Squiblydoo
@squiblydoo.bsky.social
Malware Analyst; creator of debloat, certReport, CertCentral.org
Debloat Discord: http://discord.gg/dvGXKaY5qr
squiblydoo.blog
Cert Central has an unauthenticated API endpoint to return the database as a csv: certcentral[.]org/api/download_csv

It is used in CCCS' AssemblyLine as a blacklist.

@securityaura.bsky.social uses it for threat hunting: github.com/SecurityAura...

Looking forward to seeing what others do with it.
June 19, 2025 at 10:22 AM
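An added example (not the poster's code, and not the Cert Central project's own tooling) of consuming that CSV export as a signer blocklist. The export's real column layout is not given here, so the `signer` and `status` headers in the constructed sample are assumptions; the check normalizes case, punctuation and spacing before comparing, since the same company name is rarely formatted identically in a certificate subject and in a report.

```python
import csv
import io
import re
import urllib.request

# Constructed sample standing in for the Cert Central CSV export.
# The real export at certcentral[.]org/api/download_csv has its own
# columns; "signer" and "status" are assumed names for this example.
SAMPLE_CSV = """signer,status
Yurisk LLC,revoked
Eptins Enterprises Llp,reported
DRSSOFT INC,reported
"""

_NOISE = re.compile(r"[^a-z0-9]+")


def normalize(name: str) -> str:
    """Collapse case, punctuation and whitespace so that
    'Eptins Enterprises Llp' and 'EPTINS  ENTERPRISES, LLP.' compare equal."""
    return _NOISE.sub(" ", name.lower()).strip()


def load_blocklist(csv_text: str, column: str = "signer") -> dict:
    """Build {normalized signer name: original row} from the CSV text."""
    blocklist = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = normalize(row[column])
        if key:  # skip blank signer cells
            blocklist[key] = row
    return blocklist


def check_signer(subject_cn: str, blocklist: dict):
    """Return the matching export row for a certificate subject, else None."""
    return blocklist.get(normalize(subject_cn))


def triage(signers, blocklist):
    """Split observed signer names into (flagged, clean) lists."""
    flagged, clean = [], []
    for name in signers:
        (flagged if check_signer(name, blocklist) else clean).append(name)
    return flagged, clean


def fetch_export(url: str, timeout: int = 30) -> str:
    """Download the live export; pass the endpoint URL with defanging removed."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")
```

Feed `load_blocklist` with the text returned by `fetch_export` to run against the live list instead of the sample.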
Impostor certificate:
EV Code-signing certificate "Yurisk LLC", used to sign fake NordPass installer.

Abused and revoked within 1 week of issuance. Company registration says they transport freight.
April 4, 2025 at 12:44 PM
Fake PuTTY, signed "Eptins Enterprises Llp"

Sets scheduled task "Security Updater" and checks into IP address: 185.196.10.127

Triage: tria.ge/250401-wnbad...

www.virustotal.com/gui/file/7ca...

@jeromesegura.com
April 1, 2025 at 6:58 PM
Fake SCPToolkit uploaded to MB by aachum:

Signed EXE "jmutanen software Oy" loads an MSI and the real SCPToolkit as a decoy. Installs ScreenConnect: microsoftnet[.]ru

Files from signer: bazaar.abuse.ch/browse/tag/j...

Zip with parts:
www.virustotal.com/gui/file/1df...
April 1, 2025 at 12:16 PM
Signed DLL, 2/70 hits on VT? virustotal.com/gui/file/224...

Actually easy to see it downloads from Pastebin and excludes C:

I created a course with KC7Cyber to showcase and educate: kc7cyber.com/modules/VT101

I like to promote it because I know details like these get looked over.
March 19, 2025 at 11:21 PM
Signed malware "Webber Air Investments LLC"
First seen 23 days ago targeting YouTubers, rip.

Vidar C2: 95.217.30.53
bazaar.abuse.ch/browse/tag/W...
March 18, 2025 at 10:31 AM
Y'all will start seeing more files signed by Microsoft.
Please report them to centralpki@microsoft[.]com or just tag me at a minimum, please.

Microsoft has been good at revoking them

This week I saw
Lumma Infostealer
QuasarRAT
CobaltStrike (C2: uuuqf[.]com)

www.virustotal.com/gui/file/401...
March 14, 2025 at 11:06 AM
Fake Malwarebytes installer.
Installs Zoom as a decoy: tria.ge/250308-wyeqk...

Rhadamanthys, per VirusTotal's config extractor.
virustotal.com/gui/file/4c2...

C2: 185.33.87.209
March 8, 2025 at 6:34 PM
Understanding the technique is important. This technique accounts for essentially 78% of bloated files (out of 1000).

Debloat handles 91% of examples but only PE files.
When attackers use this technique with other file types, you'll be on your own until debloat adds support.
March 8, 2025 at 4:13 PM
Fake Zoom reaches out to Namecheap domain ZoomInstaller[.]com

Fake MagicApp also installs Zoom; reaches out to Github and Namecheap domain MagicVision[.]io

Both suspiciously over 100MB due to .NET resource.
tria.ge/250308-mqs4j...
tria.ge/250308-mpm6x...

Certificate reported.
March 8, 2025 at 11:00 AM
Ah yes, the Austrian construction company that makes my favorite games.

www.virustotal.com/gui/file/e48...
February 26, 2025 at 11:37 AM
I suspect that a lot of folk don't realize that a lot of the certificates Cert Central handles are for files that are not detected by any detection engine.

Today's example was a 1Password Setup application. The file downloads the real 1Password as a decoy.

www.joesandbox.com/analysis/162...
February 21, 2025 at 12:52 PM
Certificate signing DarkGate malware reported: "BLVS Tech Inc."

DarkGate gets signed with a code-signing certificate fairly often. CertCentral.org is tracking 23 instances; I'm sure it happens more than that, though.

www.virustotal.com/gui/file/e92...

bazaar.abuse.ch/browse/tag/B...
February 12, 2025 at 9:46 AM
CertCentral.org is live!
We track and report abused code-signing certs.

By submitting to the website, you contribute to the DB of >800 certs—a DB you can access and view.

Want to get more involved? Check out the Training and Research pages to learn more. 1/2
February 10, 2025 at 1:53 PM
#Signed #Reported "44.211.848 NICOLAS SAMUEL DE ALMEIDA"

Fake OpenAI Sora downloads. User receives file "video_for_you.mp4 - openai\.com"

You always know it is going to be a special time when the VT comments are stories.
www.virustotal.com/gui/file/acd...
January 27, 2025 at 1:11 PM
Signer "DRSSOFT INC" is pushing a lot of fake meeting software.
Teams, WeChat, Zoom, etc.
bazaar.abuse.ch/browse/tag/D...

RemcosRAT 185.42.12.75, 90MB "calc" 🥲
tria.ge/250127-l7pa9...

Their files use a Cloudflare CAPTCHA before unpacking.
January 27, 2025 at 10:59 AM
Anyone know what is up with the stealers that someone keeps uploading as "random[#]"?

#Signed PREMERA LLC
Talks with Telegram, installs NetSupport, flagged as "RustyStealer"
bazaar.abuse.ch/sample/1b173...
www.virustotal.com/gui/file/1b1...
January 27, 2025 at 2:39 AM
Low detection CobaltStrike masquerading as MS_Teams installer. Connects to C2: 217.148.142.17

#Signed "ANALYZER ENTERPRISES LLP" #Reported

www.virustotal.com/gui/file/23d...
bazaar.abuse.ch/browse/tag/A...
January 21, 2025 at 11:55 PM
Dear YouTubers, keep an eye out still for fake agreements.
I'm doing my part in reporting the code-signing certificates on signed malware.

Low detection Lumma Stealer: www.virustotal.com/gui/file/24a...

bazaar.abuse.ch/sample/24a26...
January 11, 2025 at 10:58 AM
I see PDFSkills has a new code-signing certificate "BLACK INDIGO LTD".
#EV #ImpostorCert #Reported

Please don't let your employees use "Free" PDF editing tools.

virustotal.com/gui/file/1c3...
December 20, 2024 at 3:55 PM
Reminds me of the "Please Subscribe" I used when demo-ing my debloat tool with John Hammond. 72 MB of garbage.

youtube.com/watch?v=q4Y5...

More 🔗 in comments
December 12, 2024 at 11:58 AM
700MB signed Lumma uploaded to MalwareBazaar. (Too big for VirusTotal).
To my amusement, someone had already used my debloat tool, deflated it to 12MB, uploaded it to VT 6 days ago.

Thanks to everyone who shares my tool; I hope even more people will use it. :)
🔗 in comment
December 11, 2024 at 12:18 AM
More great examples of why you need to give employees a trusted PDF tool:
pdfskillspro[.]com
pdskillsapp[.]com
Literally uploads files to their servers while saying they don't.
December 4, 2024 at 12:33 PM
This Russian-targeting PUP keeps showing up in my feed.

However, they follow the honest practice of having you formally agree to the dozen browsers and other junk that you install with their installers.

Example installer for Roblox: app.any.run/tasks/32f5d5...

Example list of files in img
December 3, 2024 at 1:19 PM
"Word to PDF" converter. "HOTEL FATAZ (PRIVATE) LIMITED" signed the installer and the app is unsigned.

The app can create firewall exclusions, Windows Defender exclusions, and execute arbitrary PowerShell.
Everything you could ask for from a productivity tool. /s

🔗 in comment
December 1, 2024 at 11:43 PM