A valid Sectigo cert, a fake RVTools installer, and your entire VMware cluster is theirs. Code signing is not security.
You trust signed software. Your antivirus trusts signed software. Windows Defender, CrowdStrike, SentinelOne β they all have a simple rule: if the binary has a valid certificate from a trusted CA, it gets a head start. Less scrutiny. Fewer alerts.
Attackers know this. That’s why they buy valid certificates.
A valid Sectigo, DigiCert, or Let’s Encrypt certificate means the software was signed. It does NOT mean the software is safe. Code signing proves authorship, not intent. Attackers buy certs just like legitimate developers.
The Attack β Fake RVTools, Real VMware Access
RVTools is a legitimate VMware management tool used by thousands of sysadmins. It’s signed. It’s trusted. It runs with high privileges.
An attacker buys a valid code signing certificate from Sectigo (cost: a few hundred dollars). They take the real RVTools installer, inject a backdoor, and reβsign it with their own valid certificate. The binary looks identical. The signature is valid. The behaviour is not.
Standard EV or OV code signing cert. No questions asked beyond business registration. Cost: β¬300ββ¬800/year.
Inject shellcode that reaches out to a C2 server, downloads a VMware credential stealer, and exfiltrates vCenter credentials.
“Need to troubleshoot your VMware cluster? Download the latest RVTools here.”
The signed binary bypasses EDR alerts. The attacker now has full admin access to your VMware environment.
Your entire virtual infrastructure is now under someone else’s control.
Sectigo certificate: β¬500.
Fake RVTools installer: 2 hours of work.
Access to your VMware cluster: priceless β for the attacker.
Code signing gave the malware a free pass through your security stack. Not because your EDR is bad. Because it’s doing what you told it to do: trust signed software.
Why This Works β The “Trusted” Loophole
- EDRs prioritize signed binaries. They still scan them, but with lower suspicion. Reputation scoring gives signed files a head start.
- Users trust the icon. “This program is digitally signed” looks safe to a sysadmin in a hurry.
- Valid certs are easy to buy. No criminal record required. A small business registration is enough.
- Revocation is slow. Even if the malware is discovered, the cert takes days or weeks to be revoked. By then, thousands have downloaded it.
In 2025, multiple ransomware groups were observed using valid Sectigo and DigiCert certificates to sign their malware. The certs were purchased legally. The signatures were cryptographically valid. Your EDR didn’t flag them because it was doing exactly what it was designed to do: trust trusted publishers.
Real-World Examples
- SolarWinds (2020): A valid certificate signed the malicious Orion update. It bypassed security for months.
- Stuxnet (2010): Used stolen certificates from Realtek and JMicron to bypass driver signing checks.
- ZLoader (2021): Used a valid Sectigo certificate to sign its loader, evading numerous EDRs.
- Ryuk ransomware variants: Multiple campaigns used signed binaries to slip past initial detection.
This is not new. It’s just getting easier.
β Trusting signed binaries. (It won’t help.)
β Application allowlisting. Only approved software runs, regardless of signature.
β Runtime monitoring. The malware still has to behave maliciously. Detect that behaviour.
β Software hash verification. Compare the hash against the vendor’s official hash. Not just the signature.
β Principle of least privilege. The sysadmin shouldn’t be a domain admin. Limit the blast radius.
β Regular pentesting. Simulate this exact attack. Find out if your team would fall for it.
What You Can Do This Week
- β Stop trusting signatures. A valid cert is not a clean bill of health. Treat signed software with the same suspicion as unsigned.
- β Implement application allowlisting. Only specific approved binaries can run. Everything else β signed or not β gets blocked.
- β Verify software hashes. Before running a tool, check its SHAβ256 against the vendor’s official website. Not a thirdβparty forum.
- β Train your team. “Digitally signed” does not mean “safe to run.”
- β Run a social engineering test. See if your sysadmins would download and run a fake signed installer. You might be surprised.
- β Harden your VMware environment. Separate management plane. Limit admin access. Monitor vCenter logs for unusual logins.
Your EDR trusts signed software. Attackers know this. They buy certificates. They sign their malware. They walk right past your defences.
Code signing is not security. It’s a proof of authorship, not a proof of safety.
Treat every binary like it’s malicious. Because someday, one will be.
The Bottom Line
A valid Sectigo certificate. A fake RVTools installer. A sysadmin in a hurry. That’s all it takes to own your VMware cluster.
Code signing doesn’t stop malware. It just gives it a clean suit and a fake ID.
Don’t trust the signature. Verify the software. Or someone else will verify it for you β by running it.
Think your EDR would catch a signed backdoor?
Full infrastructure pentest: β¬3,000. Social engineering test: included in retainer. Security retainer: β¬1,500/month.
π© DM @StackOfTruths on XFree 15-min consultation. No hard sell. Just honest answers about your blind spots.
Leave a Reply