Announcing Cert Graveyard Intelligence in MagicSword
MagicSword now integrates Cert Graveyard, a community project tracking real-world abuse of code-signing certificates. The feed helps defenders detect and block signed malware using certificate-based intelligence instead of brittle hashes.

We're excited to announce a new threat intelligence source in MagicSword: Cert Graveyard, curated by Squiblydoo.
Signed malware is one of the most frustrating realities defenders face. It looks legitimate to users, blends into environments filled with trusted software, and slips past "block unsigned" heuristics. Cert Graveyard focuses on this exact problem: real-world abuse of code-signing certificates by cybercriminals.
MagicSword now ingests Cert Graveyard and turns it into actionable intelligence for defenders, helping you stay ahead of fast-moving signed threats while keeping operations manageable.
What is Cert Graveyard?
The Cert Graveyard is a community project by Squiblydoo that documents code-signing certificate abuse associated with malware campaigns. It captures attacker tradecraft defenders see every day: initial access, infostealers, and ransomware ecosystem tooling, often shipped with valid signatures.
The project transforms scattered threat sightings into a curated, actionable dataset. Recent entries include certificates used by LummaC2 campaigns, AsyncRAT infrastructure, and various loader families that abuse legitimate signing infrastructure.

Why this matters: signed malware is a defender tax
When malicious binaries are signed, defenders hit predictable walls:
- Trust signals get inverted: "Signed" becomes a disguise rather than assurance
- Enterprise software noise is high: legitimate publishers are everywhere, making anomaly hunting harder
- Response time shrinks: by the time you manually block a new signer/cert, the campaign has already rotated
MagicSword's goal is to remove that tax by making signed-threat blocking and detection practical and repeatable.
How MagicSword operationalizes Cert Graveyard
With Cert Graveyard integrated, MagicSword helps you:
- Block signed malicious software with WDAC-compatible rules: We ingest certificate intelligence so you can enforce policy decisions at the signer/cert level.
- Detect signed threats even outside enforcement: MagicSword matches incoming telemetry against intelligence entries so you can spot malicious signers/certs as they appear in your fleet, even if you're running in audit mode.
- Stay current without manual busywork: MagicSword threat intelligence refreshes every 2 hours, so curated updates flow into the platform continuously. No spreadsheets, no manual hash lists, no policy XML wrestling.
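To make the certificate-versus-hash point concrete, here is an added example (not MagicSword or Cert Graveyard code) that matches file telemetry against a certificate feed by issuer and serial number. The feed layout, field names, and every value are constructed assumptions, not the real Cert Graveyard schema.

```python
import re

def norm_serial(serial):
    """Reduce a serial to bare lowercase hex without leading zeros."""
    return re.sub(r"[^0-9a-f]", "", serial.lower()).lstrip("0") or "0"

def cert_key(issuer, serial):
    """Issuer plus serial identifies one certificate; normalize both parts."""
    return (" ".join(issuer.split()).casefold(), norm_serial(serial))

# Constructed feed entry and hash blocklist (hypothetical schema and values).
FEED = [{"issuer": "Example Code Signing CA G2",
         "serial": "0A:1B:2C:3D:4E:5F", "family": "ExampleLoader"}]
KNOWN_HASHES = {"a" * 64}

# Constructed telemetry: one certificate on two different builds, another
# issuer that happens to reuse the serial, and an unsigned file.
EVENTS = [
    {"host": "ws-01", "sha256": "a" * 64,
     "issuer": "Example Code Signing CA G2", "serial": "0a1b2c3d4e5f"},
    {"host": "ws-02", "sha256": "b" * 64,
     "issuer": "example  code signing CA g2", "serial": "0x0A1B2C3D4E5F"},
    {"host": "ws-03", "sha256": "c" * 64,
     "issuer": "Other Example CA", "serial": "0A1B2C3D4E5F"},
    {"host": "ws-04", "sha256": "d" * 64, "issuer": None, "serial": None},
]

def match_events(events, feed, known_hashes):
    """Return one hit per event whose signer certificate is in the feed."""
    index = {cert_key(e["issuer"], e["serial"]): e for e in feed}
    hits = []
    for ev in events:
        if not ev.get("issuer") or not ev.get("serial"):
            continue  # unsigned file: nothing to match on
        entry = index.get(cert_key(ev["issuer"], ev["serial"]))
        if entry:
            hits.append({"host": ev["host"], "family": entry["family"],
                         # False means a hash list alone would have missed it
                         "hash_known": ev["sha256"] in known_hashes})
    return hits

if __name__ == "__main__":
    for hit in match_events(EVENTS, FEED, KNOWN_HASHES):
        print(hit)
```

The ws-02 event is the case hash lists miss: a rebuilt binary with a new hash still carries the same signing certificate, and serial formats differ between tools, so both sides are normalized before comparison.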

Huge thanks to Squiblydoo
This integration exists because of Squiblydoo's sustained investment in defender-first tooling and open intelligence. Cert Graveyard is exactly the kind of practical, high-signal dataset that helps the community respond faster and helps defenders win.
If you haven't yet, check out the project: certgraveyard.org.
Want to see it in action?
Existing customers: The Cert Graveyard feed is available in your portal now.
Evaluating MagicSword? This is exactly the kind of threat-informed, operationalized intelligence that sets MagicSword apart from traditional application control. Schedule a demo to see how we turn threat intel into enforcement.

Written by
Michael Haag
Threat Researcher
In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to the digital threats, I anticipate them, ensuring that the digital realm remains sovereign.


