Hackers Use Microsoft Trusted Signing to Spread Malware
Cybercriminals have started exploiting the Microsoft Trusted Signing service to sign malicious software, making it appear safe and created by reputable companies. This tactic helps them bypass antivirus programs and other security systems, which tend to trust signed files more.
What Is Microsoft Trusted Signing?
Trusted Signing is a cloud service launched by Microsoft in 2024. It allows developers to quickly sign their software using short-lived certificates that are valid for only three days. Files signed this way receive basic trust from Windows and SmartScreen, helping them avoid warning messages when launched.
How Hackers Are Abusing the Service
Attackers sign malware and distribute it as if it were legitimate software. Experts have already found several examples, including malicious files from the Crazy Evil Traffers and Lumma Stealer campaigns. These files were signed with certificates issued by Microsoft’s certification authority.
Although each certificate is valid for only three days, files signed during that window remain trusted after it closes unless the certificate is revoked. This gives attackers enough time to spread their malware and infect devices.
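Because a three-day signer certificate is unusual for ordinary software, a defender can use that validity window as a triage signal. The following PowerShell script is an added example, not code from the article or from Microsoft: it walks a directory, reads each Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and lists files whose signer certificate was valid for at most a chosen number of days (the 3-day threshold and the file extensions scanned are assumptions for this example).

```powershell
# Added example (not from the article): flag Authenticode-signed files whose
# signer certificate has a very short validity window, such as the three-day
# certificates issued through Trusted Signing. A short window is NOT proof of
# malice; it only marks the file for closer review (hash lookup, sandboxing).
# $MaxValidityDays is an assumed threshold chosen for this example.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [int]$MaxValidityDays = 3
)

function Get-ShortLivedSignatureInfo {
    param([string]$File, [int]$MaxDays)

    # Get-AuthenticodeSignature validates the chain; a revoked certificate
    # no longer reports Status 'Valid' and is therefore skipped here.
    $sig = Get-AuthenticodeSignature -FilePath $File
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return $null   # unsigned or invalid: left to normal policy
    }

    $cert = $sig.SignerCertificate
    $validityDays = ($cert.NotAfter - $cert.NotBefore).TotalDays

    [pscustomobject]@{
        File         = $File
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        ValidityDays = [math]::Round($validityDays, 2)
        ShortLived   = ($validityDays -le $MaxDays)
        # A timestamp keeps the signature verifiable after the cert expires,
        # which is exactly why such files stay trusted unless revoked.
        Timestamped  = ($null -ne $sig.TimeStamperCertificate)
    }
}

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi |
    ForEach-Object { Get-ShortLivedSignatureInfo -File $_.FullName -MaxDays $MaxValidityDays } |
    Where-Object { $_ -and $_.ShortLived } |
    Sort-Object ValidityDays |
    Format-Table -AutoSize
```

Run it as `.\Find-ShortLivedSigners.ps1 -Path C:\Users\Public\Downloads` on a Windows host; the Issuer and Thumbprint columns give the values to compare against revocation notices or vendor reports.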
Why Trusted Signing Appeals to Cybercriminals
Trusted Signing offers developers a convenient way to sign their products, with a subscription costing $9.99 per month. Certificates are not handed to users directly; they are created and used inside Microsoft’s infrastructure, which in theory reduces the risk of key compromise. However, the same setup also allows malicious files to be signed quickly, especially when the account is registered to an individual, which is easier to obtain than a company account.
Typically, criminals try to obtain more reliable EV (Extended Validation) certificates, which provide a higher level of trust and help bypass security. But getting these is difficult: it requires either stealing from a company or spending significant time and money to register a fake business. The new method using Trusted Signing is simpler and cheaper.
Microsoft’s Response and Ongoing Risks
Microsoft claims it monitors activity on its service and promptly revokes certificates if abuse is detected. The company says that malicious files have already been discovered and the attackers’ accounts have been blocked.
Experts note that attackers now need only a standard Trusted Signing certificate from Microsoft, since Windows already trusts it. The verification required to obtain one is far lighter than for an EV certificate. Registering as an individual is especially simple: there is no need for the three-year company history required for corporate signatures.
As a result, attackers have found a convenient and accessible way to distribute malware with minimal obstacles. While Microsoft currently responds to each violation manually, there remains a risk that abuse of the service will continue.