T1553.002: T1553.002

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1553.002
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:37
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

Code Signing

Platforms

windows macos

Description

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning) Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Securelist Digital Certificates
Symantec Digital Certificates
Wikipedia Code Signing
mitre-attack (T1553.002)
EclecticLightChecksonEXECodeSigning

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (63)

CL-STA-0048 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Moses Staff uses DEV-0500Marigold Sandstorm

The MITRE Corporation Confidence 100

[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SHADOW-VOID-044 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
rhysida uses

Ransomware.Live Confidence 100

Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks and Cobalt Strike to breach the targets' networks…

First seen 01/01/1970 · Last seen 16/11/5138 ·
GALLIUM uses Granite Typhoon

The MITRE Corporation Confidence 100

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chinese APT (possibly APT41 subgroup) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Candiru uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OLYMPO uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-2561 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA505 uses Hive0065Spandex Tempest

The MITRE Corporation Confidence 100

[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 63

Rust backdoor uses

Family
TeviRat uses

Family
FRIENDLYFERRET_SECD uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HuaweiHiSuiteService64.exe uses

Family
Chrysalis backdoor uses

Family
Redline uses

Family
DevilsTongue uses
Pikabot uses

Family
Brave Prince - S0252 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AppSuite PDF uses

Family
HotPage uses

Family
Clop uses

← Previous

Page / 11

1–12 of 132

PHISH ALERT: From a Simple Phishing Email to … related

AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
Operation FlutterBridge: The FlutterShell macOS Backdoor related

AlienVault Confidence 100 12 MITREs 1 Malware 30 IOCs 21 Observables
New APT-Q-27 sample spotted related

AlienVault Confidence 100 8 MITREs 2 IOCs 2 Observables 1 APT
From external espionage to domestic targeting related

1 CVE 16 MITREs 5 Malwares 16 Observables 1 APT
AI brands as bait: How threat actors are … related

20 MITREs 5 Malwares 9 Observables 1 APT
Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell … related

20 MITREs 4 Malwares 9 Observables 1 APT
Tracking TamperedChef Clusters via Certificate and Code Reuse related

1 CVE 21 MITREs 22 Malwares 3 Observables
Infostealer Campaign Using Trading App as Lure related

20 MITREs 2 Malwares 4 Observables 1 APT
Exposing Fox Tempest: A malware-signing service operation related

AlienVault Confidence 100 20 MITREs 9 Malwares 4 IOCs 4 Observables 1 APT
Live off the Land? How About Bringing Your … related

2 CVEs 20 MITREs 10 Malwares 5 Observables 1 APT
Beyond the breach: inside a cargo theft actor's … related

AlienVault Confidence 100 24 MITREs 19 IOCs 19 Observables
Copyright Lures Mask a Multi-Stage PureLog Stealer Attack … related

AlienVault Confidence 100 18 MITREs 1 Malware 18 IOCs 18 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (23)

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2021-21166 KEV targets

Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2024-38196 targets

7.8 High

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Attack vector: LOCAL
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2021-30551 KEV targets

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-6473 targets

7.8 High

Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.

Attack vector: LOCAL
Published: 03/09/2024
Modified: 21/12/2025

Analyzed

CVE-2019-0708 KEV targets

Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2020-14871 KEV targets

Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected …

Published: 03/11/2021
Modified: 20/04/2026

CVE-2020-16040 targets

6.5 Medium

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a …

Attack vector: NETWORK
Published: 08/01/2021
Modified: 27/01/2026

CVE-2025-41244 KEV targets

7.8 High

Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges …

Attack vector: Local
Published: 30/10/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2026-1731 KEV targets

9.9 Critical

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …

Attack vector: Network
Published: 13/02/2026
Modified: 20/02/2026

Received

CVE-2022-2294 KEV targets

WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to perform …

Published: 25/08/2022
Modified: 20/12/2025

← Previous

Page / 2

1–12 of 23

T1553 subtechnique-of

Subvert Trust Controls MITRE

Campaign (4)

SolarWinds Compromise uses
RedDelta Modified PlugX Infection Chain Operations uses
Operation AkaiRyū uses
Operation Dream Job uses

Tool (2)

CSPY Downloader uses

The MITRE Corporation Confidence 100

[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)
QuasarRAT uses

The MITRE Corporation Confidence 100

[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity…

Contact About Legal notice Privacy policy Terms of use