Squiblydoo
@SquiblydooBlog
1.8K posts

Malware Analysis. Creator of Debloat, certReport, and https://t.co/hEJGt0jzIq Want to chat? Join the Debloat discord: https://t.co/ZcWIqa6ZA9
The Cert Graveyard
Joined November 2020
94 Following, 4.6K Followers

Squiblydoo @SquiblydooBlog:
@rmoskovy Can you help me understand the 2025 date on the post? Is the whole post new or just a portion of it?

Squiblydoo @SquiblydooBlog:
@andrewdanis An actor had obtained a certificate from Certum the same month for the same company. It was used to sign ZhongStealer.

andrew danis @andrewdanis:
Appears to be a .NET browser search hijacker, specifically looks for MSEdge running on host, installs malicious chrome extension.
IoCs:
s.speedtoolmetrics[.]com
search.connectionperformance[.]com

Squiblydoo @SquiblydooBlog:
"gozofeliz4-guerrainfinita.exe" signed "ZHEJIANG WILLING FOREIGN TR CO MAKİNA TİCARET LİMİTED ŞİRKETİ"
808fa714b5308a813df21094c1f8e8b0
"gozofeliz4-guerrainfinita.exe" signed by "Lway Firmware"
f13b26c2d4c8f1d536519b947c7300e0
what could go wrong
C2: pinpadat[.]com

Squiblydoo @SquiblydooBlog:
Reported to CertGraveyard:
143fa9567ebbccacceb58201dd85b7206fdf22882ff2cea0da994a513572f14e signed by "Mann Technologies LLC"
Fake Citrix installer, FUD on VirusTotal, installs Zoho Meeting.

Squiblydoo @SquiblydooBlog:
"Certificado_2026_283821345.exe" signed by "Mariah Lingle"
Uploaded to MalwareBazaar by @johnk3r
C2: oficiospolicia[.]com
1/61 detections on VT
Added to the CertGraveyard

Squiblydoo @SquiblydooBlog:
@luke92881 I saw the comments, but I'm also having difficulty validating what activity NovaViewer does to help justify reporting the certificate.

Squiblydoo @SquiblydooBlog:
AnyRun themselves are using this to build out their automated analysis around phishing; once decrypted, they run Suricata rules against the traffic and easily identify malicious JavaScript and traffic. Used for analysis and it goes into their intel feed. 2/3

Squiblydoo @SquiblydooBlog:
Nice update to @anyrun_app that seems easy to miss: HTTPS decryption. If you look at the network traffic, click Network Threats, you can click into the analysis to see the decrypted traffic. You can also just download the entire decrypted PCAP. 1/3

Squiblydoo @SquiblydooBlog:
@malwrhunterteam Certificate reported. Uploaded to Triage for analysis and available for others to download: tria.ge/260316-qyhvbsg… Also made available on Mega NZ: mega.nz/file/tntjDKpY#…

MalwareHunterTeam @malwrhunterteam:
There are these totally legit sites:
https://tralert[.]online/
https://tralert7[.]com/
You can be sure that the "AgilusTech LLC" (SSL Corp given cert) signed files that are coming from these sites are also very legit, totally not malicious, but especially no North Korean malware can be found in them... 😂 🤷‍♂️

Squiblydoo reposted
Who said what? @g0njxa:
A kind message from threat actors, not funny))
(Quoting their own earlier post on the VMware vSphere SEO poisoning campaign, which is reproduced in full below.)

Squiblydoo reposted
Who said what? @g0njxa:
⚠️ Watch out for an SEO poisoning campaign impersonating VMware vSphere downloads leveraging MeshCentral RMM tool bundled into fake installers targeting enterprise environments.
Sample: dbfe1f915f40122a336cd5d0de802a6f3ec0204ab75321934a06dafbc1964446
Detonation: app.any.run/tasks/e0937ead…
From malicious search results -> vmware-vsphere[.]com (associates: vmwarevsphere[.]com, vmware-remote-console[.]com, remote-console-vmware[.]com, vsphere-client[.]com, vsphere-client[.]org) leading to vmware-repository[.]com
A malicious build with EV signature issued to malicious signer "Pacex Learning Private Limited" (Globalsign) is delivered from Dropbox.
The build connects to 103.65.230.86 (MeshCentral RMM C2) and installs legit VMware product as decoy.

Squiblydoo @SquiblydooBlog:
@JAMESWT_WT @smica83 @500mk500 I myself am not convinced that the certs "Amy Cherne" and "Donald Gay" are being used exclusively by MuddyWater, I think they are still being used for some Russian cybercrime. While they could be trying to blend in with cybercrime, it looks more like certificate sharing.

Squiblydoo @SquiblydooBlog:
@Kostastsale Glad you're giving it a spin. I used it for Speakeasy's emulation, but hadn't thought about using it for memory dumps. I'll be looking forward to hearing what you do with it.

Kostas @Kostastsale:
Testing the new GPT-5.4 inside REMnux with real malicious artifacts, memory dumps, and the custom analysis skill I built for it. Honestly… this is next level. The speed at which it pivots through artifacts, correlates behavior, and surfaces relevant findings is something I haven't seen before. Still early testing, but very impressive so far.

Squiblydoo @SquiblydooBlog:
@d4rksystem @luke92881 I've personally had good success with it. I've instructed it to do things like use Speakeasy, etc.; stuff that I myself hadn't learned to use well. It can dump a file or domain for additional analysis easily. I don't have the volunteers I need, so it fills a gap.

Squiblydoo @SquiblydooBlog:
"NotAWord.exe" signed "Astro Bright LTD"
MD5: 7be1f9a968c5b1567570e12738392d7c
Yet Another PDF Application (YAPA)
App contains reversed and chunked domains. I'm now using Remnux MCP to generate reports for these apps and confirming the findings. 1/2

Squiblydoo reposted
Who said what? @g0njxa:
News - February 19, 2026
Five residents of Yugra, the Republic of Komi, and the Tyumen region, aged 21 to 36 (Russia 🇷🇺) are accused of spreading malware worldwide and will face trial.
"The criminals engaged in illegal activities from September 2021 to May 2022. The organizer, a 21-year-old resident of Surgut, involved four accomplices in the criminal scheme through closed communities"
"On a popular video hosting platform, the accomplices posted videos in which they offered to download a program under the guise of game add-ons, supposedly giving a gaming advantage. Users, by clicking on the links specified in the description, downloaded not only the plug-in but also a malicious application that did not require installation and ran covertly on their computers. This allowed the defendants to gain access to the players' personal data. Then the accomplices collected various information about the citizens and handed it over to unidentified individuals for a fee. According to investigators, more than a thousand computers belonging to users not only from Russia, but also from countries near and far abroad, were infected."
Source: t.me/police_ugra/89…
Summarizing: caught after committing crimes spreading infostealers on YouTube as game cheats 4 years ago.
It is interesting to see the images that police officers shared, showing the devices seized, but most important the two Telegram screenshots showing a chat (with images of a Redline stealer advertisement) and also a screenshot of a bot of a traffer team (MMM) that I tried to profile a bit in the past here -> medium.com/@g0njxa/profiling-%D1%82%D1%80%D0%B0%D1%84%D1%84%D0%B5%D1%80%D1%8B-ghostbusters-mmm-0a0c341533c2
As I show in the blog, MMM team offered META (the Redline stealer variant that had no GEO block and could have stolen information from all computers worldwide) to their "workers".
As police detail, these cybercriminals spread the builds to generate infostealer logs (shown in the screenshot in zip format) for use in further criminal activities.
This traffer team closed; their administrator started developing and selling their new malware solution (D3F@CKLoader malware) and then became GlobalMan, one of the biggest EV cert sellers.
No further information about this old traffer team is provided.