Understanding the Status and Strategies of the Code Signing Abuse Ecosystem

Hanqing Zhao

Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Malware & RE

**Code signing** is the primary mechanism for verifying software authenticity and integrity, but attackers have systematically exploited weaknesses in the code signing PKI to sign malware with valid certificates issued by trusted CAs. This talk presents the largest study of code signing abuse, analyzing over **3.2 million signed malicious samples** and identifying **43,000+ abused certificates** across **46 publicly trusted CAs** in over **100 countries**. The researchers classify abuse into five types, discover **ghost certificates** -- abused certificates that **cannot be revoked** because of design flaws in the PKI -- and find that **38% of unrevoked certificates** are ghost certificates. Advanced abuse (stolen certificates, fake identities) is growing sharply, and stolen certificates take an average of **66 days** to be detected and revoked. Nearly **23% of recorded revocation dates** are inaccurate. The research shows that attackers exploit differences in identity verification across countries to obtain certificates in less strict jurisdictions, and that they use **certificate polymorphism** (multiple certificates obtained under similar identities) to maintain persistent signing capability.

AI review

The largest study of code signing abuse: 43K abused certificates, ghost certificates that can never be revoked, and systematic attacker strategies for maintaining signed malware capability. Essential intelligence for anyone doing Windows malware operations or defense.
