Joined November 2020
Pinned Tweet
I'm glad Claude can help me figure out DNS. /s
I've moved how the Cert Graveyard database is downloaded. It should automatically redirect. In May, it was downloaded 10k/day, causing 507GB of data transfer.
Also, if you are so inclined: ko-fi.com/squiblydoo
We see 70 certificates per month issued to cybercriminals. I don't have time to tweet about all of them. If you're interested in analyzing malware that actors spend 3-5k USD to sign, or want social credit for tweeting about them, join the discord discord.gg/dvGXKaY5qr and hit me up
The amazing thing about @SquiblydooBlog is the simple share of "hey this is out there", then I go and look at our @magicswordio Intel feed and there is a Pandora's box of items added.
This is the result of so much malware using code-signing certificates. We're constantly adding entries. For those who want to support CertGraveyard: use my affiliate link for MagicSword (magicsword.io/?utm_source=ce…), or support via GitHub sponsors: github.com/sponsors/Squiblyd…
The amazing thing about @SquiblydooBlog is the simple share of "hey this is out there", then I go and look at our @magicswordio Intel feed and there is a Pandora's box of items added.
Low detection CastleLoader signed "SOFTWARE ANALYTICS LIMITED":
f50f825a64cb9c0435bc11db9225445687f8d1a44dba972a50ffa4dff600e72f
They changed from EXE to MSI.
C2: arqeluno[.]com
People still have a problem with this statement because we identify with Nightmare-Eclipse and can easily see ourselves in him. He's still demonized as a criminal and not treated as a security researcher here, and so the statement still says "We will pursue Nightmare-Eclipse."
Over the past several days, we have been listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile. We deeply value the security community, and will continue to take your feedback seriously.

To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.

We recognize the work that goes into researching and submitting a vulnerability. We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products.

Each year we process a high volume of vulnerability reports. That volume continues to grow and will continue with the rise of AI-enabled research. We acknowledge that some interactions have fallen short and are working to learn from them. Many of us have experience on both sides of this work, as researchers reporting vulnerabilities and as responders triaging and assessing them. That perspective informs how we approach this feedback and the importance we place on getting it right, particularly as the volume and complexity of research continues to grow.

The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.
Community note
This claim, however, comes after they threatened to take legal action against Nightmare Eclipse, a security researcher, over zero-day exploits. The security researcher was also banned on GitHub for their research and subsequently banned from GitLab as well. theverge.com/tech/940416/mi… tomshardware.com/tech-industry/…
We identified a new version of this Go Backconnect Proxyware. Here is the latest Client.dll:
2c253d8131cf8a948115884467aeeba28f43a85a289b730b5e490fb59ad4c921
signed "OC Agro ApS"
We found "OC Agro ApS" received certs from Verokey, Microsoft, and Sectigo for different malware campaigns. The lures on the Microsoft Store are distributed by "Hobby Apps" and include "ScreenShot Tool", "PC Cleaner", "Clean My PC", "Auto Clicker".
My AI analysis lab had connected it to the previous campaign, noting that it was very much the same campaign.
5/10 analysis: github.com/Squiblydoo/Remnux…
5/26 analysis: github.com/Squiblydoo/Remnux…
New C2:
app1[.]storeappsupdatesapi[.]xyz
app2[.]storeappsupdateapi[.]xyz
Interesting: Microsoft App Store possibly delivering GO Backconnect Proxyware. blog.lukeacha.com/2026/05/fa…
Off-topic My favorite game studio has announced their new game: Knuckle Paradise. I absolutely loved their last game, ScourgeBringer: beautiful pixel art, amazing game play and game feel. In their discord discord.gg/flyingoak we also have a little joke contest today, where I am pitted against another character. If you could join the Discord and vote for me in the "chicken-fight-club" channel, it would be greatly appreciated. Game trailer below.
Did you catch us on Second Wind? We're thrilled to officially announce KNUCKLE PARADISE, after 5 years of hard work!! 🥊🐔🔥 youtu.be/Syu6TZ7xVE8
The latest LoremIpsumLoader is JS instead of an MSI file. They still use the same dead drop technique. They decode text from https[:]//www[.]letsdiskuss[.]com/user/stevenseagal4596
C2:
https[:]//loginrestforest[.]com/api/init/bf428ad4-cb18-44b1-87f7-7047da02c592
https[:]//grapesinlife[.]com/api/cl/b6bac461-9d5d-49b8-958a-5bf9ce07f667
virustotal.com/gui/file/247b…
tria.ge/260521-sdr9dagv5l/be…
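The posts on this page share indicators defanged in the usual ways (`[.]`, `[:]`) next to pointers at VirusTotal, tria.ge and ANY.RUN that are not indicators at all. The following is an added example, not a tool from the author or from CertGraveyard: a small extractor that refangs the text, pulls out SHA-256 hashes, URLs, domains and IPv4 addresses, and drops the analysis-service hosts and file-name tokens (like `1Password.exe`) that a naive domain regex would otherwise report. The sample input is constructed from indicator lines quoted from the posts above; the reference-host and file-extension lists are my own choices.

```python
import re

# Constructed sample: indicator lines from the CastleLoader, LoremIpsumLoader,
# UNK-50 and fake-1Password posts on this page, copied defanged as posted.
SAMPLE_TEXT = """\
Low detection CastleLoader signed "SOFTWARE ANALYTICS LIMITED": f50f825a64cb9c0435bc11db9225445687f8d1a44dba972a50ffa4dff600e72f They changed from EXE to MSI C2: arqeluno[.]com
They decode text from https[:]//www[.]letsdiskuss[.]com/user/stevenseagal4596 C2: https[:]//loginrestforest[.]com/api/init/bf428ad4-cb18-44b1-87f7-7047da02c592 https[:]//grapesinlife[.]com/api/cl/b6bac461-9d5d-49b8-958a-5bf9ce07f667 virustotal.com/gui/file/247b… tria.ge/260521-sdr9dagv5l/be…
C2: 188.137.246.189 app.any.run/tasks/26bfe7cf-7…
1pasword[.]at 1Password.exe - 69eaaa0e2f0b414b96b50b088d978cfe56a074a626d7179a67a5ee02b1830662
"""

# Defanging conventions used in the posts ([.] and [:]) plus the common hxxp form.
_DEFANG = [
    (re.compile(r"\[\.\]|\(\.\)"), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\bhxxp(s?)://", re.IGNORECASE), r"http\1://"),
]

_SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s\"'<>]+")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.IGNORECASE
)

# Hosts of analysis/reference services that appear in the posts as pointers,
# not as indicators (my own allowlist, extend as needed).
REFERENCE_HOSTS = {
    "virustotal.com", "tria.ge", "app.any.run", "bazaar.abuse.ch",
    "github.com", "certgraveyard.org", "magicsword.io", "discord.gg", "ko-fi.com",
}

# File names such as "1Password.exe" or "Client.dll" look like domains to a regex.
FILE_EXTENSIONS = {
    "exe", "dll", "msi", "js", "ps1", "zip", "rar", "pdf", "doc", "docx", "txt", "lnk",
}


def refang(text: str) -> str:
    """Undo the defanging applied before posting."""
    for pattern, repl in _DEFANG:
        text = pattern.sub(repl, text)
    return text


def defang(indicator: str) -> str:
    """Re-defang a single indicator for safe sharing."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def _valid_ipv4(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def extract_iocs(text: str) -> dict:
    """Return sorted, deduplicated, refanged indicators grouped by type."""
    text = refang(text)
    urls = set(_URL.findall(text))
    ipv4 = {ip for ip in _IPV4.findall(text) if _valid_ipv4(ip)}
    domains = set()
    for d in _DOMAIN.findall(text):
        d = d.lower()
        # Skip sandbox/reference hosts and file names mistaken for domains.
        if d in REFERENCE_HOSTS or d.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
            continue
        domains.add(d)
    return {
        "sha256": sorted(h.lower() for h in _SHA256.findall(text)),
        "urls": sorted(urls),
        "domains": sorted(domains),
        "ipv4": sorted(ipv4),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        for value in values:
            print(f"{kind}\t{defang(value)}")
```

The dead-drop profile URL (`letsdiskuss[.]com/...`) is kept as an indicator on purpose: it is part of the loader's infrastructure even though the host itself is a legitimate site, so it belongs on a watchlist rather than a blocklist.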
c9e0e6985dca3a179c9bdea4e7b38f7dc57fe00ecedc2fd634256fc53bf2de2d
Signed "NETWORK CONNECTIONS PROJECT SRL"
This is malware we track as UNK-50, who often uses AI app or NSFW themes.
MB: https://bazaar.abuse .ch/sample/c9e0e6985dca3a179c9bdea4e7b38f7dc57fe00ecedc2fd634256fc53bf2de2d/
C2: 188.137.246.189
app.any.run/tasks/26bfe7cf-7…
@JAMESWT_WT @CyberRaiju
Annoyingly, we had reported malware signed by "Lway Firmware" two months ago. The certs used to sign malware were revoked, but they didn't revoke others from the signer. Latest file was b03f5eba41b74cef1ac2926d4ac13c0b7b36e3df414796b11920bb89a077de77 h/t @malwrhunterteam
Amazing analysis and writeup on Tampered-Chef activity by @Unit42_Intel . Several of us have been tracking these clusters as hobbyists, so it is good to see someone dig deep and produce a report. unit42.paloaltonetworks.com/…
Squiblydoo retweeted
Today Microsoft announces OpFauxSign, an action against "Fox Tempest" aka "SamCodeSign" infrastructure and "Vanilla Tempest", allegedly "members of an organized cybercriminal enterprise that has fraudulently obtained code signing certificates from Microsoft's Artifact Signing service, using those certificates to sign malware, and deploying the malware to gain unauthorized access to victim computers for the purpose of stealing information, deploying ransomware, and extorting victims".

It is reported that "SamCodeSign was involved into the fraudulent creation of more than 580 Microsoft tenants", as I understand, 580 different EV signers that were used to generate 1 or more EV certificates per signer (as observed and tracked), and then sold to other threat actors like Vanilla Tempest that used these EV certificates, for example, in Oyster malware campaigns masqueraded as popular software including Microsoft Teams.

More info: blogs.microsoft.com/on-the-i… and documents: aka.ms/OpFauxSign

On the CertGraveyard platform, certgraveyard.org, @SquiblydooBlog and I (and a few other contributors) have been tracking this kind of abuse of EV certs and their usage in malware campaigns in the wild, with Microsoft-issued EV certs being one of the most used assets by threat actors in recent times, in multiple and different unrelated campaigns. The complaint and related documents shared by Microsoft give some rich visibility into the cybercrime ecosystem involving the abuse of EV certificates, a problem that has been around for years.
FUD backdoor signed "Gansu Shishida Information Technology Co., Ltd."
85456be1c9b293aa8ad788d27ffc6f8bb2118b5cbfce1522c9168ac1236a88e2
Maybe RomCom adjacent? We've seen this actor 7 times, consistently low detection malware, but consistent toolkit.
AI analysis report: github.com/Squiblydoo/Remnux…
CertGraveyard listing of related samples: certgraveyard.org/lookup?os=…
h/t @malwrhunterteam
Low detection backdoor signed "Pingxiang De'a Zhiyun Technology Co., Ltd." Both an ARM and x64 variant. The CA didn't think they had a high enough VirusTotal score to revoke, but whatever. A little backdoor never hurt anyone. Added to CertGraveyard and blocked if you're using magicsword.io/?utm_source=ce…
959dca4b7989546a18a3f5e016c4bd78cfd825a1e679cefe0a355e739605937f
6210caacd4c7a3219ad6327b714c53d286443104ba06e3c4270f7e9a5d25ecee
AI analysis of them: github.com/Squiblydoo/Remnux… github.com/Squiblydoo/Remnux…
That's no small update. 👀 Glad to see LOLRMM include certificates for RMM tools. That has always seemed like a great win in terms of identifying RMM tools with high confidence.
LOLRMM just got a serious upgrade under the hood. ✅ Code-signing certificate data, schema validation, and safety warnings are now part of the dataset. That means better trust signals, cleaner detections, and clearer context on what's legitimate vs what's being abused. This is the kind of foundational work that makes everything else in the project more reliable. github.com/magicsword-io/LOL…
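Two posts above make the same practical point from opposite directions: the "Lway Firmware" case, where the CA revoked the certificates that had signed malware but left the signer's other certificates alone, and the LOLRMM update, which adds code-signing certificate data so an RMM tool can be recognised with high confidence. Both argue for keying detections on the certificate itself (serial or thumbprint) and treating a subject-name match as a weaker, review-grade signal. The block below is an added example of that tiering, written for this page and not code from CertGraveyard, LOLRMM or MagicSword. The signer subjects are taken from the posts; every serial number, the `ExampleRMM` tool, its vendor and the observation records are constructed placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedBinary:
    """One observation of a signed file, as an EDR or inventory job would record it."""
    path: str
    sha256: str
    signer_subject: str   # Authenticode leaf certificate subject (CN)
    cert_serial: str      # leaf certificate serial number, hex
    cert_status: str      # "valid", "revoked" or "expired" at verification time


def norm_subject(subject: str) -> str:
    """Case/whitespace-insensitive form so 'OC Agro ApS' and 'OC AGRO  APS' compare equal."""
    return re.sub(r"\s+", " ", subject.strip().casefold())


# Constructed blocklist in the spirit of a CertGraveyard export. Signer subjects are
# from the posts on this page; the serial numbers are hypothetical placeholders.
BAD_CERTS = {
    "0a1b2c3d": ("Lway Firmware", "signed malware; revoked by CA"),
    "1f2e3d4c": ("OC Agro ApS", "Go Backconnect Proxyware"),
    "55aa66bb": ("SOFTWARE ANALYTICS LIMITED", "CastleLoader"),
}
BAD_SUBJECTS = {norm_subject(subject) for subject, _ in BAD_CERTS.values()}

# Constructed RMM certificate data in the spirit of LOLRMM's certificate fields.
# Tool name, vendor subject and serial are all hypothetical.
RMM_CERTS = {
    "77cc88dd": ("ExampleRMM", "Example RMM Vendor Inc."),
}
APPROVED_RMM = {"ExampleRMM"}  # tools your organisation has actually sanctioned


def triage(obs: SignedBinary, approved_rmm: set[str] = APPROVED_RMM) -> tuple[str, str]:
    """Return (verdict, reason). Exact certificate matches outrank subject-name matches."""
    serial = obs.cert_serial.lower()
    if serial in BAD_CERTS:
        subject, reason = BAD_CERTS[serial]
        return "block", f"certificate {serial} ({subject}) is listed: {reason}"
    if obs.cert_status == "revoked":
        return "block", "certificate is revoked"
    if serial in RMM_CERTS:
        tool, _vendor = RMM_CERTS[serial]
        if tool in approved_rmm:
            return "allow", f"approved RMM tool {tool} (certificate match)"
        return "alert", f"unapproved RMM tool {tool} (certificate match)"
    if norm_subject(obs.signer_subject) in BAD_SUBJECTS:
        # Same signer as a listed cert, but a sibling certificate that nobody has
        # revoked or listed yet (the Lway Firmware situation): worth a look, not a block.
        return "review", "signer has other certificates on the blocklist; this one is not listed"
    return "unknown", "no certificate intelligence for this signer"


# Constructed observations exercising each tier.
SAMPLE_OBSERVATIONS = [
    SignedBinary("C:\\Users\\a\\Downloads\\setup.exe", "aa" * 32, "Lway Firmware", "0A1B2C3D", "revoked"),
    SignedBinary("C:\\Users\\a\\Downloads\\update.exe", "bb" * 32, "Lway Firmware", "9999ffff", "valid"),
    SignedBinary("C:\\Program Files\\Hobby Apps\\Client.dll", "cc" * 32, "OC AGRO  APS", "deadbeef", "valid"),
    SignedBinary("C:\\Program Files\\ExampleRMM\\agent.exe", "dd" * 32, "Example RMM Vendor Inc.", "77cc88dd", "valid"),
    SignedBinary("C:\\Windows\\Temp\\tool.exe", "ee" * 32, "Contoso Ltd", "13579bdf", "revoked"),
    SignedBinary("C:\\Windows\\Temp\\other.exe", "ff" * 32, "Contoso Ltd", "2468ace0", "valid"),
]


def run_samples(observations=SAMPLE_OBSERVATIONS) -> list[tuple[str, str]]:
    """Verdicts for the constructed observations, in order."""
    return [triage(o) for o in observations]


if __name__ == "__main__":
    for obs, (verdict, reason) in zip(SAMPLE_OBSERVATIONS, run_samples()):
        print(f"{verdict:<8} {obs.path}  [{reason}]")
```

Passing an empty `approved_rmm` set turns every RMM certificate match into an alert, which is the right default for an environment that has not inventoried its remote-access tooling; subject-only matches stay at "review" because, as the Lway Firmware post shows, a subject string can cover certificates that were never revoked.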
BlueVoyant published their analysis of the LoremIpsumLoader that I've been tweeting about. bluevoyant.com/blog/lorem-ip… The CertGraveyard had recorded 13 code-signing certificates, mostly Microsoft Trusted Signing certs used for the campaigns. h/t @tsnikle
We found the fake 1Password site and payload for one of the certs we saw 'warming'.
1pasword[.]at
1Password.exe - 69eaaa0e2f0b414b96b50b088d978cfe56a074a626d7179a67a5ee02b1830662
The malware is one we track as APXLoader @g0njxa
We report certificates for revocation when they sign malware. What about before they sign malware? I've started adding certificates to Cert Graveyard that are being used to "warm" the certificate and improve its score before being used to sign malware. 1/4
See the other files we've reported for APXLoader on CertGraveyard with the search below: certgraveyard.org/lookup?os=…