Squiblydoo (@SquiblydooBlog)

Malware Analysis. Creator of Debloat, certReport, and http://TheCertGraveyard.org
Want to chat? Join the Debloat discord: http://discord.gg/dvGXKaY5qr

I love reporting the same malware, day after day. Week after week. This is why I built the Cert Graveyard. I can look back and see the other 49 times I've reported the same exact malware. For more on UNK-50, see tweet below: x.com/g0njxa/status/…

In the past days I've been observing a malware campaign using X verified accounts affiliated to account @KindleBookVerse (I see +140 accounts, consider each one malicious) running malicious X ads redirecting users to a fake AI website delivering malware. While the ads redirect…
I love reporting the same malware, day after day. Week after week. This is why I built the Cert Graveyard. I can look back and see the other 26 times I've reported the same exact malware. It also helps build detections. Easy to find and compare samples.

"泉州浩英科技有限公司" (Certum given cert) signed "HUoRONG.msi" sample: 35d221d282a772437c17e374f666dab1423d7af7377f9300baf3612db23874e4 yandi1188[.]com 103.112.99[.]226 🤷‍♂️
An awesome use of the Cert Graveyard: KQL queries to hunt for binaries within the environment. More about the TBS hashes soon. :)

Thanks to a PR from @IFLinfosec , the CertCentral, now CertGraveyard (from @SquiblydooBlog ) KQL queries have been updated in the repo. I also added afterwards the new fields (TBS hashes) if people want to leverage them somehow. github.com/SecurityAura/D…



OathboundLegends_Installer.exe signed by "SZVERES MARKETING SRL". 911 MB, too big for VirusTotal. It's an infostealer. The traffer team DMs folk asking them to moderate their community, and asks them to play the game.

I love reporting the same malware, day after day. Week after week. This is why I built the Cert Graveyard. I can look back and see the other 30 times I've reported the same exact malware. It also helps build detections. Easy to find and compare samples.

"Taiyuan Chenyun Trading Co., Ltd." (Certum given cert) signed "Screenshot2025122068698m.pif" sample: 14d374ea0604f70e6f39306efd948e7962fdd21cdb3e187ba461312027ebd3f5 🤷‍♂️
ScreenConnect signed by "CÔNG TY TNHH XB FLOW TECHNOLOGIES". This signer name was previously used to sign NinjaOne RMM tools which were delivered using similar mechanisms: fake Adobe PDFs, fake Canva Setup, etc.

"CÔNG TY TNHH XB FLOW TECHNOLOGIES" (Sectigo given cert) signed "screen_video_iphone.mp4 Drive\.google.com" / "Facebook_Video20251122.mp4 Facebook\.com" sample, seen from Poland: 88bcc4eacf3c0dd26c57dfdd42da085eeff0bcc4c1106eceeba466c0a05fc1e5 🤷‍♂️
CertCentral is now TheCertGraveyard[.]org & CertGraveyard[.]org. The CertCentral API returns an error directing to use the new domains. Please give me a like or a share to get the word out. Also use the site to report and investigate certificates used to sign malware. :)

I'm being required to give up the domain CertCentral[.]org; and the change has to happen by Monday. I'm noodling on alternative names. Keep an eye out for the change.
Malware signed "JAMES BARRIERE FOUNDATION FOR THE UNDERPRIVILEGED" 8cb3a5a1a3ae192018049dcbf37f58678e0c21323f9ddd7e1201d695d1b1826b C2: 188.137.248.240 Uses same encoding scheme as quoted tweet below

Malware uses a custom captcha to prevent execution C2: 85.192.49.248 The maldev is a 1-trick pony... the http can get decoded with the following recipe to decode the c2 communication: From base64, reverse, from base64, fork, from base64, reverse, from base64 🤠
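As an added example (not the author's code), a small Python decoder that applies the recipe from the quoted tweet: From Base64, Reverse, From Base64, Fork, From Base64, Reverse, From Base64. The encoder exists only to build test input; the sample records are constructed, not captured traffic.

```python
import base64

# Layered base64/reverse scheme from the tweet above. CyberChef's "Fork"
# splits the intermediate text on newlines and applies the remaining
# operations to every line, so the outer layer wraps a list of records.


def decode_layer(data: bytes) -> bytes:
    """One 'From Base64, Reverse, From Base64' round."""
    return base64.b64decode(base64.b64decode(data)[::-1])


def decode_c2(blob: bytes) -> list:
    """Full recipe: outer round, fork on newline, inner round per line.
    Blank lines and stray CR from an HTTP body are ignored."""
    outer = decode_layer(blob.strip())
    records = []
    for line in outer.split(b"\n"):
        line = line.strip(b"\r")
        if line:
            records.append(decode_layer(line))
    return records


def encode_layer(data: bytes) -> bytes:
    """Inverse of decode_layer (used only to construct test input)."""
    return base64.b64encode(base64.b64encode(data)[::-1])


def encode_c2(records: list) -> bytes:
    """Inverse of decode_c2: encode each record, join, encode again."""
    inner = b"\n".join(encode_layer(r) for r in records)
    return encode_layer(inner)


# Constructed sample records (hypothetical message bodies, not real C2).
RECORDS = [b'{"id":"host-01","cmd":"ping"}', b'{"id":"host-01","cmd":"sleep"}']
SAMPLE = encode_c2(RECORDS)

if __name__ == "__main__":
    for rec in decode_c2(SAMPLE):
        print(rec.decode())
```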
ParallaxRAT, signed by ALL-TECH LLC, being delivered disguised as a legal notice; see MHT's thread for legal notice and indicators👇

"ALL-TECH LLC" (SSL Corp given cert) signed "Separation Documentation.scr" sample, seen from France: 3348dbfa371efc25187b13641718fc93faafbc41571cc480b99ecbd54091e4c6 service-template0000[.]dad 69.67.172[.]7 🤷‍♂️
This appears to be a key compromise. Lydsec creates Keypasco, an MFA handling solution for enterprise and mobile. The stolen key (not EV, no hardware token) was used to sign CobaltStrike. It's not known how or who acquired the key, or what other damage was done.

"LYDSEC DIGITAL TECHNOLOGY CO., LTD." (Sectigo given cert) signed "RStone.exe" sample, seen from Taiwan: 4376f6c5bd63c9472dc1575b26f70cc2320682a47881e1a9283904bcdec43fd8 www.msupdate[.]online Cobalt... 🤷‍♂️ @1ZRR4H
Per Loader Insight Agency, this file is being dropped by Amadey: 18844d402ccdfcc6a1e7f5104ace53b62c517ac2f904dd75393fc1db0dc5af6a from 178.16.55.189 Signed "Taiyuan Banmin Trading Co., Ltd." 4 day old cert. Loads the legitimate VirtualHere for remote access to USB devices.


Pretends to be a ChatGPT installer. Launches ChatGPT in a browser as it sets a scheduled task to execute "gpt-ai.dll" hourly. Not completely sure what it is, but looks remarkably similar to a fake Notepad++ installer that MHT also tweeted about 9acbb1d7bdea949c3dc0014c00cbdf29
"Taiyuan Jiankang Technology Co., Ltd." (GlobalSign given cert) signed "Setup.msi" sample: b89bef3b118ba3fb9261962eaee144525ee4c5a109f5817d9172cb6e67129b42 🤷‍♂️
The RuralTechFund is one project I love supporting each year. The fund helps students access tech and consider it as a career. In addition to an amazing cause, Chris also makes it fun and adds incentive with his contest. Check it out: ruraltechfund[.]org/goldenticket/

My friends, the time has come. This holiday season, I'm giving away a golden ticket that grants free entry into ALL my training courses, a year's worth of chocolate, and tons of other amazing prizes.
CertCentral[.]org has 1,800 entries of code-signing certificates issued to cybercriminals. At the end of 2024, I had only documented 300. I combined my list with MalwareBazaar's to get 600. However, the project has just snowballed since then, with no sign of slowing down.