Where is the Origin? QAKBOT Uses Valid Code Signing

QAKBOT is observed using valid code signing certificates to sign malicious modules, enabling trusted-looking infections. The article reviews infection timelines, potential origins of abused certificates, and recommended countermeasures. #QAKBOT #Follina

Keypoints

  • QAKBOT and EMOTET have been highly active, with Black Basta ransomware operators using QAKBOT for entry and references to the Follina vulnerability (CVE-2022-30190).
  • Recent observations show QAKBOT modules signed with multiple valid code signing certificates, implying access to private keys.
  • Abuse scenarios include certificates issued to real micro-companies, identity theft, and unusual certificate issuance details (e.g., same free email service across certs, IP updates before issuance).
  • Historically, code signing abuse has appeared in Stuxnet, Flame, and other cases; Doowon Kim’s CCS’17 study documented numerous stolen keys and certificates from trusted CAs.
  • In June–July 2022, Trend Micro observed at least seven certificates in use by QAKBOT within a short window, signaling ongoing abuse.
  • Defensive guidance emphasizes stronger private-key protection (hardware tokens, cloud signing), monitoring identity and domain authenticity, improving certificate revocation checks, and addressing the lack of CT log coverage for code signing certificates.
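The defensive guidance above is easier to act on with a concrete triage pass over signed binaries. The following PowerShell script is an added example written for this summary; it is not code from the Trend Micro article and does not claim to match its detection logic. It assumes a Windows host with PowerShell 5.1 or later, network access for online CRL/OCSP lookups, and a folder of samples at a placeholder path. For each signed PE it reports the Authenticode status, whether the signer certificate is revoked or could not be checked, whether the signer's contact address uses a free email service (a constructed list), and whether the certificate was issued shortly before the file was written, which are the traits the keypoints associate with abused certificates.

```powershell
# Added example: triage Authenticode signers in a folder and flag traits associated with abused certificates.
# Assumptions: Windows PowerShell 5.1+ (or PowerShell 7), online access for revocation checks.
$Path            = 'C:\Samples'          # placeholder folder, not a path from the article
$FreeMailDomains = @('gmail.com', 'outlook.com', 'hotmail.com', 'yahoo.com', 'protonmail.com')  # constructed list
$MaxCertAgeDays  = 30                    # constructed threshold: cert issued within N days of the file's write time

function Get-SignerEmailDomain {
    # Returns the domain of the signer certificate's e-mail field, or $null when the field is absent.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $email = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
    if ([string]::IsNullOrEmpty($email) -or $email -notmatch '@') { return $null }
    return ($email -split '@')[-1].ToLowerInvariant()
}

function Test-SignerRevocation {
    # Builds the chain with online revocation checking and separates "revoked" from "could not check":
    # an unreachable CRL/OCSP responder is a finding in its own right, not a clean result.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    [pscustomobject]@{
        Revoked   = ($statuses -contains $flags::Revoked)
        Unchecked = ($statuses -contains $flags::RevocationStatusUnknown) -or ($statuses -contains $flags::OfflineRevocation)
    }
}

Get-ChildItem -Path $Path -Include *.exe, *.dll -Recurse -File | ForEach-Object {
    $file = $_
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($null -eq $sig.SignerCertificate) {
        [pscustomobject]@{ File = $file.Name; Status = $sig.Status; Signer = '(unsigned)'; Thumbprint = ''; Flags = '' }
        return
    }
    $cert  = $sig.SignerCertificate
    $flags = @()

    # 1. Anything other than a valid signature is worth a look (expired, untrusted root, tampered file).
    if ($sig.Status -ne 'Valid') { $flags += "status:$($sig.Status)" }

    # 2. Revocation: a stolen or fraudulently issued certificate is often revoked after the fact,
    #    but the check only helps if the revocation data is actually reachable.
    $rev = Test-SignerRevocation -Cert $cert
    if ($rev.Revoked)   { $flags += 'revoked' }
    if ($rev.Unchecked) { $flags += 'revocation-unchecked' }

    # 3. Free-mail contact address on a code signing certificate (one of the issuance oddities noted above).
    $domain = Get-SignerEmailDomain -Cert $cert
    if ($domain -and $FreeMailDomains -contains $domain) { $flags += "free-mail-contact:$domain" }

    # 4. Certificate issued very shortly before the file was produced. LastWriteTime is only an
    #    approximation of signing time; a timestamp countersignature would be more reliable.
    $ageAtSigning = ($file.LastWriteTimeUtc - $cert.NotBefore.ToUniversalTime()).TotalDays
    if ($ageAtSigning -ge 0 -and $ageAtSigning -le $MaxCertAgeDays) {
        $flags += ('fresh-cert:{0:N0}d' -f $ageAtSigning)
    }

    [pscustomobject]@{
        File       = $file.Name
        Status     = $sig.Status
        Signer     = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Flags      = ($flags -join ';')
    }
} | Format-Table -AutoSize
```

The thumbprint column is what you would pivot on: the same signer certificate appearing across several unrelated binaries is the pattern described in the keypoints, and a thumbprint confirmed as abused can be fed back into an EDR block list or a WDAC deny rule. None of the heuristics alone proves abuse; a small legitimate vendor may well sign with a freshly issued certificate and a free-mail contact, so the output is a prioritisation aid rather than a verdict.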

MITRE Techniques

  • [T1116] Code Signing – QAKBOT uses valid code signing certificates to sign modules, making them appear legitimate. Quote: “…modules related to QAKBOT shows multiple samples that have been signed with multiple valid code signing certificates…”
  • [T1003] Credential Dumping – Mimikatz is used to dump certificates and private keys during operations. Quote: “Mimikatz, which provides certificate and private key dumping capabilities.”
  • [T1003] Credential Dumping – PFXExportCertStore() API is used to dump private keys, enabling export of credentials. Quote: “QAKBOT calls PFXExportCertStore() for dumping private keys.”

Indicators of Compromise

  • [File Name] context – Trojan.Win32.QAKBOT.DRSO, TrojanSpy.Win32.QAKBOT.YXCGSZ, and 5 more file names (from the IOCs table)
  • [File Hash] context – adadda4d61188c53c25323a3561db52d14a5dbb2585a53e18b33882f1013b9ee, 78bc13074087f93fcc8f11ae013995f9a366b6943330c3d02f0b50c4ae96c8a7, and 5 more hashes

Read more: https://www.trendmicro.com/en_us/research/22/j/where-is-the-origin-qakbot-uses-valid-code-signing-.html