In a concerning development, cybercriminals have been abusing Microsoft’s Trusted Signing platform to code-sign malware executables with short-lived, three-day certificates. This abuse allows malicious software to appear legitimate, bypassing security filters that would typically block unsigned or suspicious executables. The Trusted Signing service, which was launched in 2024 to simplify code-signing for developers, has become a target for threat actors seeking to legitimize their malware campaigns [1][2].
TL;DR
- Cybercriminals are exploiting Microsoft’s Trusted Signing platform to sign malware with short-lived, three-day certificates.
- The abuse allows malware to bypass security filters and appear legitimate.
- Microsoft has revoked the certificates and suspended accounts involved in the abuse.
- The Trusted Signing service, launched in 2024, is designed for developers but has been misused by threat actors.
- This incident highlights the ongoing challenges of securing code-signing processes.
The Abuse of Trusted Signing
Microsoft’s Trusted Signing service is a cloud-based platform that allows developers to sign their software with certificates issued by Microsoft. The service is designed to provide a secure and efficient way for developers to ensure their software is trusted by operating systems and security tools. However, cybercriminals have found a way to exploit this system to sign their malware, giving it the appearance of legitimacy [1][3].
The certificates issued through the Trusted Signing service are valid for only 72 hours, which is intended to reduce the impact of misuse. However, even these short-lived certificates can be used to sign malware that remains valid until the certificate is revoked. Microsoft has confirmed that it uses active threat intelligence monitoring to detect and revoke certificates used in malicious activities [4].
How It Works
The process involves threat actors submitting malware to the Trusted Signing service, which then issues a certificate for the malicious software. These certificates are signed by “Microsoft ID Verified CS EOC CA 01,” and the malware is then distributed with the appearance of being from a legitimate source. This technique has been used in various malware campaigns, including those involving the Crazy Evil Traffers crypto-theft campaign and Lumma Stealer [1].
Once the malware is signed, it can bypass security filters that rely on code-signing as a trust indicator. This is particularly dangerous because many security tools and operating systems treat signed executables with less suspicion than unsigned ones. The abuse of Trusted Signing highlights the challenges of securing code-signing processes, even when they are designed with security in mind [5][6].
Microsoft’s Response
Microsoft has taken steps to mitigate the abuse of its Trusted Signing service. The company has revoked the certificates used in these campaigns and suspended the accounts responsible for the abuse. Additionally, Microsoft has implemented blocking detections to prevent Windows from trusting the compromised certificates. The company has also urged customers to ensure their anti-virus and endpoint detection products are up to date with the latest signatures [7][8].
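The two sections above give a defender three concrete signals: the issuing CA name, the 72-hour certificate lifetime, and revocation status. The following triage heuristic, an added example that is not code from the article or from Microsoft, scores signer metadata on those signals; the records, the publisher allowlist and the file paths are constructed, and the field names are assumed to be extracted from the signed PE (for instance from Get-AuthenticodeSignature output on Windows).

```python
# Added example (not from the article, Microsoft or any vendor): a triage heuristic
# for Authenticode signer metadata that flags the short-lived Trusted Signing
# certificates described above. All records below are constructed sample data.
from datetime import datetime, timedelta, timezone

TRUSTED_SIGNING_EOC_CA = "Microsoft ID Verified CS EOC CA 01"  # issuer named above
EOC_LIFETIME = timedelta(hours=72)          # lifetime of Trusted Signing certificates
KNOWN_PUBLISHERS = {"Example Corp Ltd"}     # hypothetical allowlist, constructed
EOC_DN = "CN=" + TRUSTED_SIGNING_EOC_CA + ", O=Microsoft Corporation, C=US"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2025-03-20T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(record, allowlist=KNOWN_PUBLISHERS):
    """Return (severity, reason) for one signer record with keys subject, issuer (DN),
    not_before, not_after and status (chain result: 'Valid', 'Revoked', 'NotSigned')."""
    if record["status"] == "Revoked":
        return "high", "signer certificate has been revoked"
    if record["status"] != "Valid":
        return "medium", f"signature status {record['status']}"
    lifetime = parse_ts(record["not_after"]) - parse_ts(record["not_before"])
    short_lived = lifetime <= EOC_LIFETIME
    if TRUSTED_SIGNING_EOC_CA in record["issuer"] and short_lived:
        if record["subject"] in allowlist:
            return "low", "short-lived Trusted Signing cert from known publisher"
        return "high", "short-lived Trusted Signing cert from unknown publisher"
    if short_lived:
        return "medium", "unusually short certificate lifetime"
    return "low", "long-lived signer certificate"


def triage_all(records, allowlist=KNOWN_PUBLISHERS):
    """Map path -> (severity, reason), highest severity first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    found = {r["path"]: triage(r, allowlist) for r in records}
    return dict(sorted(found.items(), key=lambda kv: rank[kv[1][0]]))


SAMPLE_RECORDS = [  # constructed records, not real samples or publishers
    {"path": "C:/Users/Public/update.exe", "subject": "Quick Tools LLC", "issuer": EOC_DN,
     "not_before": "2025-03-18T09:00:00Z", "not_after": "2025-03-21T09:00:00Z", "status": "Valid"},
    {"path": "C:/Program Files/Example/app.exe", "subject": "Example Corp Ltd", "issuer": EOC_DN,
     "not_before": "2025-03-18T09:00:00Z", "not_after": "2025-03-21T09:00:00Z", "status": "Valid"},
    {"path": "C:/Users/Public/loader.exe", "subject": "Quick Tools LLC", "issuer": EOC_DN,
     "not_before": "2025-03-18T09:00:00Z", "not_after": "2025-03-21T09:00:00Z", "status": "Revoked"},
    {"path": "C:/Windows/System32/notepad.exe", "subject": "Microsoft Windows",
     "issuer": "CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, C=US",
     "not_before": "2024-08-01T00:00:00Z", "not_after": "2025-07-31T00:00:00Z", "status": "Valid"},
]
```

A short-lived certificate from the EOC CA is not malicious by itself; the heuristic only raises unknown publishers for analyst review and treats a revoked signer, which is what Microsoft's response produces, as the strongest signal.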
Red-Team Relevance
For red-teamers, the abuse of Microsoft’s Trusted Signing service presents an interesting opportunity for offensive engagements. By leveraging similar techniques, red teams can simulate advanced threat actors who use signed malware to bypass security controls. This can help organizations test their defenses against sophisticated attacks that rely on code-signing abuse. Red teams can also use this method to demonstrate the importance of monitoring and validating code-signing certificates, even those issued by trusted authorities [9][10].
C-Suite Summary
For senior executives, this incident underscores the importance of robust security measures and continuous monitoring of trusted systems. The abuse of Microsoft’s Trusted Signing service highlights how even well-designed security mechanisms can be exploited by cybercriminals. Organizations should ensure their security teams are aware of these threats and are equipped to detect and respond to signed malware. Additionally, this incident serves as a reminder of the need for ongoing collaboration with vendors like Microsoft to address emerging security challenges [1][2].
Conclusion
The abuse of Microsoft’s Trusted Signing service is a stark reminder of the ongoing challenges in securing code-signing processes. While Microsoft has taken steps to mitigate the issue, the incident highlights the need for continuous vigilance and robust security measures. As cybercriminals continue to find new ways to exploit trusted systems, organizations must remain proactive in defending against these threats.
References
- Lawrence Abrams (2025-03-22). “Microsoft Trust Signing service abused to code-sign malware”. BleepingComputer.
- “Trusted Signing certificate management”. Microsoft Learn.
- “Microsoft Trust Signing service abused to code-sign malware”. Threads.
- “Trusted Signing FAQ”. Microsoft Learn.
- Graham Cluley (2022-12-15). “Microsoft-approved and digitally-signed malicious drivers used in ransomware attacks”. Bitdefender.
- Dan Goodin (2022-12-13). “Microsoft digital certificates have once again been abused to sign malware”. Ars Technica.
- “Microsoft Certificates Used to Authenticate Malware”. Spiceworks.
- “Certified evil: Investigating signed malicious binaries”. Red Canary.
- Andreas Klopsch, Andrew Brandt (2022-12-13). “Signed driver malware moves up the software trust chain”. Sophos News.
- “Understanding Code Signing Abuse in Malware Campaigns”. Trend Micro.