Malware, Phishing, Security Operations, Threat Intelligence

New phishing attacks exploit stolen digital certificates for malicious software


A sophisticated new phishing campaign is targeting office workers by impersonating legitimate software updates for popular applications like Zoom, Microsoft Teams, and Adobe Reader, according to Microsoft. These attacks leverage stolen digital certificates to bypass security measures, making malicious files appear trustworthy to computer systems. The campaign, which began in February 2026, tricks users into downloading harmful software disguised as essential updates, as reported by HackRead.

The attackers are using compromised Extended Validation (EV) certificates, specifically one issued to TrustConnect Software PTY LTD, to sign malicious executables. These files, often named after legitimate applications such as msteams.exe or adobereader.exe, are distributed through fake meeting invites or links to deceptive download websites. Once executed, these files install remote monitoring and management (RMM) tools, like ScreenConnect and MeshAgent, which provide attackers with persistent, privileged access to corporate networks. The attackers use encoded PowerShell commands to download additional tools, layering their foothold so that it is harder for IT security teams to detect and remove.

Security experts emphasize that a valid signature alone is no longer sufficient proof of legitimacy. Organizations must adopt a broader security model that incorporates behavioral analysis, context, and telemetry alongside signature verification to effectively defend against such advanced threats.
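
The point above, that a valid signature has to be weighed against context, can be shown as a small triage pass over process-creation telemetry. This is an added example, not code from Microsoft, HackRead or SC Media: the event fields, the expected-publisher allowlist and every sample event are constructed assumptions, and only the file names, the TrustConnect signer and the RMM tool names come from the article.

```python
import re

# Assumed allowlist (not from the article): file name -> publisher you expect
# on its signature, taken from your own software inventory.
EXPECTED_SIGNER = {
    "msteams.exe": "Microsoft Corporation",
    "adobereader.exe": "Adobe Inc.",
}
RMM_NAMES = ("screenconnect", "meshagent")  # RMM tools named in the article
# Common spellings of PowerShell's -EncodedCommand switch (-e, -ec, -enc...).
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc\w*)\s", re.I)

# Constructed process-creation events, ordered by start time. Every signer
# shown is assumed to have passed cryptographic signature verification.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "msteams.exe",
     "signer": "Microsoft Corporation", "cmdline": "msteams.exe"},
    {"pid": 200, "ppid": 1, "image": "msteams.exe",
     "signer": "TrustConnect Software PTY LTD", "cmdline": "msteams.exe"},
    {"pid": 201, "ppid": 200, "image": "powershell.exe",
     "signer": "Microsoft Corporation",
     "cmdline": "powershell.exe -NoP -enc <base64-elided>"},
    {"pid": 202, "ppid": 201, "image": "MeshAgent.exe",
     "signer": "Constructed Signer A", "cmdline": "MeshAgent.exe"},
    {"pid": 300, "ppid": 1, "image": "ScreenConnect.ClientService.exe",
     "signer": "Constructed Signer B", "cmdline": "ScreenConnect.ClientService.exe"},
]

def triage(events):
    """Return {pid: [reasons]} where context contradicts a valid signature."""
    tainted, findings = set(), {}
    for ev in events:
        name, reasons = ev["image"].lower(), []
        expected = EXPECTED_SIGNER.get(name)
        if expected and ev["signer"] != expected:
            reasons.append(f"{name} signed by {ev['signer']!r}, expected {expected!r}")
        if ev["ppid"] in tainted:  # descendant of an already-flagged process
            if ENCODED_PS.search(ev["cmdline"]):
                reasons.append("encoded PowerShell under flagged process")
            if any(rmm in name for rmm in RMM_NAMES):
                reasons.append("RMM agent started in flagged process tree")
            tainted.add(ev["pid"])  # taint propagates down the tree
        if reasons:
            tainted.add(ev["pid"])
            findings[ev["pid"]] = reasons
    return findings

if __name__ == "__main__":
    for pid, why in triage(EVENTS).items():
        print(pid, "; ".join(why))
```

The RMM client at pid 300 is not flagged because nothing in its ancestry is suspicious, while the same class of tool at pid 202 is flagged because of where it sits in the process tree.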

Source: HackRead
