Squiblydoo
@squiblydoo.bsky.social
Malware Analyst; creator of debloat, certReport, CertCentral.org. Debloat Discord: http://discord.gg/dvGXKaY5qr squiblydoo.blog
Cert Central has an unauthenticated API endpoint to return the database as a csv: certcentral[.]org/api/download_csv

It is used in CCCS' AssemblyLine as a blacklist.

@securityaura.bsky.social uses it for threat hunting: github.com/SecurityAura...

Looking forward to seeing what others do with it.
Reposted by Squiblydoo
A team of journalists in Norway spent a year secretly monitoring a credit card fraud gang to uncover who's behind it and how they operate. Here's the story -- in English -- of how they unmasked Darcula and the crime-as-a-service software Magic Cat. www.nrk.no/dokumentar/x...
The scammers have tricked millions through text messages:
Who are they and how do they scam us?
www.nrk.no
Reposted by Squiblydoo
Scammers are happily abusing multiple platforms at once thanks to lack of controls.

Who's going to protect users here? Google? Facebook?
Reposted by Squiblydoo
If you manage #wordpress sites using #managewp, watch out for this #phishing campaign via #googleads.

-> menagewp[.]com (ad URL and redirect)

-> orion[.]manaqewp[.]com (phishing page)
Impostor certificate:
EV Code-signing certificate "Yurisk LLC", used to sign fake NordPass installer.

Abused and revoked within 1 week of issuance. Company registration says they transport freight.
Fake PuTTY, signed "Eptins Enterprises Llp"

Sets scheduled task "Security Updater" and checks into IP address: 185.196.10.127

Triage: tria.ge/250401-wnbad...

www.virustotal.com/gui/file/7ca...

@jeromesegura.com
Fake SCPToolkit uploaded to MB by aachum:

Signed EXE "jmutanen software Oy" loads an MSI and the real SCPToolkit as a decoy. Installs ScreenConnect: microsoftnet[.]ru

Files from signer: bazaar.abuse.ch/browse/tag/j...

Zip with parts:
www.virustotal.com/gui/file/1df...
Signed DLL, 2/70 hits on VT? virustotal.com/gui/file/224...

It's actually easy to see that it downloads from Pastebin and excludes C:

I created a course with KC7Cyber to showcase and educate: kc7cyber.com/modules/VT101

I like to promote it because I know details like these get looked over.
Dang. Black Basta spending $500 to run a campaign and $4,000 for the Extended Validation certificate. 🤯

Great to see the code-signing certificate abuse from the other side. Great use of Cert Central: tying certificates BB talked about back to the actual malware.
We recently got the opportunity to see the inner workings of the Black Basta ransomware gang 🕵️🔎 We examined how the ransomware gang used their skill & finances to abuse a core security concept: code-signing certificates.

Here's how to leverage this for your own defenses 🛡️ expel.com/blog/code-si...
Code-signing certificate abuse in the Black Basta chat leaks (and how to fight back)
Ransomware gang Black Basta's chats were recently leaked, proving how they abuse code-signing certificates. Here's how to defend against it.
expel.com
Signed malware "Webber Air Investments LLC"
First seen 23 days ago targeting YouTubers, rip.

Vidar C2: 95.217.30.53
bazaar.abuse.ch/browse/tag/W...
Reposted by Squiblydoo
Our SOC noticed that some attackers using the ClickFix and Fake Captcha technique are also providing text in case their payloads are read by AI or LLM.

Learn more about fake captchas: expel.com/blog/expel-q...
Y'all will start seeing more files signed by Microsoft.
Please report them to centralpki@microsoft[.]com or just tag me at a minimum, please.

Microsoft has been good at revoking them.

This week I saw:
Lumma Infostealer
QuasarRAT
CobaltStrike (C2: uuuqf[.]com)

www.virustotal.com/gui/file/401...
Fake MalwareBytes installer.
Installs Zoom as a decoy: tria.ge/250308-wyeqk...

Rhadamanthys, per VirusTotal's config extractor.
virustotal.com/gui/file/4c2...

C2: 185.33.87.209
Understanding the technique is important. This technique accounts for essentially 78% of bloated files (out of 1000).

Debloat handles 91% of examples but only PE files.
When attackers use this technique with other file types, you'll be on your own until debloat adds support.
Fake Zoom reaches out to Namecheap domain ZoomInstaller[.]com

Fake MagicApp also installs Zoom; reaches out to Github and Namecheap domain MagicVision[.]io

Both suspiciously over 100MB due to .NET resource.
tria.ge/250308-mqs4j...
tria.ge/250308-mpm6x...

Certificate reported.
Code-signing certs reported this morning:
BlackmoonBanker signed by trading company "福州隋德洛贸易有限公司"

Fake DeepSeek signed by pharma company "TRUONG LUU THUY PHARMA COMPANY LIMITED"

Fake games, installs uTorrent, signed by construction company "MASTER SGDN BAU GMBH"
Ah yes, the Austrian construction company that makes my favorite games.

www.virustotal.com/gui/file/e48...
I suspect that a lot of folk don't realize that a lot of the certificates Cert Central handles are for files that are not detected by any detection engine.

Today's example was a 1Password Setup application. The file downloads the real 1Password as a decoy.

www.joesandbox.com/analysis/162...
Want experience doing malware analysis, categorizing threat actors, and other malware-shaped things?

We need more individual contributors for Cert Central. DM or email admin at certcentral . org

As it turns out, we have a lot of malware to analyze.
Good to hear; I've been wondering about you guys. You 404Media folk have been hammering stuff out every day for the past few months.
I hope the rest of the team gets some rest too.