T1553.002: T1553.002

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 05/02/2020 17:27 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1553.002
Confidence: 100/100
Revoked: No
Published: 05/02/2020 17:27
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

Code Signing

Platforms

windows macos

Description

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning) Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Securelist Digital Certificates
Symantec Digital Certificates
Wikipedia Code Signing
mitre-attack (T1553.002)
EclecticLightChecksonEXECodeSigning

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

Banana Squad uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Suckfly uses

The MITRE Corporation Confidence 100

[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)

First seen 01/01/1970 · Last seen 16/11/5138 ·
TransparentTribe uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-Q-27 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-3075 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CoinLurker uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
StaryDobry uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC4487 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AMOS related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-53 (Gamaredon) related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 related SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-CRI-1014 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 59

Rust backdoor uses

Family
TeviRat uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FRIENDLYFERRET_SECD uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HuaweiHiSuiteService64.exe uses

Family
Chrysalis backdoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Redline uses

Family
DevilsTongue uses
Pikabot uses

Family
Brave Prince - S0252 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AppSuite PDF uses

Family
HotPage uses

Family
Clop uses

Family The MITRE Corporation Confidence 100

[Clop](https://attack.mitre.org/software/S0611) is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 75

PHISH ALERT: From a Simple Phishing Email to … related

AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
Operation FlutterBridge: The FlutterShell macOS Backdoor related

AlienVault Confidence 100 12 MITREs 1 Malware 30 IOCs 21 Observables
New APT-Q-27 sample spotted related

AlienVault Confidence 100 8 MITREs 2 IOCs 2 Observables 1 APT
From external espionage to domestic targeting related

1 CVE 16 MITREs 5 Malwares 16 Observables 1 APT
AI brands as bait: How threat actors are … related

20 MITREs 5 Malwares 9 Observables 1 APT
Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell … related

20 MITREs 4 Malwares 9 Observables 1 APT
Tracking TamperedChef Clusters via Certificate and Code Reuse related

1 CVE 21 MITREs 22 Malwares 3 Observables
Infostealer Campaign Using Trading App as Lure related

20 MITREs 2 Malwares 4 Observables 1 APT
Exposing Fox Tempest: A malware-signing service operation related

AlienVault Confidence 100 20 MITREs 9 Malwares 4 IOCs 4 Observables 1 APT
Live off the Land? How About Bringing Your … related

2 CVEs 20 MITREs 10 Malwares 5 Observables 1 APT
Beyond the breach: inside a cargo theft actor's … related

AlienVault Confidence 100 24 MITREs 19 IOCs 19 Observables
Copyright Lures Mask a Multi-Stage PureLog Stealer Attack … related

AlienVault Confidence 100 18 MITREs 1 Malware 18 IOCs 18 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (23)

CVE-2025-0283 targets

7.0 High

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: LOCAL
Published: 09/01/2025
Modified: 21/12/2025

Analyzed

CVE-2021-1844 targets

8.8 High

A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 14.4.1 and iPadOS 14.4.1, Safari 14.0.3 (v. …

Attack vector: NETWORK
Published: 02/04/2021
Modified: 21/12/2025

CVE-2021-33742 KEV targets

Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-1709 KEV targets

10.0 Critical

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …

Attack vector: Network
Published: 22/02/2024
Modified: 28/02/2026

CVE-2024-1708 KEV targets

8.4 High

ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and …

Attack vector: Network
Complexity: Low
Published: 21/02/2024
Modified: 29/04/2026

CWE-22

CVE-2025-61882 KEV targets

9.8 Critical

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. …

Attack vector: Network
Published: 06/10/2025
Modified: 21/12/2025

Modified

CVE-2025-0411 KEV targets

7.0 High

7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction …

Attack vector: Local
Published: 06/02/2025
Modified: 21/12/2025

Analyzed

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2025-0282 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: Network
Published: 08/01/2025
Modified: 21/12/2025

Analyzed

CVE-2025-2783 KEV targets

8.3 High

Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …

Attack vector: Network
Published: 27/03/2025
Modified: 21/12/2025

Analyzed

CVE-2024-47575 KEV targets

9.8 Critical

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager …

Attack vector: Network
Published: 23/10/2024
Modified: 21/12/2025

Analyzed

← Previous

Page / 2

13–23 of 23

T1553 subtechnique-of

Subvert Trust Controls MITRE

Campaign (3)

SolarWinds Compromise uses
RedDelta Modified PlugX Infection Chain Operations uses
Operation AkaiRyū uses

Tool (2)

CSPY Downloader uses

The MITRE Corporation Confidence 100

[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)
QuasarRAT uses

The MITRE Corporation Confidence 100

[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity…

Contact About Legal notice Privacy policy Terms of use