MalasadaTech (@malasadatech808)'s Twitter Profile
MalasadaTech

@malasadatech808

ALOJAHZ WORLD! HOBBYIST THRUNTELLISEARCHER. VIEWS ARE MY OWN! 808 MALASADA.TECH

ID: 1956187113256607744

Joined: 15-08-2025 02:53:02

21 Tweets

1 Follower

76 Following

Unit 42 (@unit42_intel)

Belarus-based #APT #WhiteLynx is using a #CAPTCHAmacro technique, enticing users to enable macros on Office docs, generating a CAPTCHA verification window to proceed. We found follow-up malware that communicates with agelessinvesting[.]xyz. Details at bit.ly/4rRgFa9
Squiblydoo (@squiblydooblog)

CertCentral is now TheCertGraveyard[.]org & CertGraveyard[.]org. The CertCentral API returns an error directing to use the new domains. Please give me a like or a share to get the word out. Also use the site to report and investigate certificates used to sign malware. :)

Squiblydoo (@squiblydooblog)

From 2020-2024, I tracked the SolarMarker malware, and in 2024, monitored a self-infection for months to learn their actions-on-objectives: on-device fraud.

I didn't publish the details of my months-long investigation until now. Check the link in the attached comment.
Szabolcs Schmidt (@smica83)

'SSA_Yearly_Templater.msi' seen from Australia abuse.ch
bazaar.abuse.ch/sample/5bef26a…
hxxps://sas-portal(.)com/check/SSA_Yearly_Commander.msi
Squiblydoo (@squiblydooblog)

#100DaysofYARA - Day 2
YARA rule to detect the default Delphi darkmode dib icon.
I've seen this icon excessively over the years. Using UNPACME's YARA hunting tools, I saw 0 known goodware and 800 packed junk.

Rule at end
1/4
KB4ThreatLabs (@kb4threatlabs)

🚨 PHISH ALERT: "When Legitimate Software Becomes First-Stage Payload: The RMM Problem"

KnowBe4 ThreatLabs tracking sophisticated campaign weaponizing Social Security notifications to deploy RMM tools (SimpleHelp Remote Access Client) as persistent backdoors.

No traditional
Squiblydoo (@squiblydooblog)

Thorough analysis of AnyPDF malware by rifteyy.

The code-signing certificate has been reported for revocation; it was signed by "Lupus Tech Limited" and added to TheCertGraveyard.
Gi7w0rm (@gi7w0rm)

Popular Text Editor Notepad++ was compromised by a nation state attacker presumably from June through December 2, 2025. The state actor used the access to reroute software update traffic to attacker-controlled servers, making this a supply chain attack. notepad-plus-plus.org/news/hijacked-…

Luke Acha (@luke92881)

MalasadaTech Rust-based, the embedded PE file is pdfium.dll. app.any.run/tasks/b71ca08e…

HTTP comms to hopinpoint[.]com. Some custom encoded traffic here that I have not played with yet.
Squiblydoo (@squiblydooblog)

rifteyy ܛܔܔܔܛܔܛܔܛ Thanks! Certificate has been reported. In regards to funny certificates, my favorite signer has been "Just Add Water Italian Pizza Bread Pasta Mix Ltd." ea18b965ab43d927a1d690f395f4e2b55a15db9744f68454a86b5508b302c404 The payload was a fake Adobe installer.

KB4ThreatLabs (@kb4threatlabs)

🚨Tax Season is Phishing Season: How IRS Lures are Dropping RMM Backdoors

In our last report blog.knowbe4.com/the-skeleton-k… we highlighted how threat actors weaponized Social Security notifications to deploy RMM tools. Now, they’ve pivoted to the next seasonal hook: IRS and Tax