Malware Signed With Microsoft Trusted Signing Certificates Detected In the Wild


Microsoft launched the Trusted Signing service in 2024 to offer developers a secure and efficient way to digitally sign applications and binaries. The goal was to simplify certificate management, reduce certificate theft risk, and enhance software trust by providing a reputation boost in Microsoft Defender SmartScreen and other security filters.

However, in early 2025, security researchers discovered that cybercriminals had begun abusing this very platform to sign malware with short-lived, three-day certificates, making their malware appear trusted and bypassing traditional security controls that rely on signature validity.

Severity Level: High

HOW THE THREAT WORKS

  1. Microsoft Trusted Signing issues certificates with a 3-day validity period under the issuer name “Microsoft ID Verified CS EOC CA 01”.
  2. Although the certificates expire after 3 days, binaries signed while the certificate was valid remain validly signed after it expires, unless the certificate is explicitly revoked.
  3. Threat actors exploit this to distribute malware as signed EXEs and DLLs, helping them evade security measures. Once signed, these files are perceived as trusted, improving their chances of executing successfully on target systems.

Unlike traditional Extended Validation (EV) certificates, which require extensive vetting and are expensive, Microsoft’s Trusted Signing service offers a more lenient, developer-friendly approach. This simplicity and trust model has now attracted malicious actors.

MALWARE CAMPAIGNS IDENTIFIED

  • Malware samples such as Lumma Stealer, and malicious DLLs used in Crazy Evil Traffers campaigns, were discovered signed via Microsoft’s platform.
  • MalwareHunterTeam discovered XWorm and QuasarRAT samples also signed with a certificate whose issuer is “Microsoft ID Verified CS EOC CA 01”.

RISK OVERVIEW

  • Trust Exploitation: Signed binaries appear legitimate, gaining trust and bypassing scrutiny.
  • Evasion Capability: Antivirus and EDR solutions may allow signed malware to execute unchallenged.
  • Rapid Abuse: Fast-cycle (3-day) certificates give attackers a rotating signing capability, so each campaign can use a fresh certificate.
  • Revocation Lag: Certificates are only revoked after abuse is discovered, giving attackers a window of exploitation.
  • Supply Chain Threat: Signed malware could potentially be embedded into legitimate update processes.

MICROSOFT RESPONSE

  • Certificate Revocation: Malicious certificates are revoked once abuse is detected.
  • Threat Monitoring: Microsoft states that active monitoring and threat intelligence are in place.
  • Policy Limitations: Only companies with 3+ years in business can sign under an organisation name, but individuals can register more easily.

RECOMMENDATIONS

  1. Implement behaviour-based detection and block execution of recently signed, uncommon executables unless they are explicitly allow-listed.
  2. Monitor and flag new code-signing certificates, especially those issued by the “Microsoft ID Verified CS EOC CA 01” CA, and treat an unusually short validity period as an indicator in its own right.
  3. Train users to be cautious when running signed executables, especially those acquired outside official or trusted sources.
  4. Enforce application control policies (e.g., AppLocker, WDAC) to restrict execution to approved applications and publishers.
  5. Block the indicators of compromise (IOCs) listed in the sources at the relevant controls.
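The following PowerShell script is an added example (it is not part of the advisory or of Microsoft's tooling) that turns the mechanism described under "How the threat works" and recommendations 1 and 2 into a host-side triage check. It uses the built-in Get-AuthenticodeSignature cmdlet to read each executable's signer certificate, computes the certificate's validity window from its NotBefore and NotAfter dates, and flags files whose window is at most 3 days or whose issuer matches the CA name quoted above. The scan paths, the validity threshold and the "recently signed" window are assumptions chosen for illustration; adjust them to your environment.

```powershell
# Added example, not from the advisory: triage executables whose Authenticode
# signer certificate is short-lived or was issued by the Trusted Signing CA
# named in the advisory. Run in PowerShell on the host being reviewed.
param(
    # Assumed scan locations; replace with the paths relevant to your estate.
    [string[]]$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP"),
    [int]$MaxValidityDays = 3,    # Trusted Signing certificates are valid for 3 days
    [int]$RecentDays = 14         # "recently signed" window, an assumed threshold
)

# Issuer common name quoted in the advisory.
$SuspectIssuer = 'Microsoft ID Verified CS EOC CA 01'

function Test-ShortLivedSignature {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    # Unsigned files are out of scope for this rule; other controls cover them.
    if (-not $sig.SignerCertificate) { return $null }

    $cert = $sig.SignerCertificate
    $validityDays = ($cert.NotAfter - $cert.NotBefore).TotalDays

    [pscustomobject]@{
        Path           = $FilePath
        Status         = $sig.Status            # Valid, HashMismatch, NotTrusted, ...
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotBefore      = $cert.NotBefore
        NotAfter       = $cert.NotAfter
        ValidityDays   = [math]::Round($validityDays, 1)
        # The certificate's validity window is the indicator, not whether it has
        # already expired: a signature made inside the window stays valid after
        # NotAfter unless the certificate is revoked.
        ShortLived     = $validityDays -le $MaxValidityDays
        SuspectIssuer  = $cert.Issuer -like "*CN=$SuspectIssuer*"
        RecentlySigned = $cert.NotBefore -gt (Get-Date).AddDays(-$RecentDays)
    }
}

$findings = Get-ChildItem -Path $Paths -Include *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-ShortLivedSignature -FilePath $_.FullName } |
    Where-Object { $_ -and ($_.ShortLived -or $_.SuspectIssuer) }

# Newest certificates first: these are the candidates for recommendation 1
# (recently signed, uncommon executables) and for submission to VirusTotal.
$findings | Sort-Object NotBefore -Descending |
    Format-Table Path, Status, Subject, Issuer, ValidityDays, ShortLived, SuspectIssuer, RecentlySigned -AutoSize
```

A hit from this script is a triage signal, not a verdict: legitimate developers also use Trusted Signing, so confirm the file's prevalence and behaviour before blocking, and feed confirmed findings into the AppLocker or WDAC publisher rules from recommendation 4 rather than relying on the signature status alone.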

SOURCES:

  • https://www.virustotal.com/gui/collection/4aeadfec7f1c5e6440a866acc2c82c1fae0b594d29d9cd2120a3af2ceab91673/iocs
  • https://www.bleepingcomputer.com/news/security/microsoft-trusted-signing-service-abused-to-code-sign-malware/
  • https://x.com/malwrhunterteam/status/1898502421787365432

Ampcus Cyber Threat Intelligence Advisory