T1553.002: T1553.002

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 05/02/2020 17:27 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1553.002
Confidence: 100/100
Revoked: No
Published: 05/02/2020 17:27
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

Code Signing

Platforms

windows macos

Description

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning) Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Securelist Digital Certificates
Symantec Digital Certificates
Wikipedia Code Signing
mitre-attack (T1553.002)
EclecticLightChecksonEXECodeSigning

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

CL-STA-0048 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Moses Staff uses DEV-0500Marigold Sandstorm

The MITRE Corporation Confidence 100

[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SHADOW-VOID-044 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
rhysida uses

Ransomware.Live Confidence 100

Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks and Cobalt Strike to breach the targets' networks…

First seen 01/01/1970 · Last seen 16/11/5138 ·
GALLIUM uses Granite Typhoon

The MITRE Corporation Confidence 100

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chinese APT (possibly APT41 subgroup) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Candiru uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OLYMPO uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-2561 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA505 uses Hive0065Spandex Tempest

The MITRE Corporation Confidence 100

[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 59

Rust backdoor uses

Family
TeviRat uses

Family
FRIENDLYFERRET_SECD uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HuaweiHiSuiteService64.exe uses

Family
Chrysalis backdoor uses

Family
Redline uses

Family
DevilsTongue uses
Pikabot uses

Family
Brave Prince - S0252 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AppSuite PDF uses

Family
HotPage uses

Family
Clop uses

← Previous

Page / 7

1–12 of 75

Storm-2561 uses SEO poisoning to distribute fake VPN … related

13 MITREs 1 Malware 12 Observables 1 APT
Iran conflict drives heightened espionage activity against Middle … related

26 MITREs 2 Malwares 19 Observables
Signed malware impersonating workplace apps deploys RMM backdoors related

14 MITREs 3 Malwares 20 Observables
Contagious Interview: Evolution of VS Code and Cursor … related

11 MITREs 2 Malwares 6 Observables 1 APT
Notepad++ supply chain attack breakdown related

12 MITREs 3 Malwares 36 Observables
Infostealers without borders: macOS, Python stealers, and platform … related

17 MITREs 5 Malwares 23 Observables
Inside MacSync's Script-Driven Stealer and Hardware Wallet App … related

16 MITREs 6 Observables
New Remcos Campaign Distributed Through Fake Shipping Document related

1 CVE 19 MITREs 1 Malware 13 Observables
MacSync Stealer Evolves: From ClickFix to Code-Signed Swift … related

11 MITREs 2 Malwares 11 Observables 1 APT
Indian Income Tax-Themed Phishing Campaign Targets Local Businesses related

14 MITREs 1 Malware 3 Observables
LummaStealer dropped via fake updates from itch.io and … related

11 MITREs 1 Malware 5 Observables
Inside DPRK's Fake Job Platform Targeting U.S. AI … related

14 MITREs 1 Malware 2 Observables 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (23)

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2021-21166 KEV targets

Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2024-38196 targets

7.8 High

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Attack vector: LOCAL
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2021-30551 KEV targets

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-6473 targets

7.8 High

Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.

Attack vector: LOCAL
Published: 03/09/2024
Modified: 21/12/2025

Analyzed

CVE-2019-0708 KEV targets

Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2020-14871 KEV targets

Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected …

Published: 03/11/2021
Modified: 20/04/2026

CVE-2020-16040 targets

6.5 Medium

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a …

Attack vector: NETWORK
Published: 08/01/2021
Modified: 27/01/2026

CVE-2025-41244 KEV targets

7.8 High

Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges …

Attack vector: Local
Published: 30/10/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2026-1731 KEV targets

9.9 Critical

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …

Attack vector: Network
Published: 13/02/2026
Modified: 20/02/2026

Received

CVE-2022-2294 KEV targets

WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to perform …

Published: 25/08/2022
Modified: 20/12/2025

← Previous

Page / 2

1–12 of 23

T1553 subtechnique-of

Subvert Trust Controls MITRE

Campaign (3)

SolarWinds Compromise uses
RedDelta Modified PlugX Infection Chain Operations uses
Operation AkaiRyū uses

Tool (2)

CSPY Downloader uses

The MITRE Corporation Confidence 100

[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)
QuasarRAT uses

The MITRE Corporation Confidence 100

[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity…

Contact About Legal notice Privacy policy Terms of use