Squiblydoo
@squiblydoo.bsky.social
Malware Analyst; creator of debloat, certReport, CertCentral.org
Debloat Discord: http://discord.gg/dvGXKaY5qr
squiblydoo.blog
Cert Central has an unauthenticated API endpoint to return the database as a csv: certcentral[.]org/api/download_csv

It is used in CCCS' AssemblyLine as a blacklist.

@securityaura.bsky.social uses it for threat hunting: github.com/SecurityAura...

Looking forward to seeing what others do with it.
June 19, 2025 at 10:22 AM
Reposted by Squiblydoo
A team of journalists in Norway spent a year secretly monitoring a credit card fraud gang to uncover who's behind it and how they operate. Here's the story -- in English -- of how they unmasked Darcula and the crime-as-a-service software Magic Cat. www.nrk.no/dokumentar/x...
The scammers have tricked millions through text messages:
Who are they and how do they scam us?
www.nrk.no
May 5, 2025 at 3:03 PM
Reposted by Squiblydoo
Scammers are happily abusing multiple platforms at once thanks to a lack of controls.

Who's going to protect users here? Google? Facebook?
March 11, 2025 at 5:50 PM
Reposted by Squiblydoo
If you manage #wordpress sites using #managewp, watch out for this #phishing campaign via #googleads.

-> menagewp[.]com (ad URL and redirect)

-> orion[.]manaqewp[.]com (phishing page)
March 24, 2025 at 10:36 PM
Impostor certificate:
EV Code-signing certificate "Yurisk LLC", used to sign fake NordPass installer.

Abused and revoked within 1 week of issuance. Company registration says they transport freight.
April 4, 2025 at 12:44 PM
Fake PuTTY, signed "Eptins Enterprises Llp"

Sets scheduled task "Security Updater" and checks into IP address: 185.196.10.127

Triage: tria.ge/250401-wnbad...

www.virustotal.com/gui/file/7ca...

@jeromesegura.com
April 1, 2025 at 6:58 PM
Fake SCPToolkit uploaded to MB by aachum:

Signed EXE "jmutanen software Oy" loads an MSI and the real SCPToolkit as a decoy. Installs ScreenConnect: microsoftnet[.]ru

Files from signer: bazaar.abuse.ch/browse/tag/j...

Zip with parts:
www.virustotal.com/gui/file/1df...
April 1, 2025 at 12:16 PM
Signed DLL, 2/70 hits on VT? virustotal.com/gui/file/224...

Actually easy to see it downloads from PasteBin and excludes C:

I created a course with KC7Cyber to showcase and educate: kc7cyber.com/modules/VT101

I like to promote it because I know details like these get looked over.
March 19, 2025 at 11:21 PM
Dang. Black Basta spending $500 to run a campaign and $4,000 for the Extended Validation certificate. 🤯

Great to see the code-signing certificate abuse from the other side. Great use of Cert Central: tying certificates BB talked about back to the actual malware.
We recently got the opportunity to see the inner workings of the Black Basta ransomware gang 🕵️🔎 We examined how the ransomware gang used their skill & finances to abuse a core security concept: code-signing certificates.

Here's how to leverage this for your own defenses 🛡️ expel.com/blog/code-si...
Code-signing certificate abuse in the Black Basta chat leaks (and how to fight back)
Ransomware gang Black Basta's chats were recently leaked, proving how they abuse code-signing certificates. Here's how to defend against it.
expel.com
March 18, 2025 at 5:12 PM
Signed malware "Webber Air Investments LLC"
First seen 23 days ago targeting YouTubers, rip.

Vidar C2: 95.217.30.53
bazaar.abuse.ch/browse/tag/W...
March 18, 2025 at 10:31 AM
Reposted by Squiblydoo
Our SOC noticed that some attackers using the ClickFix and Fake Captcha technique are also providing text in case their payloads are read by AI or LLM.

Learn more about fake captchas: expel.com/blog/expel-q...
March 14, 2025 at 4:44 PM
Y'all will start seeing more files signed by Microsoft.
Please report them to centralpki@microsoft[.]com or just tag me at a minimum, please.

Microsoft has been good at revoking them.

This week I saw
Lumma Infostealer
QuasarRAT
CobaltStrike (C2: uuuqf[.]com)

www.virustotal.com/gui/file/401...
March 14, 2025 at 11:06 AM
Fake Malwarebytes installer.
Installs Zoom as a decoy: tria.ge/250308-wyeqk...

Rhadamanthys, per VirusTotal's config extractor.
virustotal.com/gui/file/4c2...

C2: 185.33.87.209
March 8, 2025 at 6:34 PM
www.malwr4n6.com/post/dealing... explains PE file padding and how to defeat one padding technique: manually and with tools (like with my debloat tool).
1/2
Dealing with PE File Padding during Malware Analysis
This blog post explains how to deal with file padding or overlay during malware analysis, which is useful for malware analysts.
www.malwr4n6.com
March 8, 2025 at 4:13 PM
Fake Zoom reaches out to Namecheap domain ZoomInstaller[.]com

Fake MagicApp also installs Zoom; reaches out to Github and Namecheap domain MagicVision[.]io

Both suspiciously over 100MB due to a .NET resource.
tria.ge/250308-mqs4j...
tria.ge/250308-mpm6x...

Certificate reported.
March 8, 2025 at 11:00 AM
Code-signing certs reported this morning:
BlackmoonBanker signed by trading company "福州隋德洛贸易有限公司"

Fake DeepSeek signed by pharma company "TRUONG LUU THUY PHARMA COMPANY LIMITED"

Fake games, installs uTorrent, signed by construction company "MASTER SGDN BAU GMBH"
February 26, 2025 at 12:25 PM
Ah yes, the Austrian construction company that makes my favorite games.

www.virustotal.com/gui/file/e48...
February 26, 2025 at 11:37 AM
I suspect that a lot of folks don't realize that a lot of the certificates Cert Central handles are for files that are not detected by any detection engine.

Today's example was a 1Password Setup application. The file downloads the real 1Password as a decoy.

www.joesandbox.com/analysis/162...
February 21, 2025 at 12:52 PM
Want experience doing malware analysis, categorizing threat actors, and other malware shaped things?

We need more individual contributors for Cert Central. DM or email admin at certcentral . org

As it turns out, we have a lot of malware to analyze.
February 21, 2025 at 12:46 PM
Certificate signing DarkGate malware reported: "BLVS Tech Inc."

DarkGate gets signed with a code-signing certificate fairly often. CertCentral.org is tracking 23 instances; I'm sure it happens more than that, though.

www.virustotal.com/gui/file/e92...

bazaar.abuse.ch/browse/tag/B...
February 12, 2025 at 9:46 AM
CertCentral.org is live!
We track and report abused code-signing certs.

By submitting to the website, you contribute to the DB of >800 certs—a DB you can access and view.

Want to get more involved? Check out the Training and Research pages to learn more. 1/2
February 10, 2025 at 1:53 PM
I am working on a public platform to make it even easier for people to report code-signing certificates.

My goal is to continue to raise awareness on the abuse and the impact revocation has on malware distributors. Keep an eye on my socials for more news.
January 28, 2025 at 1:39 PM
#Signed #Reported "44.211.848 NICOLAS SAMUEL DE ALMEIDA"

Fake Open AI Sora downloads. User receives file "video_for_you.mp4 - openai\.com"

You always know it is going to be a special time when the VT comments are stories.
www.virustotal.com/gui/file/acd...
January 27, 2025 at 1:11 PM