T1553.002: T1553.002

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 05/02/2020 17:27 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1553.002
Confidence: 100/100
Revoked: No
Published: 05/02/2020 17:27
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

Code Signing

Platforms

windows macos

Description

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning) Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Securelist Digital Certificates
Symantec Digital Certificates
Wikipedia Code Signing
mitre-attack (T1553.002)
EclecticLightChecksonEXECodeSigning

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

Banana Squad uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Suckfly uses

The MITRE Corporation Confidence 100

[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)

First seen 01/01/1970 · Last seen 16/11/5138 ·
TransparentTribe uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-Q-27 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-3075 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CoinLurker uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
StaryDobry uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC4487 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AMOS related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-53 (Gamaredon) related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 related SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-CRI-1014 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 59

PHOREAL - S0158 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rhadamanthys uses

Family
Katz Stealer uses

Family
CHIMNEYSWEEP uses
Hyrax uses

Family
DeskRAT uses

Family
TINYSHELL uses

Family
PeckBirdy uses

Family
Trinper uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AdaptixC2 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HermeticWiper uses

Family
Nitrogen uses

Family

← Previous

Page / 7

25–36 of 75

PHISH ALERT: From a Simple Phishing Email to … related

AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
Operation FlutterBridge: The FlutterShell macOS Backdoor related

AlienVault Confidence 100 12 MITREs 1 Malware 30 IOCs 21 Observables
New APT-Q-27 sample spotted related

AlienVault Confidence 100 8 MITREs 2 IOCs 2 Observables 1 APT
From external espionage to domestic targeting related

1 CVE 16 MITREs 5 Malwares 16 Observables 1 APT
AI brands as bait: How threat actors are … related

20 MITREs 5 Malwares 9 Observables 1 APT
Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell … related

20 MITREs 4 Malwares 9 Observables 1 APT
Tracking TamperedChef Clusters via Certificate and Code Reuse related

1 CVE 21 MITREs 22 Malwares 3 Observables
Infostealer Campaign Using Trading App as Lure related

20 MITREs 2 Malwares 4 Observables 1 APT
Exposing Fox Tempest: A malware-signing service operation related

AlienVault Confidence 100 20 MITREs 9 Malwares 4 IOCs 4 Observables 1 APT
Live off the Land? How About Bringing Your … related

2 CVEs 20 MITREs 10 Malwares 5 Observables 1 APT
Beyond the breach: inside a cargo theft actor's … related

AlienVault Confidence 100 24 MITREs 19 IOCs 19 Observables
Copyright Lures Mask a Multi-Stage PureLog Stealer Attack … related

AlienVault Confidence 100 18 MITREs 1 Malware 18 IOCs 18 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (23)

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2021-21166 KEV targets

Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2024-38196 targets

7.8 High

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Attack vector: LOCAL
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2021-30551 KEV targets

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-6473 targets

7.8 High

Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.

Attack vector: LOCAL
Published: 03/09/2024
Modified: 21/12/2025

Analyzed

CVE-2019-0708 KEV targets

Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2020-14871 KEV targets

Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected …

Published: 03/11/2021
Modified: 20/04/2026

CVE-2020-16040 targets

6.5 Medium

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a …

Attack vector: NETWORK
Published: 08/01/2021
Modified: 27/01/2026

CVE-2025-41244 KEV targets

7.8 High

Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges …

Attack vector: Local
Published: 30/10/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2026-1731 KEV targets

9.9 Critical

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …

Attack vector: Network
Published: 13/02/2026
Modified: 20/02/2026

Received

CVE-2022-2294 KEV targets

WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to perform …

Published: 25/08/2022
Modified: 20/12/2025

← Previous

Page / 2

1–12 of 23

T1553 subtechnique-of

Subvert Trust Controls MITRE

Campaign (3)

SolarWinds Compromise uses
RedDelta Modified PlugX Infection Chain Operations uses
Operation AkaiRyū uses

Tool (2)

CSPY Downloader uses

The MITRE Corporation Confidence 100

[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)
QuasarRAT uses

The MITRE Corporation Confidence 100

[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity…

Contact About Legal notice Privacy policy Terms of use