Malware analysis (mostly SolarMarker)
In depth analysis at: Squiblydoo.Blog
Creator of bloated malware handling tool "Debloat": https://github.com/Squiblydoo/debloat
Previous RomCom: 9f69db123eb43e6b0ab300f645c15817
MB uploads: https://bazaar.abuse.ch/browse.php?search=serial_number:0d81d7da42e51386cc146e9c255d942b
(See VT for 2 payloads too large for MB)
https://bazaar.abuse.ch/browse.php?search=serial_number:07b749f7c9e5021a1ef5b61ae96a6c46
AnyRun: https://app.any.run/tasks/71512d4e-a454-4336-a5cf-4d00cdce424f
2/2
ScreenConnect as "LiveChat.msi" signed by "XRYUS TECHNOLOGIES LIMITED"
C2: boriserton27[.]anondns[.]net
e69c9a6742466a2770711804291f3fcf
FUD fake PDF, new serial #:
705f570e89ccbbcb32b8bb304537a2e9 suspected Romcom
"XRYUS TECHNOLOGIES CORPORATION" was used by RomCom
1/2
"document_725299d2.msi" signed by "ALTERNATIVE HOME HEALTHCARE SERVICES LLC"
Loads ScreenConnect configured to connect to the domain zkyhgfvluyvjh[.]im
edbb4d8d6b549ea5ec04e8a43e51d5fffad9276a52dacad8bba4ea09d9b41063
h/t @malwrhunterteam
1/2
"Purchase Agreement.pif" signed "HYPERBOLA TRADECOM LIMITED"
a08293e23e09d53692aca4b20974f270e48c58c53532c6cc715993d24e928e35
Probably not a purchasing agreement and probably not a CrowdStrike Falcon sensor.
Cert was reported for revocation
h/t @malwrhunterteam
The new REMnux MCP server connects AI agents to 200+ malware analysis tools. I was surprised at the depth of investigation it can deliver: https://zeltser.com/ai-malware-analysis-remnux
Most of my time on this project went into capturing how I approach malware analysis and making sure the server provides the right guidance at the right time, so that AI can think and adapt as it creates the workflow. The post includes interactive replays of real analysis sessions.
#malware #malwareanalysis #infosec #cybersecurity #tools #artificialintelligence #AI
Zabbix resigned by "Xiamen Xinke Youxuan Software Technology Co., Ltd."
7ab39ede4268a615c04ef39b1b30cee3
Reaches out to zabbxsoftware[.]com
Interesting lures:
oficio20452026PCAP.exe
PCAP Police Request Response.exe
h/t @g0njxa
The installer downloaded from the site is 680MB, which is larger than VirusTotal's allowed file size. However, it has a sub component that is 2MB, but doesn't fully run without the larger installer:
Fake Multibit wallet website multibit[.]info
The real website, multibit[.]org, mentions that multibit was discontinued in 2017
The fake installer is signed by "Anhui Shanxian Tongxin Technology Co., Ltd."
More details in thread
h/t @malwrhunterteam
1/2
AhnLabs reports seeing evidence of the campaign going back as far as October 2025.
Thanks to folk who upload such files to MalwareBazaar, VT, and help report the certificates.
Thanks @AhnLab_SecuInfo for publishing the analysis:
https://asec.ahnlab.com/en/91995/
2/2
AhnLab published an analysis of a campaign observed by the CertGraveyard in December. Great to see more details.
An actor using signer "CÔNG TY TNHH XB FLOW TECHNOLOGIES" leveraged a range of RMM tools and regularly contested abuse complaints.
Blogpost in thread
1/2
Thorough analysis of AnyPDF (signed by "Lupus Tech Limited")
https://rifteyy.org/report/anypdf-malware-analysis
Certificate has been reported and added to the CertGraveyard.
New FUD #Transferloader "Hangzhou Wenyu Technology Co., Ltd."
Seems identical to the last one.
Reaches out to the same domain: mstiserviceconfig[.]com
2c70e3b4af65679fc4f4c135dc1c03bd7ec2ae8065e2e5c50db3aaec0effc11f
The CertGraveyard is now being leveraged by MagicSword.
MagicSword makes use of certificates we report and blocks them within your environment.
I was really amazed by the work they do to block RMM and bad drivers. Now this further enables orgs to block malicious signers.
https://x.com/magicswordio/status/2016176029316825180
MB: https://bazaar.abuse.ch/sample/37d154eb57de4a123528d53a6cc829da2ddf64532e52048a07fc569076ec6783/
AnyRun: https://app.any.run/tasks/4aba1631-80b4-4265-a4e4-47d20695ea60
Triage: https://tria.ge/260126-wxm1jsdx6h/behavioral1
Thanks to everyone who has volunteered analyzing files, making submissions, or used the database.
Special thanks to @anyrun_app for a sandbox that is easy to use and review.
2/2
We've reached 2,000 entries in the CertGraveyard database.
The 2,000th entry was "Auto Posto Silvestre Comercio de Combustiveis LTDA" (fuel sales), a certificate issued to a cybercriminal, used to target Brazil with a fake PDF "Requisitos_para_regularizar_sua_empresa.exe".
1/2
Does anyone know VirusTotal user "bsforvt727" (pronounced "bs for vt 727")?
I feel like we could be friends, if we aren't already.
They consistently leave comments and downvote stuff that I then see a day or two later.
www[.]virustotal[.]com/gui/user/bsforvt727
Since it was in development, almost nothing is obfuscated. Almost too many detection opportunities.
I focused the rule around debugging strings, cred theft, and "stealth_manager"
We'll evaluate options to go beyond strings in day 15.
https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day14.yara
2/2
#100DaysofYARA Day 14
Checkpoint published research on VoidLink C2 framework.
They call it "advanced malware framework"; but maybe I'm not sure what "advanced" means in this context.
Rule at end
1/2
My rule just uses the pe module to check for the ndata pe section.
However, this gave us some opportunity to poke at and practice analyzing NSIS installers using Malcat.
Would love to see other methods for detecting this malware.
https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day13.yara
7/7
