Skip to content

T1588.003 Code Signing Certificates

Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.1 Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is.

Prior to Code Signing, adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.

Item Value
ID T1588.003
Sub-techniques T1588.001, T1588.002, T1588.003, T1588.004, T1588.005, T1588.006
Tactics TA0042
Platforms PRE
Version 1.1
Created 01 October 2020
Last Modified 17 October 2021

Procedure Examples

ID Name Description
G0098 BlackTech BlackTech has used stolen code-signing certificates for its malicious payloads.4
G1003 Ember Bear Ember Bear has stolen legitimate certificates to sign malicious payloads.3
S0576 MegaCortex MegaCortex has used code signing certificates issued to fake companies to bypass security controls.2
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group used code signing certificates issued by Sectigo RSA for some of its malware and tools.7
G0027 Threat Group-3390 Threat Group-3390 has obtained stolen valid certificates, including from VMProtect and the Chinese instant messaging application Youdu, for their operations.5
G0102 Wizard Spider Wizard Spider obtained a code signing certificate signed by Digicert for some of its malware.6


ID Mitigation Description
M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.


ID Data Source Data Component
DS0004 Malware Repository Malware Metadata