Signed software abused to deploy antivirus-killing scripts

It has been reported that attackers are piggybacking on legitimately signed software to push scripts that disable antivirus protections. Trusted certificates and familiar installer names — the things admins rely on to separate the wheat from the chaff — allegedly became a blunt instrument for bypassing endpoint defenses. It’s a gut‑punch moment for defenders: when the shepherd is in on the heist, how do you keep the wolves out?
How the abuse reportedly works
According to reports, adversaries either bundle malicious scripts inside signed installers or leverage legitimately signed admin tools to execute payloads on endpoints. Those scripts focus on the obvious prize: stopping security services, killing AV processes, clearing logs or removing definitions so follow‑on malware can run with less scrutiny. Because the binaries carry valid signatures, application allowlists and some EDR rules can be blinded into treating the activity as benign — classic Trojan horse stuff, dressed in a suit.
Why it matters — and what defenders should do
This pattern amplifies two big headaches: trusted‑software abuse and supply‑chain risk. If signatures can be weaponized, the perimeter becomes porous from the inside out. Defenders should assume signatures are not an absolute guarantee. Hardening steps include enforcing script execution policies, tightening code‑integrity checks beyond simple certificate validation, monitoring for anomalous child processes or unusual script launches, and coordinating with vendors to revoke compromised certificates when needed. Simple? Not always. Necessary? Absolutely.
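The monitoring step above (anomalous child processes or script launches spawned by a signed parent) as a small detection routine run over constructed process-creation events. This is an added example, not code from the article or its sources; the pipe-separated log format, the service name ExampleAVService and the file paths are assumptions. The `trust_signature` flag models the weak rule the article warns about, where a valid signature on the parent suppresses the alert.

```python
import re
from typing import Optional

# Constructed sample process-creation events (not from the article).
# Fields: parent image | parent signature status | child image | child command line
SAMPLE_EVENTS = """\
C:\\Installers\\VendorSetup.exe|Valid|C:\\Windows\\System32\\cmd.exe|cmd.exe /c sc stop ExampleAVService
C:\\Installers\\VendorSetup.exe|Valid|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i package.msi /qn
C:\\Tools\\SignedAdminTool.exe|Valid|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -c "Stop-Service -Name ExampleAVService -Force"
C:\\Tools\\SignedAdminTool.exe|Valid|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl Security
C:\\Windows\\explorer.exe|Valid|C:\\Program Files\\Editor\\editor.exe|editor.exe notes.txt
C:\\Users\\alice\\Downloads\\unsigned.exe|Unsigned|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net stop ExampleAVService
"""

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments associated with stopping services, killing processes or clearing logs.
TAMPER_PATTERNS = [
    re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\b", re.I),
    re.compile(r"\bStop-Service\b", re.I),
    re.compile(r"\btaskkill(?:\.exe)?\b", re.I),
    re.compile(r"\bStop-Process\b", re.I),
    re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I),
    re.compile(r"\bClear-EventLog\b", re.I),
]

def evaluate(line: str, trust_signature: bool = False) -> Optional[dict]:
    """Return an alert dict for one event, or None if nothing suspicious was seen.
    trust_signature=True reproduces the weak rule: a valid parent signature hides the alert."""
    parent, sig, child, cmdline = line.split("|", 3)
    child_name = child.rsplit("\\", 1)[-1].lower()
    hits = [p.pattern for p in TAMPER_PATTERNS if p.search(cmdline)]
    if not hits:
        return None
    if trust_signature and sig == "Valid":
        return None  # blinded by the signature, the failure mode the article describes
    return {"parent": parent, "parent_signature": sig, "child": child_name,
            "script_host": child_name in SCRIPT_HOSTS, "matched": hits}

def scan(events: str, trust_signature: bool = False) -> list:
    """Evaluate every non-empty event line and return the alerts in log order."""
    return [a for a in (evaluate(l, trust_signature) for l in events.splitlines() if l.strip()) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the signature-agnostic rule raises four alerts while the signature-trusting rule raises only the one from the unsigned parent, which is exactly the gap the signed-installer abuse exploits.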
The takeaway is familiar but still chilling: trust, but verify — and then verify again. When your security tools can be turned off by what appears to be legitimate software, it’s time to rethink the checklist. Who signs the signer? That question just became more urgent.
Sources: bleepingcomputer