{
	"id": "f0ce2654-46de-4167-80bc-b3cee7ea523a",
	"created_at": "2026-04-06T00:19:12.840239Z",
	"updated_at": "2026-04-10T03:24:29.201229Z",
	"deleted_at": null,
	"sha1_hash": "b18e613a679661753aefc2b5e84ac8bae9ceec95",
	"title": "Code-signing certificate abuse in the Black Basta chat leaks (and how to fight back)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1650961,
	"plain_text": "Code-signing certificate abuse in the Black Basta chat leaks (and how to\r\nfight back)\r\nBy Aaron Walton\r\nPublished: 2025-03-18 · Archived: 2026-04-05 20:29:20 UTC\r\nTL;DR \r\nCode-signing helps computers have confidence in the legitimacy of files, but cybercriminals abuse them too. \r\nBlackBasta’s leaked chat logs give us insight into how a ransomware gang leveraged code-signing certificates for\r\ntheir malware campaigns.\r\nBy investigating code-signing certificates and reporting false signings, you can protect yourself and others from\r\nmalicious activity.\r\nRecently, we (the information security community) received the opportunity to look behind the curtain and see the inner\r\nworkings of the Black Basta ransomware gang. In this post, we’ll use the opportunity to examine how the ransomware gang\r\nused their skill and finances to abuse a core security concept: code-signing certificates.\r\n@usernamegg discussing his escape from arrest in Armenia with @chuck. Quak refers to what defenders track\r\nas Quakbot, or Qakbot, malware.\r\n@usernamegg: There was no information about Quak and Basta in my case\r\n@chuck: And what did they present in general?\r\n@chuck: If they don’t know that you’re basta, that’s good\r\nCore safety via code-signing certificates\r\nComputers have become an essential part of our lives and businesses. To help make this possible, a lot of time has gone into\r\nhelping ensure systems exist to make using computers safe. One of the core principles to help do this is code-signing\r\ncertificates. \r\nCode-signing certificates help solve some basic problems. They help answer the questions “How can I trust this program?”\r\nand “How can I trust this program has not been tampered with?”\r\nhttps://expel.com/blog/code-signing-certificate-abuse-in-the-black-basta-chat-leaks-and-how-to-fight-back/\r\nPage 1 of 10\n\nCode-signing certificates are issued to vetted organizations. 
This vetting process results in a chain of trust: a root authority\r\ntrusts a certificate authority, and the certificate authority vets and validates its customers. After validation, the customer is\r\ntrusted because the certificate authority is trusted.\r\nThis chain of trust impacts how web browsers and operating systems handle many files. If the file isn’t signed, many\r\nbrowsers and operating systems will show very clear warnings. However, if the file is signed and trusted, those warnings may not appear,\r\nor may only be informational.\r\nThis is an informational User Account Control message. The file is signed by Broadcom Inc.\r\nThis system helps us have confidence that a system file or downloaded application is legitimate, and that the developer has\r\nbeen vetted.\r\nIt uses public key cryptography to ensure the signatures are valid. When a file is signed, it requires the signing party to have\r\na private key (often tied to a hardware token) to apply a signature to a file. This ensures entities without the private key can’t\r\nsign as the software developer.\r\nSigning also protects against file tampering. The signature tied to the file contains a cryptographic hash of the file, and this\r\nhash must match the hash computed from the file, or the signature won’t be seen as valid. If you aren’t familiar with\r\nhashing, this is a technique of applying a one-way algorithm to a file to compute a small representation of the file. Any\r\nmodification to the file changes the representation, or hash.\r\nThese processes work pretty seamlessly: when you’re downloading or running files from trusted sources, the chain of trust\r\nhelps you feel safe about the file you’re running. 
Without this system, the user is required to validate a lot of information on\r\ntheir own (such as the source of the download) and calculate their own file hashes to compare against a public list of file\r\nhashes.\r\nAbusing code-signing\r\nThis code-signing process and transfer of trust works well, but just like anything within cybersecurity, attackers can also\r\nleverage the process. Cybercriminals want browsers and operating systems to trust their files, too, so they’re\r\nincentivized to find ways to abuse this system.\r\nThis is an informational User Account Control warning. This Adobe Photoshop file is signed by Just Add Water\r\nItalian Pizza Bread Pasta Mix Ltd. (spoiler alert: it isn’t a legitimate copy of Photoshop).\r\nIn very rare cases, cybercriminals can steal the private key and then sign files as an organization. There are some very well-known cases of this happening, but since the private key is connected to a physical hardware token, it’s usually very\r\nuncommon. \r\nThe most common method of abuse today is to impersonate a company and be issued the keys directly. Instead of each bad\r\nactor needing to do this themselves, certain attackers specialize in this impersonation and resell the certificates. One well-known seller is Megatraffer, who has been selling certificates for a long time, and was also selling certificates to the Conti\r\nransomware gang.\r\nAn image capture of Megatraffer’s Code Signing Guru website as captured by the Wayback Machine. Here,\r\nMegatraffer advertises why criminals need code-signing certificates for their malware.\r\nThis type of abuse has been previously written about and published by others. 
However, we recently got a good look at this\r\ntype of abuse from the inside, through the chat logs of the Black Basta ransomware gang.\r\nChat logs made public \r\nOn February 20, an individual going by ExploitWhispers announced they were publishing chats from the Black Basta\r\nransomware gang. ExploitWhispers stated they did this because Black Basta had crossed the line by compromising a\r\nRussian bank.\r\nIt’s generally taboo for Russian cybercriminals to target entities in the Commonwealth of Independent States (former\r\nUSSR countries). Targeting these countries could result in legal action, which, unlike legal action in the West, has a larger chance of\r\nmanifesting into charges. Targeting entities in these countries also impacts the lives of fellow countrymen.\r\nThese types of leaks are valuable to defenders like us because they often expose uncensored discussions between\r\ncybercriminals. Several researchers and organizations have also already dug deep into these leaks, observing how bad actors\r\nhandled the Ascension Healthcare ransomware attack internally, learning about how the gang leader escaped detention in\r\nArmenia, or documenting the vulnerabilities and tactics the gang discusses.\r\nA picture of a translated chat message. A leading member shared his opinion on how to handle blowback from\r\nencrypting devices in the Ascension Healthcare ransomware attack. Ransomware gangs regularly try to\r\nrebrand to avoid heat from law enforcement.\r\n@usernamegg: But after such a f***, we need to rebrand or we will be taken by the a**\r\nThe leaks themselves cover the period from 2023-09-18 to 2024-09-28. 
There are almost 200,000 messages, 50 unique users, and\r\n79 chatrooms (source).\r\nFrom our own visibility, we knew the Black Basta ransomware gang were frequent abusers of code-signing certificates.\r\nSpecifically, our SOC frequently saw Black Basta sign Pikabot and DarkGate malware they used in phishing campaigns, so\r\nwe dug in to see what we could learn.\r\nWhy sign?\r\nIn the early parts of the chat logs (2023-10-06), the bad actors discuss the cost and value of using code-signing certificates\r\n(the following is machine-translated from Russian and edited for style and clarity).\r\n@usernamegg and @usernameeugway discuss the costs associated with the campaign and signing files.\r\n@usernameeugway: How much did the signature cost? \r\n@usernamegg: Well, we’ll spend $500 to send 1,000 copies of the PDF build with the MSI files, with the EV certificate that\r\ncosts $4,000\r\n@usernameeugway: And if you don’t have a cert? What will happen? \r\n@usernamegg: Without a cert, it is better not to send anything to the team. This is not a targeted attack, but a mass one\r\nThe main person handling the certificates goes by “gg” in the chats, and is known to be one of the main leaders of Black\r\nBasta. He had formerly been part of the Conti ransomware gang, and is the most active person in the chat logs.\r\nWithin the chat logs, gg frequently talks about handling the signing of files. When he shares the files, they are always nicely\r\nlabeled, which helps us get a good understanding of their contents. In general, the gang freely uses code-signing certificates and\r\ndoesn’t hold back on buying or using them.\r\n@lapa and @usernamegg discuss using a certificate for a test before a campaign.\r\n@lapa: Maybe now we won’t use the certs?  
\r\n@lapa: We will at least see if there will be launches of the files\r\n@lapa: We will spoil the cert\r\n@usernamegg: Will\r\n@usernamegg: We can send immediately large files with a cert\r\n@usernamegg: They will spoil it anyway\r\nIn most cases, signed files gg shares are labeled like this: “EV## Impersonated Organization name [Certificate\r\nProvider].rar” (for example, “EV44AAA_CLOTHING [SSL.COM].rar”). We can further correlate this particular certificate\r\nwith a file in The Cert Graveyard database.\r\nThe Cert Graveyard is a public database that tracks code-signing certificate abuse. \r\nThe file’s entry in The Cert Graveyard database.\r\nThe Cert Graveyard documented the abuse of a certificate issued by SSL.com to AAA Clothing Limited. They identified the\r\nmalware as DarkGate, and provided the file hash\r\nb79b536569c0060a834e4001289a6700692d67df58e644779fababf0df22fc75. This file is also publicly available on\r\nVirusTotal.\r\nVirusTotal indicates the certificate for AAA Clothing Limited was reported and revoked.\r\nThe chats mention at least 28 certificates. The entire list we identified is provided at the end of this document. Like the AAA\r\nClothing Limited file, most are numbered and follow the pattern mentioned above. The file numbers range from 13 to 101,\r\nso the fact that we only have 28 may indicate many more are unaccounted for. 
Reporting certificates for revocation is\r\nimportant, but gangs like these often have many on hand.\r\n@usernamegg and @burito are discussing their ability to generate new certificates quickly when a previous\r\none is revoked.\r\n@usernamegg: You just use your crypting tool and we’ll sign it with an EV cert \r\n@burito: Cert revoked by the campaign\r\n@burito: Error: key status is disabled \r\n@usernamegg: The new one is already there\r\n@burito: Let’s go 🙂\r\nA crypting tool is a common means to hide the functionality of a file. \r\nThe possibility that they could have had 100+ code-signing certificates isn’t unusual. According to The Cert Graveyard,\r\nsome malware families have been seen signed with code-signing certificates many times. This includes Qakbot, which has been seen\r\nsigned by impersonated organizations more than 100 times. The gang also signed many different files within a campaign—\r\nnot just their initial access malware.\r\n@usernamegg confirms the contents of files they plan to use in a cyber attack.\r\n@usernamegg: update.zip\r\n@usernamegg: update1 Lumma update2 socks update3 hvnc update4 cobalt\r\n@usernamegg: All signed EV cert\r\nThe gang uses code-signing for multiple components of their campaign. This includes signing initial access tools (IATs) like\r\nQuakbot, Pikabot, and DarkGate; information stealing malware, like Lumma infostealer; tools to hide one’s presence on a\r\ncomputer and network, like SOCKS proxy and Hidden VNC; and their featured remote access tool, Cobalt Strike.\r\nCode-signing certificate abuse is often misunderstood. However, these chats give us a lot of great visibility into how this\r\ngang abuses certificates. 
We’ve seen how much they pay for them, how liberally they use them (due to their critical role in their\r\ncampaign), and we’ve seen them used to sign a range of malware.\r\nLeveraging the leaks for good\r\nJust knowing ransomware gangs and other criminals abuse code-signing certificates isn’t enough. It’s important for\r\norganizations to leverage that knowledge for their defenses, too. Here’s what you can do.\r\n1. Investigate files with uncommon code-signing signatures.\r\nMalware traffic generation teams (also known as traffers) often sell a service to hide the malicious code (using what is called\r\ncrypting) and provide code-signing services. As a result, signed malware has a low detection rate, which increases the\r\nchances of success. Malware with high detection rates is unlikely to be signed, because signing it risks “spoiling the cert.” \r\nAt Expel, we frequently see malicious advertisements for common apps. These advertisements push low-detection malware.\r\nIt’s important to investigate the file, because the code-signing certificate can often be an indicator of malicious activity. One\r\nway to investigate these files is to compare what the file claims to be with its signer. \r\nIn the following image, the file on VirusTotal was uploaded as SlackSetup.exe. It was downloaded from a malicious\r\nadvertisement for Slack. The file information (which is basically just a text field an attacker can fill in) also claims the file is\r\nSlack. However, the certificate signer is “SIAFU LIMITED” and not the expected signer: Slack.\r\nThe file and certificate details of a file on VirusTotal. The items highlighted in green are inconsistent with the\r\nsigner, making the signer suspicious.\r\nBy reviewing and evaluating what the file claims to be versus who has signed the file, analysts can quickly identify whether\r\nthe file is legitimate, regardless of the detection rate. (At the time of this writing, the file was detected as malicious by four\r\nof 68 detection engines. 
But seeing completely clean malicious files is also fairly common.)\r\nOrganizations can manually review these features or use automation and AI. You do you. 🙂\r\n2. Submit reports for abused code-signing certificates.\r\nCertificate providers are really responsive to reports. The certificate provider previously vetted and trusted a customer, so\r\nreceiving reports of abuse allows them to take action and revoke the certificates. To report a certificate, the file must be\r\npublicly available for the provider to validate your claim of abuse. The easiest way to make it available is to upload the file\r\nto VirusTotal and give that link to the provider. We also recommend providing a detailed report of the activity you observed\r\nindicating abuse, especially if the file is clean in terms of detection. The information you provide helps them identify\r\nmalicious activity.\r\nThe maintainers of Cert Graveyard also have a tool called certReport, which can generate abuse reports in a few seconds and\r\ndirect you on where to report the certificate. This tool leverages VirusTotal to collect the important details on the certificate,\r\nas well as any suspicious indicators identified by VirusTotal.\r\nReporting the certificate can also: \r\nCost criminals money. As mentioned in the leaks, code-signing certificates regularly cost $4,000 or more, because\r\nobtaining the certificate takes a lot of work. Reporting the certificate causes criminals to have to spend even more\r\nmoney, or risk having a completely useless campaign.\r\nDisrupt future downloads. When a certificate is revoked, the file is now viewed as worse than an unsigned file.\r\nBoth browsers and operating systems will reject a revoked certificate as explicitly untrusted. 
This can help protect\r\nusers in your organization and outside your organization from downloading the same malware.\r\nDisrupt malware delivery. As seen in the chats, when a certificate is revoked, the certificate can’t sign files\r\nanymore. This can disrupt campaigns where a bad actor is trying to deliver signed files. We regularly see malware\r\ntraffic teams disrupted due to the revocation of their certificates.\r\nHelp defenders identify malware. Since most certificates issued to impostors are used to sign multiple files, they all\r\nbecome suspect once one is reported. When certificates aren’t revoked, they are reused across malware. Identifying\r\nother files with a malicious certificate can help identify low-detection malware that can then be investigated and\r\nanalyzed to build new detections to find them the next time they are seen.\r\nBlack Basta’s known certificates\r\nThe following table contains the certificates mentioned in the chats. We checked to see if they were publicly known in the\r\nCert Graveyard database. If they were known, the file hash was provided. \r\nThis list was also provided to the certificate issuers listed in the table for their awareness.\r\nNumber from chat Subscriber Issuer Date seen Thumbprint Hash example (if available)\r\nEV1 AproFoods LLC GlobalSign Unknown Unknown Unknown\r\nEV4 Avikser LLC GlobalSign Unknown Unknown Unknown\r\nEV6 Aprima LLC GlobalSign Unknown Unknown Unknown\r\nEV13 Stimul LLC GlobalSign 1/31/24 F89A8B321959FED4963D8DF10996E1A9BD07119D b758b935fc420e334d8afdff6d\r\nEV23 LLC SERVER GlobalSign 4/24/24 2B20EE6FB83FF52BDD2714741A8783981795B8E7 315e6d1736e2ec8465a172d28\r\nEV24 LLC CESARIA GlobalSign 5/31/24 239E18C2FF083DAB3546B83BE3CC00756442047D ec3ca0877e599ae9c40cbcec51\r\nEV32 Primak LLC GlobalSign 10/2/24 Unknown Unknown\r\nEV37 MK ZN S.R.O. SSL.com 9/28/23 0D762B095F6F2BA2DBEB00C5B8E9C93294FAD66F 4325d78175a803fb6a1d235e8\r\nEV41 MK ZN S.R.O. 
GlobalSign 10/12/23 Unknown Unknown\r\nEV42 AAA Bio Mass Services SSL.com Unknown Unknown Unknown\r\nEV43 Fast Colibri SSL.com Unknown Unknown Unknown\r\nEV44* Media Box SSL.com Unknown Unknown Unknown\r\nEV44* AAA Clothing Limited SSL.com 10/5/23 DF4E044C56147E7629B9C7781A5FE88996F91C5D b79b536569c0060a834e40012\r\nEV45 SIA “VIK CAR” SSL.com Unknown Unknown Unknown\r\nEV47 Acacia Wood limited SSL.com Unknown Unknown Unknown\r\nEV48 Andapak Corrugated Sales Limited SSL.com Unknown Unknown Unknown\r\nEV53 Amazing Projects SSL.com Unknown Unknown Unknown\r\nEV54 Stone Canvas SSL.com Unknown Unknown Unknown\r\nEV56 Wallfort SSL.com Unknown Unknown Unknown\r\nEV57 Freeze Me Ltd SSL.com Unknown Unknown Unknown\r\nEV60 Soft Blanket SSL.com 11/3/23 17E254F06BCF34A77A3797C5382E4BC064D2328D f119f1e813cdb8dba30bd3348e\r\nEV61 Soft Comm SSL.com Unknown Unknown Unknown\r\nEV62 Sky Wine SSL.com Unknown Unknown Unknown\r\nEV68 SSTextiles SSL.com Unknown Unknown Unknown\r\nEV71 Share Holding SSL.com Unknown Unknown Unknown\r\nEV75 Miniboss SSL.com Unknown Unknown Unknown\r\nEV76 Dentinum SSL.com Unknown Unknown Unknown\r\nEV77 Seed Plant SSL.com Unknown Unknown Unknown\r\nEV78 Get Natural SSL.com Unknown Unknown Unknown\r\nEV80 New Print SSL.com Unknown Unknown Unknown\r\nEV81 Fisker Fashion SSL.com Unknown Unknown Unknown\r\nEV85 SOFTWARE MEDICAL DEVICES LIMITED SSL.com 12/15/23 7917A946ED473A0E81BD4501B0B1736FB1AC653D fda2abd24764809fb36d4d2ee7\r\nEV89 Kim Chick Sexing SSL.com Unknown Unknown Unknown\r\nEV90 4leaf Holding Corp. SSL.com Unknown Unknown Unknown\r\nEV93 ARCHIKADIA SP Z O O SSL.com 1/15/24 566E7BCC466E79F9A21D4FF7DFF0A407D76B41F9 6c91b714aefef2438be04161d8\r\nEV94 Talk Invest ApS SSL.com 1/19/24 7B75394FF02197A21E6F683A717CB5A94C7C3DAE 
1626880b917b7f5756109dcb6\r\nEV95 A.P. Hernandez Consulting s.r.o. SSL.com 1/25/24 2941D5F8758501F9DBC4BA158058C3B5 89dc50024836f9ad406504a3b\r\nEV99 4leaf Holding Corp. SSL.com 1/26/24 94BACD94876552AA683B8D9E4772A0E37C985E30 3a993c44e39c426239051b00a\r\nEV101 Show Down SSL.com Unknown Unknown Unknown\r\nUnknown TAIM LLC GlobalSign 10/5/23 4CB87577FA5B91346CCE30FB9FF3139D46DE3361 5be959722d8cd4bfd6f88a4901\r\nUnknown Ken Friedman AB SSL.com 12/26/23 BB296138FB75F5CEB45E36B85A8DF7CC82C6364C 8db0b8f45f726a963b34410c74\r\nUnknown Clover Field ApS SSL.com 12/14/23 1C2C084FB6E18A4033B63E619868CF81819BF46E e88610db05636a1476435ec1f\r\n* While two certificates can’t both be EV44, these numbers are directly from the chat and could not be confirmed. \r\nSource: https://expel.com/blog/code-signing-certificate-abuse-in-the-black-basta-chat-leaks-and-how-to-fight-back/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://expel.com/blog/code-signing-certificate-abuse-in-the-black-basta-chat-leaks-and-how-to-fight-back/"
	],
	"report_names": [
		"code-signing-certificate-abuse-in-the-black-basta-chat-leaks-and-how-to-fight-back"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b18e613a679661753aefc2b5e84ac8bae9ceec95.pdf",
		"text": "https://archive.orkl.eu/b18e613a679661753aefc2b5e84ac8bae9ceec95.txt",
		"img": "https://archive.orkl.eu/b18e613a679661753aefc2b5e84ac8bae9ceec95.jpg"
	}
}