Cybercriminals have begun abusing Microsoft's Trusted Signing service to code-sign malware, so that it appears safe and produced by a legitimate publisher. Because antivirus software and other security controls tend to give signed files more trust, this helps the malware slip past them.
Trusted Signing is a cloud-based code-signing service that Microsoft launched in 2024. It lets developers sign their programs quickly using short-lived certificates that are valid for just three days. Files signed this way receive a baseline level of trust from Windows and SmartScreen, reducing the chance of a security warning when they are run.
Attackers have been signing malicious programs through the service and distributing them as legitimate software. Security researchers have identified multiple cases of abuse, including the Crazy Evil Traffers and Lumma Stealer malware campaigns. The malicious files carried signatures from certificates issued by a Microsoft certification authority.
Although each certificate is valid for only three days, a signature that was timestamped while the certificate was valid remains valid after the certificate expires, so expiry alone does not invalidate files that were already signed. Only revocation, with an effective date set before the time of signing, causes Windows to reject them. That gives attackers a window in which to spread the malware and infect systems before any countermeasure takes effect.
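As an added example that is not part of the original article, the following PowerShell function scans a directory for signed PE files and reports, for each one, the signer certificate's validity window, whether the signature was timestamped (the reason it outlives the certificate's three-day life), whether the certificate has already expired, and whether the chain is revoked today. The four-day validity threshold and the issuer-name fragment "Microsoft ID Verified" are assumptions of this example, not facts stated on the page; tune both to your environment.

```powershell
# Added example (not from the original article): hunt for PE files signed with
# short-lived code-signing certificates, the pattern described for Trusted Signing.
# Assumptions: a validity window of at most 4 days is treated as "short-lived",
# and the string "Microsoft ID Verified" is assumed to appear in the issuer
# chain of Trusted Signing certificates. Adjust both for your environment.

function Get-ShortLivedSignedFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int]    $MaxValidityDays = 4,                   # assumed threshold
        [string] $IssuerPattern   = 'Microsoft ID Verified' # assumed CA name fragment
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if (-not $sig.SignerCertificate) { return }     # unsigned: skip

        $cert     = $sig.SignerCertificate
        $lifetime = ($cert.NotAfter - $cert.NotBefore).TotalDays

        # Rebuild the chain with an online revocation check so the report shows
        # the CA that issued the leaf and whether it has since been revoked.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $null = $chain.Build($cert)

        $issuerMatch = $chain.ChainElements |
            Where-Object { $_.Certificate.Subject -like "*$IssuerPattern*" }
        $revoked = $chain.ChainStatus |
            Where-Object { $_.Status.HasFlag(
                [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked) }

        if ($lifetime -le $MaxValidityDays -or $issuerMatch) {
            [pscustomobject]@{
                File         = $_.FullName
                # Windows' own verdict: stays "Valid" after NotAfter when timestamped,
                # unless the certificate was revoked with a date before signing time.
                Status       = $sig.Status
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                ValidityDays = [math]::Round($lifetime, 2)
                Timestamped  = [bool]$sig.TimeStamperCertificate
                Expired      = (Get-Date) -gt $cert.NotAfter
                ChainRevoked = [bool]$revoked
            }
        }
    }
}

# Usage: review any hit where Timestamped is True and Expired is True but
# Status is still Valid; those files keep running long after the certificate died.
Get-ShortLivedSignedFiles -Path 'C:\Users' | Format-Table -AutoSize
```

A file whose certificate lived three days, whose signature is timestamped, and whose status is still Valid weeks later is exactly the situation the paragraph describes; ChainRevoked turning True is the only thing that changes Windows' verdict.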
Trusted Signing gives developers a convenient way to sign their applications, with a subscription priced at $9.99 per month. Unlike traditional code-signing certificates, these are not handed to the user: the keys are created and held inside Microsoft's infrastructure, which in principle reduces the risk of key theft. That same architecture, however, lets criminals sign malicious files rapidly, especially when they register as an individual, which is significantly easier than registering as an organization.
Criminals have typically sought Extended Validation (EV) code-signing certificates, which carry a higher level of trust (including immediate SmartScreen reputation) and therefore let malware bypass security controls more effectively. Acquiring an EV certificate is hard, though: it means either stealing one from a company or investing considerable time and money in registering a fake business. By comparison, the Trusted Signing route is cheaper and far more accessible.
Microsoft says it actively monitors activity in the service and revokes certificates promptly when abuse is detected. The company has stated that the malicious files have been identified and that the attackers' accounts have been banned.
Security experts warn that attackers now need only a basic Microsoft-issued certificate to distribute malware successfully, because Windows inherently trusts certificates that chain to Microsoft's root. Getting approved for Trusted Signing is also much easier than obtaining an EV certificate: registering as an individual is particularly simple and, unlike organizational validation, does not require a company with three years of history.
This loophole gives cybercriminals an easy, affordable way to spread malware with minimal resistance. While Microsoft continues to revoke certificates and block malicious accounts as they are found, the risk of further abuse remains.
