eye on my socials for more news.

28.01.2025 13:39 — 👍 9    🔁 3    💬 0    📌 0

#Signed #Reported "44.211.848 NICOLAS SAMUEL DE ALMEIDA"

Fake Open AI Sora downloads. User receives file "video_for_you.mp4 - openai\.com"

You always know it is going to be a special time when the VT comments are stories.
www.virustotal.com/gui/file/acd...

27.01.2025 13:11 — 👍 2    🔁 1    💬 0    📌 0
