How Threat Actors Weaponize EV Certificates by Lucie Cardiet

ID: 4bad3aa8-7d7f-5031-8b14-1e0a8b47e5d3

STIX ID: report--4bad3aa8-7d7f-5031-8b14-1e0a8b47e5d3

Feed Name: Vectra AI Blog

Threat Score: 80/100

Date Published: 2025-04-01

Date Updated: 2026-05-01

...
...

Leaked Black Basta chat logs reveal that the group obtains and abuses Extended Validation (EV) code-signing certificates, either by purchasing them on underground markets or by remotely accessing stolen hardware tokens (a YubiKey exposed through VirtualHere), and uses them to sign MSIs, VBS loaders, and malware (including ransomware, PikaBot, and Cobalt Strike) so that the payloads bypass signature-based defenses. The report includes the exact signtool and .pfx signing procedures, evidence of automation and certificate repositories, and recommends behavior-based detection and EDR integration as mitigations.