{
	"id": "8e33c4af-d463-47b2-bd54-59ea769cd7c2",
	"created_at": "2026-04-06T00:09:59.836663Z",
	"updated_at": "2026-04-10T03:21:19.549577Z",
	"deleted_at": null,
	"sha1_hash": "b98bdfb1bfc1eba483dc21f091771f8cd7893d13",
	"title": "W3 May | EN | Story of the week: Code Signing Certificate on the Darkweb",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2059344,
	"plain_text": "W3 May | EN | Story of the week: Code Signing Certificate on the\r\nDarkweb\r\nBy Hyunmin Suh\r\nPublished: 2021-05-18 · Archived: 2026-04-05 13:24:52 UTC\r\nTrust but verify\r\nCo-Author:\r\n, , YH Jeong | S2W LAB Talon\r\nPress enter or click to view image in full size\r\nExecutive Summary\r\nCode signing certificates have been used since Stuxnet incident (2011) as of today. Malware using code signing\r\ncertificate is classified as highly reliable software and is less likely to be detected by Anti Virus (AV). It is known\r\nthat attackers prefer code signed certificates as the most of current Internet and security systems are oriented\r\ntoward trust and reputation dependent models.\r\nCode signing certificates began to be sold on the dark web from around 2015 to 2016, and are mostly spotted on\r\nRussian speaking forums. Until recently, code signed certificates are being sold by various sellers on the forums\r\nand prices ranging from $400 to $3500 depending on the grade of the certificate.\r\nhttps://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001\r\nPage 1 of 15\n\nIt is important to consider the fact that this criminal ecosystem being active is that sellers have been constantly\r\nsupplying certificates of legitimate companies, which can be seen that those of companies and developers’ lack of\r\nsecurity awareness and negligence of management provided the cause of hacking code signing certificates\r\nprocessing servers.\r\nMost of the code signing certificate issues had already been a big issue in the past, so many people regard this\r\nissue as just an old case. 
However, attackers are still interested in code signing certificate servers, and certificates are still being\r\ntraded on the dark web or via hidden channels.\r\nCode signing certificate sales posting on the dark web\r\nAccording to the seller, it can issue certificates from global brand C, which issues SSL certificates, at prices\r\nranging from $500 to $2600.\r\nIf you develop software without code signing, the biggest difference is in the User Account Control (UAC) prompt\r\nshown when the software is executed.\r\nImage from SSL2BUY (https://www.ssl2buy.com/wiki/regular-code-signing-vs-ev-code-signing)\r\nCode Signing vs SSL Certificate\r\nImage from SECTIGO store (https://sectigostore.com/blog/differences-between-ssl-certificates-and-code-signing-certificates/)\r\nAs the diagram above shows, the main difference between an SSL certificate and a code signing certificate is\r\nwhether you own a website or publish downloadable software, applications, etc.\r\nNext, let’s look at how EV differs for code signing.\r\nCode Signing vs Code Signing EV\r\nThe code signing EV mentioned by the seller refers to Extended Validation (EV) code signing certificates, which differ\r\nfrom general code signing certificates in that the private key is stored in a separate hardware token in the case\r\nof EV. 
The most noticeable difference when running the software is that the Windows SmartScreen Filter warning\r\ndoes not appear when using EV code signing certificates.\r\nImage from Code Signing Store (https://codesigningstore.com/code-signing/digicert-ev-code-signing?gclid=CjwKCAjwy42FBhB2EiwAJY0yQllulxfYB-XGcN0Cesmj4AJocNnjPxlpWk4KNyOdEV1MkriGQm5IgRoCdV4QAvD_BwE)\r\nBecause of this, many cybercriminals use code signing certificates to increase the success rate of attacks when\r\ncreating malware.\r\nHowever, not just anyone can obtain a certificate: the applicant must submit documents such as a business\r\nregistration certificate, a tax payment certificate, etc. to the authorities and go through an examination process.\r\nTherefore, attackers either steal the code signing certificate directly by compromising a legitimate company’s certification\r\nserver, or purchase it from dark web sellers.\r\nNow, let’s take a look at how many sellers are still active on dark web forums.\r\nCode Signing Certificate Sellers on the dark web\r\nAs can be seen from the table, these users have been active for at least 2 months and up to 7 years. 
In this regard, code\r\nsigning certificates can be seen as quite a popular product on the dark web.\r\nSeller’s Posts in Exploit[.]iN Forum\r\nMegatraffer\r\nDigital certificates for sale, from the oldest and most trusted service!\r\nWe offer:\r\n- regular (non-EV) code signing certificates\r\n- EV code signing certificates\r\nPrice\r\n- non-EV certificate - $700\r\n- EV code signing certificate - $3500\r\nAll certificates:\r\n- valid for 1 year, can also make them for 2 years\r\nWhy signing files?\r\n- to avoid red/yellow UAC warnings\r\n- to avoid SmartScreen alerts\r\n- signed software is much more trusted by users\r\n- some antiviruses block ALL unsigned software from being executed\r\nBenefits of EV Code Signing certifi\r\n- removes SmartScreen blue windows immediately\r\n- maximum level of trust by AVs\r\n- EV certificate is a 'must have' if you want to sign drivers for Windows 10\r\nContact:***sanitized by s\r\nSeller’s Posts in XSS[.]IS Forum\r\nFirefox\r\nThere is a ready-made C**** Code Signing certificate (standard), made for sale, released on 04/15/201\r\nIf there is a stable demand, we will gradually expand the range and volumes. A similar top on the ex\r\nSeller’s Posts in Telegram\r\nSamCodeSign\r\n⚡️⚡️⚡️Certificates in stock⚡️⚡️⚡️\r\n \r\n1)\r\nType: EV Code Signing\r\nStatus: New 🔥\r\nTerm: 1 year\r\nCA: S***\r\nConditions: Installed on a token. 
Only shipping is at the buyer's expense.\r\nQuantity: 4 in stock\r\nPrice: $3300. 💵\r\n2)\r\nType: EV Code Signing\r\nStatus: New 🔥\r\nTerm: 1 year\r\nCA: D***\r\nConditions: Remote installation on your token.\r\nQuantity: 1 piece in stock\r\nPrice: $3600. 💵\r\n3)\r\nType: EV Code Signing\r\nStatus: Old ⏳\r\nTerm: until June 26, 2021\r\nCA: G***\r\nConditions: Remote installation on your token.\r\nQuantity: 1 piece in stock\r\nPrice: $2600. 💵\r\nConclusion\r\nMalware signed with stolen certificates is found constantly. As mentioned earlier, the reason the\r\ncriminal ecosystem is still active today is that there is an abundant supply chain through which hackers constantly\r\nbring in legitimate companies’ certificates.\r\nIt is difficult for ordinary companies to cope with malicious code signed with legitimate companies’ certificates.\r\nTherefore, the most fundamental solution is to raise companies’ and developers’ security awareness regarding the\r\ncode signing certificate server and to manage it carefully.\r\nReferences to past cases related to code signing certificates\r\nCase 1 : Private-Key Stolen\r\nAttackers steal the private key of a normal software developer, sign the malicious code they developed, and disguise it\r\nas a legitimate program.\r\nCase 1–1. Related to the Stuxnet malware incident\r\nDate of incident: January 2011\r\nMalware used: Trojan — Zeus\r\nIncidents explained: Use of stolen digital signatures belonging to Realtek Semiconductor Corp. 
based in Taiwan\r\nDigital signature that was stolen at the time of the incident (see reference 13)\r\nAccording to Kaspersky, JMicron and Realtek announced the possibility of infection with Zeus, a Trojan that\r\nsteals digital signatures. They also noted that the stolen digital signatures could not only be used by attackers on\r\nthe Stuxnet driver, but could also be sold on the black market.\r\nCase 1–2. Related to the Sony Pictures hacking incident\r\nDate of incident: November 2014\r\nMalware used: Destover Malware\r\nIncidents explained: Destover malware signed with a stolen Sony certificate and hijacked pfx file\r\nCase 2 : Compromised Code Signing Process Server\r\nSigning hackers’ malicious code by compromising the server that performs the code signing process.\r\nCase 2–1. Adobe hacking incident\r\nDate of incident: September 2012\r\nMalware used: pwdump7 v 7.1, myGeeksmail.dll\r\nIncidents explained: Attackers penetrated the network and reached a build server on which they requested a\r\nsignature for two malicious utilities.\r\nCase 2–2. 
Related to the Bit9 system hacking incident\r\nDate of incident: February 2013\r\nMalware used: Trojan, Backdoor.Hikit\r\nIncidents explained:\r\n- Web server hacked via SQL injection, and Backdoor.Hikit installed\r\n- Virtual machine that processes digital signatures accessed\r\n- 32 malicious files have been tampered with\r\nCase 3 : Direct Attack on Certificate Authority\r\nCompromising the Certificate Authority (CA) that issues code signing certificates and manipulating it to issue\r\ncode signing certificates for the attacker\r\nCase 3–1. Comodo Certificate Authority (CA) breach case\r\nDate of incident: March 2011\r\nMalware used:\r\nIncidents explained:\r\n- Created a new ID after hijacking a user account registered with the RA in South Africa (InstantSSL.it), and issued\r\n9 fake certificates\r\n- ComodoHacker gained full access to the RA network, then reverse engineered the DLL (TrustDll.dll)\r\nthat handles certification requests\r\n- ComodoHacker post : https://pastebin.com/DBDqm6Km\r\n- The username and password are hard-coded in the DLL file, allowing hackers to connect directly to the\r\nAPI used to sign certificates\r\n- Created their own CSR (Certificate Signing Request), then signed it through the API they already had access to,\r\nand issued 9 fraudulent certificates for the CAs mentioned above\r\nCase 3–2. 
DigiNotar Certificate Authority (CA) breach case\r\nDate of incident: August 2011\r\nVulnerability used: Web server vulnerability\r\nIncidents explained:\r\n- Google’s Chrome team discovered that a DigiNotar-issued certificate did not match google.com’s internal\r\nlist of certificates\r\n- Web server hacked → Office-Net hacked → Secure-Net hacked including CA server → Activated\r\nRemote Desktop protocol and connected\r\nMore than 531 fraudulent certificates were issued.\r\nDigiNotar — bankrupted by the hacking incident\r\nAttacker’s note : https://pastebin.com/1AxH30em\r\nReference\r\n1. Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates (https://arxiv.org/pdf/1803.02931.pdf)\r\n2. The Use of Counterfeit Code Signing Certificates Is on the Rise (https://www.recordedfuture.com/code-signing-certificates/)\r\n3. Understanding Code Signing Abuse in Malware Campaigns (https://www.trendmicro.com/en_us/research/18/d/understanding-code-signing-abuse-in-malware-campaigns.html)\r\n4. The Real Story of Stuxnet (https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet)\r\n5. Case study of Stuxnet (https://www.hsdl.org/?view\u0026did=792239)\r\n6. Three types of code signing hacks used to distribute malware [악성코드를 유포시키기 위한 코드서명 해킹 3가지 유형] (https://m.blog.naver.com/PostView.nhn?blogId=aepkoreanet\u0026logNo=220669301729\u0026proxyReferer=https:%2F%2Fwww.google.com%2F)\r\n7. SONY PICTURES ENTERTAINMENT — EU Cyber Direct (https://eucyberdirect.eu/wp-content/uploads/2020/11/2014-sony-pictures-entertainment.pdf)\r\n8. Adobe Says Its Code Signing Infrastructure Has Been Hacked (https://www.darkreading.com/risk/adobe-says-its-code-signing-infrastructure-has-been-hacked/d/d-id/1138440?)\r\n9. 
The Scary and Terrible Code Signing Problem You Don’t Know You Have (https://www.sans.org/reading-room/whitepapers/critical/scary-terrible-code-signing-problem-you-36382)\r\n10. Microsoft, FireEye confirm SolarWinds supply chain attack (https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/)\r\n11. Hackers are selling legitimate code-signing certificates to evade malware detection (https://www.zdnet.com/article/hackers-are-selling-legitimate-code-signing-certificates-to-evade-malware-detection/)\r\n12. Stuxnet: Zero victims (https://securelist.com/stuxnet-zero-victims/67483/)\r\n13. Stuxnet signed certificates frequently asked questions (https://securelist.com/stuxnet-signed-certificates-frequently-asked-questions/29725/)\r\n14. Stuxnet and stolen certificates (https://securelist.com/stuxnet-and-stolen-certificates/29724/)\r\n15. VB2018 paper: Since the hacking of Sony Pictures (https://www.virusbulletin.com/virusbulletin/2018/11/vb2018-paper-hacking-sony-pictures/)\r\n16. Stolen Sony certificates used to digitally sign Destover Malware (https://www.cyberdefensemagazine.com/stolen-sony-certificates-used-to-digitally-sign-destover-malware/)\r\n17. ‘Destover’ malware now digitally signed by Sony certificates (updated) (https://securelist.com/destover-malware-now-digitally-signed-by-sony-certificates/68073/)\r\n18. Comodo-Fraud-Incident-2011–03–23 (https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html)\r\n19. SECURITY BREACH IN CA NETWORKS -COMODO, DIGINOTAR, GLOBALSIGN (https://blog.isc2.org/isc2_blog/2012/04/test.html)\r\n20. All You Need to Know About the SolarWinds Attack (https://www.thesslstore.com/blog/all-you-need-to-know-about-the-solarwinds-hack/)\r\n21. 
EP 3: DIGINOTAR, YOU ARE THE WEAKEST LINK, GOOD BYE! (https://darknetdiaries.com/transcript/3/)\r\nHomepage: https://www.s2wlab.com\r\nFacebook: https://www.facebook.com/S2WLAB/\r\nTwitter: https://twitter.com/s2wlab\r\nSource: https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001"
	],
	"report_names": [
		"w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001"
	],
	"threat_actors": [],
	"ts_created_at": 1775434199,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b98bdfb1bfc1eba483dc21f091771f8cd7893d13.pdf",
		"text": "https://archive.orkl.eu/b98bdfb1bfc1eba483dc21f091771f8cd7893d13.txt",
		"img": "https://archive.orkl.eu/b98bdfb1bfc1eba483dc21f091771f8cd7893d13.jpg"
	}
}