T1553.002: T1553.002

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 05/02/2020 17:27 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1553.002
Confidence: 100/100
Revoked: No
Published: 05/02/2020 17:27
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

Code Signing

Platforms

windows macos

Description

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning) Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Securelist Digital Certificates
Symantec Digital Certificates
Wikipedia Code Signing
mitre-attack (T1553.002)
EclecticLightChecksonEXECodeSigning

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (59)

CL-STA-0048 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Moses Staff uses DEV-0500Marigold Sandstorm

The MITRE Corporation Confidence 100

[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SHADOW-VOID-044 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
rhysida uses

Ransomware.Live Confidence 100

Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks and Cobalt Strike to breach the targets' networks…

First seen 01/01/1970 · Last seen 16/11/5138 ·
GALLIUM uses Granite Typhoon

The MITRE Corporation Confidence 100

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chinese APT (possibly APT41 subgroup) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Candiru uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OLYMPO uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-2561 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA505 uses Hive0065Spandex Tempest

The MITRE Corporation Confidence 100

[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 59

Rust backdoor uses

Family
TeviRat uses

Family
FRIENDLYFERRET_SECD uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HuaweiHiSuiteService64.exe uses

Family
Chrysalis backdoor uses

Family
Redline uses

Family
DevilsTongue uses
Pikabot uses

Family
Brave Prince - S0252 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AppSuite PDF uses

Family
HotPage uses

Family
Clop uses

← Previous

Page / 7

1–12 of 75

PHISH ALERT: From a Simple Phishing Email to … related

AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
Operation FlutterBridge: The FlutterShell macOS Backdoor related

AlienVault Confidence 100 12 MITREs 1 Malware 30 IOCs 21 Observables
New APT-Q-27 sample spotted related

AlienVault Confidence 100 8 MITREs 2 IOCs 2 Observables 1 APT
From external espionage to domestic targeting related

1 CVE 16 MITREs 5 Malwares 16 Observables 1 APT
AI brands as bait: How threat actors are … related

20 MITREs 5 Malwares 9 Observables 1 APT
Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell … related

20 MITREs 4 Malwares 9 Observables 1 APT
Tracking TamperedChef Clusters via Certificate and Code Reuse related

1 CVE 21 MITREs 22 Malwares 3 Observables
Infostealer Campaign Using Trading App as Lure related

20 MITREs 2 Malwares 4 Observables 1 APT
Exposing Fox Tempest: A malware-signing service operation related

AlienVault Confidence 100 20 MITREs 9 Malwares 4 IOCs 4 Observables 1 APT
Live off the Land? How About Bringing Your … related

2 CVEs 20 MITREs 10 Malwares 5 Observables 1 APT
Beyond the breach: inside a cargo theft actor's … related

AlienVault Confidence 100 24 MITREs 19 IOCs 19 Observables
Copyright Lures Mask a Multi-Stage PureLog Stealer Attack … related

AlienVault Confidence 100 18 MITREs 1 Malware 18 IOCs 18 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (23)

CVE-2025-0283 targets

7.0 High

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: LOCAL
Published: 09/01/2025
Modified: 21/12/2025

Analyzed

CVE-2021-1844 targets

8.8 High

A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 14.4.1 and iPadOS 14.4.1, Safari 14.0.3 (v. …

Attack vector: NETWORK
Published: 02/04/2021
Modified: 21/12/2025

CVE-2021-33742 KEV targets

Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-1709 KEV targets

10.0 Critical

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …

Attack vector: Network
Published: 22/02/2024
Modified: 28/02/2026

CVE-2024-1708 KEV targets

8.4 High

ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and …

Attack vector: Network
Complexity: Low
Published: 21/02/2024
Modified: 29/04/2026

CWE-22

CVE-2025-61882 KEV targets

9.8 Critical

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. …

Attack vector: Network
Published: 06/10/2025
Modified: 21/12/2025

Modified

CVE-2025-0411 KEV targets

7.0 High

7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction …

Attack vector: Local
Published: 06/02/2025
Modified: 21/12/2025

Analyzed

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2025-0282 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: Network
Published: 08/01/2025
Modified: 21/12/2025

Analyzed

CVE-2025-2783 KEV targets

8.3 High

Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …

Attack vector: Network
Published: 27/03/2025
Modified: 21/12/2025

Analyzed

CVE-2024-47575 KEV targets

9.8 Critical

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager …

Attack vector: Network
Published: 23/10/2024
Modified: 21/12/2025

Analyzed

← Previous

Page / 2

13–23 of 23

T1553 subtechnique-of

Subvert Trust Controls MITRE

Campaign (3)

SolarWinds Compromise uses
RedDelta Modified PlugX Infection Chain Operations uses
Operation AkaiRyū uses

Tool (2)

CSPY Downloader uses

The MITRE Corporation Confidence 100

[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)
QuasarRAT uses

The MITRE Corporation Confidence 100

[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity…

Contact About Legal notice Privacy policy Terms of use