Iranian Hackers Exploit SSL.com Certificates to Sign Malware

SSL.com Certificates Used to Sign Malicious Code

Digital certificates are designed to create trust. But what happens when hackers take advantage of gaps in trust? Reports show that Iranian state-sponsored hackers have been using valid SSL.com certificates to sign malware. This means they could make their malware undetectable and, therefore, more dangerous.

The Incident: Signed Malware in the Wild

Check Point Software and Prodaft revealed that an Iranian group tracked as UNC1549, aka Subtle Snail, Smoke Sandstorm, and Nimbus Manticore, had put malware in the wild signed with SSL.com code-signing certificates.

These code-signing certificates gave the malware an air of legitimacy and reduced detection rates across many antivirus engines, which simply trust “signed” code. Security tools treated the binaries as safe because they carried a valid signature, even though the signed code itself was malicious.

How Did the Hackers Exploit SSL.com?

Multiple investigations reported that the certificates had been issued to a list of suspicious businesses, such as:

  • Insight Digital B.V. – Netherlands
  • RGC Digital AB – Sweden
  • Sevenfeet Software AB – Sweden

The companies’ domains all used the same header, “Under Construction” stock images, and listed no contact details. These are strong warning signs that a certificate authority (CA) should have detected before issuing the certificates.

Check Point stated that it believed the companies were either front companies set up by the actors or fraudulent identities modelled on real businesses.

Regardless, the fact that the certificates were issued suggests there are questions surrounding SSL.com’s vetting process.

Why Is Signed Malware So Dangerous?

Signed binaries generate a considerable risk:

  • Lower Detection Rates: Malware appears to be normal software.
  • Bypasses Trust Checks: Many organizations specifically whitelist signed executables.
  • Persistence: Actors can stay operational longer before detection.

In this case, UNC1549 used the certificates to deploy back doors and infostealer malware against European organizations, but the risk is global.

SSL.com’s Response Comes into Focus

When Dark Reading reached out to SSL.com, they first talked with an AI chatbot that simply summarized the inquiry, providing no genuine response. Then Dark Reading created a support ticket, which generated another AI-driven reply that was also vague.

At the time of publishing, SSL.com had not provided any direct response from its security or communications teams. This lack of transparency, plus the fact that some of the certificates are still valid, raises significant and warranted questions about whether SSL.com, as a CA, is able to respond to abuse at all.

History Repeats: A Lesson from Symantec

This is not the first time a CA has come into question over abuse: back in 2017, Google revoked trust in all Symantec certificates after discovering that Symantec had mistakenly issued 30,000+ certificates. As a result, Symantec was forced to sell its PKI business to DigiCert.

If SSL.com does not take considerable steps to improve identity validation and incident response processes, it risks losing the trust of the industry as Symantec did.

Defending Against Signed Malware

While companies cannot influence CA practices, they can enact a risk mitigation plan:

  • Import Indicators of Compromise (IOCs): Take Check Point’s file hashes and domains and import them into SIEM/EDR solutions.
  • Analyze Certificate Metadata: Flag any binary whose signer does not match the software’s expected publisher.
  • Monitor Certificate Revocations: Check CRLs/OCSP and block binaries signed with revoked certificates.
  • Implement Zero Trust Execution Policies: Don’t rely on digital signatures alone; add behavioral monitoring.
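The three checks above (revoked certificate, suspicious signer, signer/publisher mismatch) can be expressed as a single triage rule over execution telemetry. The script below is an added example and is not code from the original article or from any vendor; the log format, the execution events, the revoked-thumbprint set and the expected-publisher map are constructed sample data, and only the three organisation names in `WATCHLIST_ORGS` come from the article’s list of suspicious certificate subjects.

```python
"""Triage signed-binary execution events against a signer policy.

Added example; it is not code from the original article. The log format,
the execution events, the revoked-thumbprint set and the expected-publisher
map are all constructed sample data. The three organisation names in
WATCHLIST_ORGS are the certificate subjects the article lists as suspicious.
"""
from dataclasses import dataclass

# Certificate subject organisations the article reports as suspicious.
WATCHLIST_ORGS = {
    "insight digital b.v.",
    "rgc digital ab",
    "sevenfeet software ab",
}

# Constructed: thumbprints an operator has collected from CRL/OCSP data.
REVOKED_THUMBPRINTS = {
    "aa11bb22cc33dd44ee55ff6677889900aabbccdd",
}

# Constructed: the signer organisation expected for a given product name.
EXPECTED_PUBLISHER = {
    "Acme Updater": "acme corp",
}


@dataclass
class ExecEvent:
    host: str
    path: str
    product: str
    signer_org: str        # empty when the binary carries no signature
    thumbprint: str        # empty when the binary carries no signature
    signature_valid: bool


def triage(event: ExecEvent) -> list:
    """Return the reasons to flag this execution; an empty list means no finding."""
    findings = []
    if not event.signer_org:
        # Unsigned code: there is no signer to vet, so that is the finding.
        return ["unsigned"]
    if not event.signature_valid:
        findings.append("invalid-signature")
    if event.thumbprint.lower() in REVOKED_THUMBPRINTS:
        findings.append("revoked-cert")
    if event.signer_org.lower() in WATCHLIST_ORGS:
        findings.append("watchlist-signer")
    expected = EXPECTED_PUBLISHER.get(event.product)
    if expected and event.signer_org.lower() != expected:
        findings.append(f"publisher-mismatch:expected={expected}")
    return findings


def parse_event(line: str) -> ExecEvent:
    """Parse one constructed log line: host|path|product|signer_org|thumbprint|sig_valid."""
    host, path, product, signer, thumb, valid = line.split("|")
    return ExecEvent(host, path, product, signer, thumb, valid == "1")


def triage_log(text: str) -> dict:
    """Map each executable path in the log to its list of findings."""
    results = {}
    for line in text.strip().splitlines():
        event = parse_event(line.strip())
        results[event.path] = triage(event)
    return results


# Constructed sample telemetry (not real hosts, thumbprints or binaries).
SAMPLE_LOG = r"""
ws01|C:\Users\alice\Downloads\AcmeUpdater.exe|Acme Updater|Acme Corp|0123456789abcdef0123456789abcdef01234567|1
ws02|C:\ProgramData\svc\helper.exe|Helper Tool|Insight Digital B.V.|99aa88bb77cc66dd55ee44ff33aa22bb11cc00dd|1
ws03|C:\Users\bob\AppData\Local\Temp\update.exe|Acme Updater|RGC Digital AB|AA11BB22CC33DD44EE55FF6677889900AABBCCDD|1
ws04|C:\tools\legacytool.exe|Unknown Tool|||0
"""


if __name__ == "__main__":
    for path, findings in triage_log(SAMPLE_LOG).items():
        status = "ALERT " + ", ".join(findings) if findings else "ok"
        print(f"{path}: {status}")
```

In a real deployment the signer organisation, thumbprint and validity flag would come from EDR or Sysmon-style telemetry rather than a constructed pipe-delimited log, and the revoked-thumbprint set would be refreshed from the issuing CA’s CRL; the point of the rule is that a valid signature alone never clears a binary, since the third sample line is validly signed and still trips three findings.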

What Does This Mean for PKI Security?

This case provides clear insight into a key weakness in the PKI ecosystem: certificate authorities are a prime target for abuse. Weak vetting combined with over-reliance on automation generates a large gap into which threat actors will insert themselves.

Signed malware is not just a detection challenge; it is a trust challenge. If organizations cannot trust the certificates they depend on, the entire digital trust model begins to break down.

Conclusion

To safeguard your enterprise, you should leverage what are considered highly trusted certificate providers that can demonstrate an established record of security, compliance, trust, and validation.

Industry leaders such as DigiCert Code Signing Certificates and Sectigo Code Signing Certificates perform more thorough validation and revocation processes, more in line with industry standards, making them less susceptible to abuse.

Start protecting your software supply chain with DigiCert Software Trust Manager – certified to be trusted around the world.

Janki Mehta


Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
