Severity: High | Category: Phishing

CryptoVista Trojanized Installer: Stolen Docaposte EV Certificate Achieves 0/36 AV Detection While Impersonating Legitimate Crypto Brand

Published: March 12, 2026
Threat Actors: Assessment for Certificate
Tags: phishing, social-engineering, c2

TL;DR: A trojanized cryptocurrency application installer is abusing a freshly issued SSL.com Extended Validation code signing certificate stolen from TRUST & SIGN POLAND, a subsidiary of French postal giant Docaposte (La Poste Group). The certificate was issued on March 4, 2026 -- one day before the malware appeared in the wild -- and achieves 0/36 AV detection on ReversingLabs. The Inno Setup 6.7.0 installer uses ChaCha20 encryption with PBKDF2 key derivation to hide its payload, performs process injection via WriteProcessMemory, and implements geofencing via system language discovery. The malware impersonates CryptoVista, a legitimate cryptocurrency news site established in 2014, complete with a professionally written privacy policy designed to disarm suspicious users. As of this writing, the abused certificate is not listed on the MalwareBazaar Code Signing Certificate Blocklist.


A Certificate Issued Monday, Weaponized by Tuesday

The timeline tells the story. On March 4, 2026, SSL.com issued an Extended Validation code signing certificate to TRUST & SIGN POLAND SP Z O O -- a real Polish company, KRS-registered, owned by Docaposte, itself a subsidiary of France's La Poste Group. By March 5, a malware sample signed with that certificate appeared on ReversingLabs. By March 9, it hit MalwareBazaar. At no point did any of the 36 antivirus engines on ReversingLabs flag it.

This is EV certificate abuse at its most effective: a signed, legitimate-appearing binary from a real company in the digital trust business, burning through every security control that relies on code signing as a trust signal.

The certificate thumbprint 79207f8316533991fb54281cf8cacf777038dc189c97e83cf49fa4551206776c is not on the CSCB (the MalwareBazaar Code Signing Certificate Blocklist) as of March 10, 2026. The abused certificate is still technically valid.

The Attack Chain

[Social Engineering]     [Delivery]          [Installation]        [Execution]           [Actions]
Brand impersonation  ->  Signed EXE      ->  Inno Setup      ->  WriteProcessMemory -> [Encrypted Payload]
CryptoVista brand        EV cert bypass       ChaCha20 decrypt     Process injection     Stealer/RAT (TBD)
Privacy policy           0/36 AV detect       Drop .tmp (4.2MB)    Language check        Sandbox evasion
                                              Geofence check

The operator constructed a credible social engineering package: a signed installer impersonating a real cryptocurrency brand, bundled with a professional privacy policy that explicitly states "We do not ask for private keys, seed phrases or PINs." The irony is deliberate -- the privacy policy is itself the social engineering, designed to make crypto-savvy users feel safe by addressing exactly the concerns they would have.

Code Signing Certificate Analysis

The Full Chain

Level         Subject                                         Valid From   Valid To     Serial
Root CA       SSL.com EV Root CA RSA R2                       2017-05-31   2042-05-30   56b629cd34bc78f6
Intermediate  SSL.com EV Code Signing Intermediate CA RSA R3  2019-03-26   2034-03-22   424b6a53cec766141c2a63b1a51c4104
End-entity    TRUST & SIGN POLAND SP Z O O                    2026-03-04   2026-08-22   084df03cc7d8caf34c5c2cfeec448b27

Key details on the signing certificate:

  • Thumbprint (SHA256): 79207f8316533991fb54281cf8cacf777038dc189c97e83cf49fa4551206776c
  • Key Size: RSA 3072-bit
  • Extended Key Usage: Code Signing
  • Certificate Policies: OID 2.23.140.1.3 (EV Code Signing)
  • CSCB Status: NOT LISTED

Who Is TRUST & SIGN POLAND?

This is not a shell company. TRUST & SIGN POLAND SP Z O O is a legitimate business entity registered in the Polish KRS (National Court Register):

KRS Number:      0000936459
NIP (Tax ID):    7252314776
REGON:           52065462100000
Registered:      December 9, 2021
Address:         ul. Ogrodowa 8, lokal VI P., 91-062 Lodz, Poland
Owner:           DOCAPOSTE TRUST & SIGN (French SAS, 100% Docaposte subsidiary)
Previous Owner:  IDEMIA POLAND R&D SP Z O O
Business:        Digital trust services, software publishing, IT consulting

One detail stands out in the registry data: wzmiankaOBrakuPokryciaKapitalu: True -- a notation that the company's capital is not fully covered. While not definitive, financial stress at a digital trust company is a relevant signal when assessing how a private key might have been compromised.

How Did the Operator Get This Certificate?

Three hypotheses, ordered by probability:

  1. Stolen private key (HIGH confidence): The key was exfiltrated from TRUST & SIGN POLAND's infrastructure. A company in the digital trust and code signing business is a high-value target -- compromising one entity yields signing capabilities that can be reused across campaigns.
  2. Fraudulent EV issuance (MEDIUM confidence): Someone impersonated the company through SSL.com's EV validation process. The one-day turnaround from certificate issuance to malware appearance suggests a pre-planned operation with the signing infrastructure ready before the certificate existed.
  3. Insider abuse (LOW confidence): Less likely given the company is wholly owned by a major French corporation with enterprise governance structures.

Malware Technical Analysis

Sample Details

SHA256:           87c266e14685da69531d6e6fd8128c8727a4e28cdc372a6b84718d85c804c705
SHA1:             5d753f117d68283b967f7cc1068293265cb2509a
MD5:              164d7f11406aeaeea2b814a700176a98
Imphash:          88016fcdef7f227c62171d0afad9aae4
Size:             2,094,616 bytes (2.1 MB)
Type:             PE32 executable (GUI) Intel 80386
Compiler:         Delphi (Embarcadero RAD Studio)
Framework:        Inno Setup 6.7.0
Compilation:      2026-01-02T11:55:47Z
First Seen (RL):  2026-03-05T19:00:36Z
First Seen (MB):  2026-03-09T21:32:53Z

Layered Encryption Architecture

The installer uses a serious encryption stack designed to prevent static payload extraction:

  1. PBKDF2 -- Key derivation from an embedded installer password
  2. SHA256 -- Hash function within key derivation
  3. ChaCha20 -- Symmetric encryption of the installer's data payload
  4. XOR -- Additional obfuscation layer (RandomXorStartOffset, RandomXorFirstSlice)
  5. LZMA1 Small -- Compression of the encrypted data

The encryption parameters are stored in the Inno Setup header:

  • TSetupEncryptionKey (32 bytes)
  • TSetupEncryptionNonce (24 bytes)
  • EncryptionBaseNonce
  • CryptKey

This is not the default Inno Setup encryption. The operator specifically configured ChaCha20 with PBKDF2 key derivation -- a deliberate choice to make automated unpacking tools fail.

Inno Setup Structure

Component                  Offset     Size       Content
Setup Loader (PE)          0x0        ~0xd0400   Delphi Inno Setup loader engine
Setup Messages (zlb)       0xd0400    ~0x4177    PNG icon + RTF Privacy Policy
Setup Header (encrypted)   0xd4577    ~0x2BA61   ChaCha20-encrypted header + file data
Authenticode Signature     0x1fcfd8   9,792      PKCS#7 code signing signature

PE Section Table

Section  Virtual Size  Raw Size  Entropy  Notes
.text    0xaf7fc       0xaf800   6.39     Main code
.itext   0x18cc        0x1a00    6.04     Delphi initialization
.data    0x3f3c        0x4000    5.18     Initialized data
.bss     0x734c        0x0       0.00     Uninitialized data
.idata   0x1068        0x1200    4.82     Import table
.reloc   0x11fec       0x12000   6.70     Relocations
.rsrc    0x74c8        0x7600    6.68     Resources

Note the entropy values: .text at 6.39 and .rsrc at 6.68 are elevated but not high enough to trigger packer detection heuristics. The encrypted payload lives in the Inno Setup data stream, not in the PE sections themselves -- another deliberate evasion choice.
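The per-section entropy figures above are the kind of triage a defender can reproduce without a sandbox. The following added example (not code from the report or from Breakglass Intelligence) walks a PE section table with the standard library only, computes Shannon entropy over each section's raw bytes, and flags sections at or above the common 7.0 packer threshold that the report's 6.39 and 6.68 values stay under. The PE image it scans is constructed in memory for the example; the section contents, the seed and the threshold constant are assumptions, not data from the analysed sample.

```python
"""Per-section Shannon entropy for a PE file (added example, not the report's code)."""
import math
import random
import struct
from typing import Dict, List, Tuple

# Common packer heuristic; the report's .text (6.39) and .rsrc (6.68) sit below it.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Tuple[str, int, int, int]]:
    """Walk the COFF section table; returns (name, virtual_size, raw_size, raw_offset)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rsize, roff = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, rsize, roff))
    return sections


def section_entropy(pe: bytes) -> Dict[str, float]:
    """Entropy of each section's raw (on-disk) bytes, in section-table order."""
    return {name: shannon_entropy(pe[roff:roff + rsize])
            for name, _vsize, rsize, roff in parse_sections(pe)}


def suspicious_sections(pe: bytes, threshold: float = PACKED_THRESHOLD) -> List[str]:
    """Names of sections whose entropy reaches the packer threshold."""
    return [name for name, ent in section_entropy(pe).items() if ent >= threshold]


def build_sample_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Construct a minimal PE32 image (DOS header, COFF header, zeroed optional
    header, section table, raw section data). Constructed for this example only."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    data_start = -(-(e_lfanew + 24 + opt_size + 40 * len(sections)) // align) * align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, raw, off, va = b"", b"", data_start, 0x1000
    for name, body in sections:
        rsize = -(-len(body) // align) * align  # round raw size up to file alignment
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(body), va, rsize, off, 0, 0, 0, 0, 0x60000020)
        raw += body.ljust(rsize, b"\0")
        off += rsize
        va += 0x1000
    return (dos + coff + opt + table).ljust(data_start, b"\0") + raw


# Constructed section contents (assumptions, not bytes from the analysed sample).
_rng = random.Random(20260310)
SAMPLE_SECTIONS = [
    (".text", bytes(_rng.getrandbits(8) for _ in range(4096))),  # looks encrypted/packed
    (".data", b"CryptoVista Inc. privacy policy " * 64),          # plain text, low entropy
    (".bss", b""),                                                 # no raw data on disk
]

if __name__ == "__main__":
    image = build_sample_pe(SAMPLE_SECTIONS)
    for name, ent in section_entropy(image).items():
        print(f"{name:8s} {ent:5.2f}")
    print("packed candidates:", suspicious_sections(image))
```

Run against the real sample, the same parser would report the 6.39/6.68 figures from the table and return no packed candidates, which is the report's point: the encrypted material lives in the Inno Setup data stream appended after the PE sections, so a section-entropy heuristic alone stays quiet.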

Behavioral Analysis

Sandbox analysis across Windows 10 and Windows 11 environments (Triage) revealed the malware's execution pattern and its evasion behavior.

Process Tree

CryptoVista_Installer_fSRqK__2_.exe (PID 1364/3796)
  -> is-XXXXXX.tmp\CryptoVista_Installer_fSRqK__2_.tmp (PID 4492/3372)
     [WriteProcessMemory injection from parent to child]

The parent process spawns a child via the Inno Setup temporary extraction, then uses WriteProcessMemory to inject code into the child process. This is consistent with process hollowing or direct code injection -- the child process serves as a clean vessel for the actual malicious payload.

Dropped Files

File:    CryptoVista_Installer_fSRqK__2_.tmp
SHA256:  f8892860c6c5446d477daadd343e680caeac7bd0e4f04ff5fc6bec1159353934
Size:    4.2 MB

The dropped .tmp file at 4.2 MB is significantly larger than the 2.1 MB installer, suggesting the encrypted payload expands considerably after decryption.

Network Activity

Destination                   Port  Protocol  Purpose
8.8.8.8                       53    UDP       DNS resolution
172.217.208.94 (c.pki.goog)   80    HTTP      Google CRL check
52.111.229.48                 --    TCP       Microsoft infrastructure

The network profile is notable for what it does not contain: no C2 communication, no data exfiltration, no payload download. The malware detected the sandbox and refused to execute its full payload. The only outbound traffic is benign system activity -- DNS resolution, CRL checks, and a Microsoft telemetry endpoint.

Geofencing via Language Discovery

Registry access: HKLM\SYSTEM\ControlSet001\Control\NLS\Language

The malware queries the system language configuration before proceeding. This is MITRE T1614.001 (System Location Discovery: System Language Discovery) -- a common technique used by Eastern European cybercrime operations to avoid executing in CIS countries, or to target specific language regions for maximum impact.

The Social Engineering Package

The installer includes a professionally crafted RTF privacy policy that would pass casual inspection. Key excerpts from the policy text:

  • References "CryptoVista Inc." as the publisher
  • Claims to collect only "technical data" and "crash logs"
  • Explicitly states: "We do not ask for private keys, seed phrases or PINs"
  • Provides contact email: info@cryptovista[.]com
  • Mentions "Changers listed in the app" (cryptocurrency exchange references)
  • Includes standard GDPR-style privacy language

This is high-effort social engineering. By proactively addressing cryptocurrency security concerns, the operator targets exactly the audience most likely to scrutinize an installer -- and disarms them with the privacy assurances they expect from a legitimate crypto application.

Brand Impersonation: The Real CryptoVista

The legitimate cryptovista[.]com is a real entity, and the impersonation is deliberate:

Domain:       cryptovista[.]com
IP:           64.23.237.22 (DigitalOcean)
Hosting:      Cloudways (WordPress)
Nameservers:  Cloudflare (elsa.ns, ned.ns)
Email:        Microsoft 365 (verified tenant MS=ms55869585)
Registrar:    GoDaddy
Created:      2014-04-29
Content:      Cryptocurrency news articles (2021-2022 era)
Status:       Active but unmaintained since late 2022

The real CryptoVista is a cryptocurrency news website -- it does not offer downloadable software, wallets, or tools. The malware's claim to be "CryptoVista" application software is entirely fabricated. The operator likely selected this brand because it has recognizable domain age and crypto-sector relevance but appears abandoned, making it unlikely to issue public takedown notices or warnings.

MITRE ATT&CK Mapping

Tactic                Technique                                   ID            Implementation
Resource Development  Code Signing Certificates                   T1588.003     Abused EV cert from TRUST & SIGN POLAND via SSL.com
Resource Development  Establish Accounts                          T1585         Impersonation of CryptoVista brand
Initial Access        Drive-by Compromise / Phishing              T1189/T1566   Trojanized installer distribution (vector TBD)
Execution             User Execution: Malicious File              T1204.002     Victim runs signed installer
Defense Evasion       Subvert Trust Controls: Code Signing        T1553.002     EV code signing bypasses SmartScreen and AV
Defense Evasion       Obfuscated Files or Information             T1027         ChaCha20 + PBKDF2 + XOR encryption layers
Defense Evasion       Process Injection                           T1055         WriteProcessMemory from parent to child process
Defense Evasion       Virtualization/Sandbox Evasion              T1497         Minimal activity in sandbox environments
Discovery             System Location Discovery: System Language  T1614.001     NLS\Language registry check for geofencing
Discovery             System Information Discovery                T1082         OS version and language enumeration

Indicators of Compromise

File Indicators

# Main installer
87c266e14685da69531d6e6fd8128c8727a4e28cdc372a6b84718d85c804c705  (SHA256)
5d753f117d68283b967f7cc1068293265cb2509a                          (SHA1)
164d7f11406aeaeea2b814a700176a98                                  (MD5)

# Dropped temporary file
f8892860c6c5446d477daadd343e680caeac7bd0e4f04ff5fc6bec1159353934  (SHA256)

# UnpacMe extracted payload
dd02afed5a797cb01fb64f5f484b6c9b52479de72043f0b0b1b422b39b954d56  (SHA256)

# Import hash (generic Inno Setup 6.7.0)
88016fcdef7f227c62171d0afad9aae4  (Imphash)

Certificate Indicators

# Abused EV certificate -- block on sight
Thumbprint: 79207f8316533991fb54281cf8cacf777038dc189c97e83cf49fa4551206776c
Serial:     084df03cc7d8caf34c5c2cfeec448b27
Subject:    TRUST & SIGN POLAND SP Z O O
Issuer:     SSL.com EV Code Signing Intermediate CA RSA R3

Behavioral Indicators

# Filename patterns
CryptoVista_Installer_*.exe
is-*.tmp\CryptoVista_Installer_*.tmp

# Registry access
HKLM\SYSTEM\ControlSet001\Control\NLS\Language

# Process behavior
Parent -> child WriteProcessMemory injection

Network (Impersonated -- NOT malicious infrastructure)

# These are LEGITIMATE and should NOT be blocked
cryptovista[.]com        (impersonated brand)
info@cryptovista[.]com   (referenced in fake privacy policy)

Detection Opportunities

YARA Rules

rule CryptoVista_Trojanized_Installer {
    meta:
        description = "Detects CryptoVista trojanized Inno Setup installer with ChaCha20 encryption"
        author = "Breakglass Intelligence"
        date = "2026-03-10"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        hash = "87c266e14685da69531d6e6fd8128c8727a4e28cdc372a6b84718d85c804c705"
        reference = "https://intel.breakglass.tech"
    strings:
        $inno = "Inno Setup" ascii
        $brand1 = "CryptoVista" ascii wide nocase
        $brand2 = "CryptoVista Inc" ascii wide nocase
        $privacy = "private keys, seed phrases" ascii wide nocase
        $delphi_export = "__dbk_fcall_wrapper" ascii
        $chacha = "ChaCha20" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        $inno and $delphi_export and
        (2 of ($brand*) or $privacy or $chacha)
}

rule EV_Cert_TrustSignPoland_Abuse {
    meta:
        description = "Detects binaries signed with abused TRUST & SIGN POLAND EV certificate"
        author = "Breakglass Intelligence"
        date = "2026-03-10"
        tlp = "TLP:CLEAR"
        severity = "CRITICAL"
    strings:
        $subject = "TRUST & SIGN POLAND" ascii wide
        $serial = { 08 4d f0 3c c7 d8 ca f3 4c 5c 2c fe ec 44 8b 27 }
        $issuer = "SSL.com EV Code Signing" ascii wide
    condition:
        // 'and' binds tighter than 'or' in YARA, so the MZ check must wrap both
        // alternatives; otherwise $serial alone would match any file type.
        uint16(0) == 0x5A4D and
        (($subject and $issuer) or $serial)
}

Sigma Rule -- Process Injection from Inno Setup Installer

title: CryptoVista Installer Process Injection
id: a3f8c9d1-7e2b-4c5a-b6d0-9e1f3a8c7d2e
status: experimental
description: Detects WriteProcessMemory injection pattern from Inno Setup installer processes
author: Breakglass Intelligence
date: 2026-03-10
logsource:
    category: process_access
    product: windows
detection:
    selection_source:
        # endswith does not take a wildcard; split the name match and the extension match
        SourceImage|contains: '\CryptoVista_Installer'
        SourceImage|endswith: '.exe'
    selection_access:
        # WriteProcessMemory needs PROCESS_VM_OPERATION (0x8) and PROCESS_VM_WRITE (0x20).
        # Sigma has no bitmask operator and a substring test for '0x20'/'0x8' misses
        # the minimal mask 0x28 and PROCESS_ALL_ACCESS, so list the masks explicitly
        # and extend the list with any other mask that carries both bits.
        GrantedAccess:
            - '0x28'
            - '0x1FFFFF'
            - '0x1F0FFF'
    condition: all of selection_*
level: high
tags:
    - attack.defense_evasion
    - attack.t1055
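Whether a process-access event counts as an injection attempt depends on the GrantedAccess bits, not on the hex string that carries them. The following added example (not code from the report) applies the Sigma rule's logic above to constructed Sysmon Event ID 10 records with a bitwise test for PROCESS_VM_OPERATION | PROCESS_VM_WRITE, and keeps a substring variant next to it to show which masks that approach misses. The log lines, paths and the "Key=Value|Key=Value" layout are constructed for the example; only the installer and is-*.tmp naming pattern comes from the report's process tree.

```python
"""Evaluate process-access records for injection rights (added example)."""
import fnmatch
from typing import Dict, List

# Win32 process access rights that WriteProcessMemory requires on the target.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE  # 0x28

# Source process naming pattern taken from the report's process tree.
SOURCE_PATTERN = "*\\CryptoVista_Installer*.exe"


def has_injection_rights(granted_access: str) -> bool:
    """Bitwise test: both VM_OPERATION and VM_WRITE must be set.
    Treats PROCESS_ALL_ACCESS (0x1FFFFF) and the minimal 0x28 the same way."""
    mask = int(granted_access, 16)
    return mask & INJECTION_MASK == INJECTION_MASK


def substring_rights(granted_access: str) -> bool:
    """Substring check ('0x20' or '0x8' in the string), kept only to show its gaps."""
    return "0x20" in granted_access or "0x8" in granted_access


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' Event ID 10 line."""
    return dict(part.split("=", 1) for part in line.split("|"))


def matches_rule(event: Dict[str, str]) -> bool:
    """Source image matches the installer pattern AND the mask carries write rights."""
    source_ok = fnmatch.fnmatchcase(event.get("SourceImage", ""), SOURCE_PATTERN)
    return source_ok and has_injection_rights(event.get("GrantedAccess", "0x0"))


def find_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that satisfy the rule."""
    return [event for event in map(parse_event, lines) if matches_rule(event)]


# Constructed log lines (not real telemetry).
SAMPLE_LOG = [
    # full access from the installer to its Inno Setup child: hit
    "EventID=10|SourceImage=C:\\Users\\victim\\Downloads\\CryptoVista_Installer_fSRqK__2_.exe"
    "|TargetImage=C:\\Users\\victim\\AppData\\Local\\Temp\\is-ABC12.tmp\\CryptoVista_Installer_fSRqK__2_.tmp"
    "|GrantedAccess=0x1FFFFF",
    # query-only access from the installer: no hit
    "EventID=10|SourceImage=C:\\Users\\victim\\Downloads\\CryptoVista_Installer_fSRqK__2_.exe"
    "|TargetImage=C:\\Windows\\System32\\conhost.exe|GrantedAccess=0x1000",
    # write rights, but the source is not the installer: no hit
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe"
    "|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x28",
    # minimal write mask from the installer to its child: hit
    "EventID=10|SourceImage=C:\\Users\\victim\\Downloads\\CryptoVista_Installer_fSRqK__2_.exe"
    "|TargetImage=C:\\Users\\victim\\AppData\\Local\\Temp\\is-ABC12.tmp\\CryptoVista_Installer_fSRqK__2_.tmp"
    "|GrantedAccess=0x28",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit["GrantedAccess"], hit["SourceImage"], "->", hit["TargetImage"])
```

The bitwise test catches both the minimal 0x28 mask and the all-access mask, while the substring variant flags neither and instead fires on an unrelated 0x2000 mask. That is why the Sigma rule enumerates complete mask values rather than fragments.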

Endpoint Detection Queries

# KQL -- Microsoft Defender for Endpoint: installer spawning its Inno Setup child
# DeviceProcessEvents only records ProcessCreated, so the injection itself is not
# queryable here; pivot on the parent -> is-*.tmp child relationship from the
# process tree instead.
DeviceProcessEvents
| where InitiatingProcessFileName matches regex @"(?i)CryptoVista_Installer.*\.exe"
| where FileName endswith ".tmp" and FolderPath contains @"\is-"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessId,
          FileName, FolderPath, SHA256, ProcessCommandLine

# KQL -- Language discovery by the Inno Setup child process
# The child runs from an is-XXXXXX.tmp folder; the .tmp is the file name,
# the is-* part is the folder, so match each on its own column.
DeviceRegistryEvents
| where RegistryKey contains @"\Control\NLS\Language"
| where InitiatingProcessFolderPath contains @"\is-" and InitiatingProcessFileName endswith ".tmp"
| project Timestamp, DeviceName, InitiatingProcessFolderPath, InitiatingProcessFileName,
          RegistryKey, RegistryValueName

Certificate-Based Blocking

For organizations that can enforce certificate-based policies:

# Windows WDAC (App Control) -- deny rule for the abused signing certificate
# Signer rules key on the certificate's TBS hash, which Add-SignerRule computes from
# an exported .cer; the SHA256 thumbprint above identifies the certificate but is not
# the value the policy stores. Export the leaf certificate from the signed sample
# (placeholder path .\sample.exe) and add it to the policy as a deny rule:
(Get-AuthenticodeSignature .\sample.exe).SignerCertificate | Export-Certificate -FilePath .\TrustSignPoland.cer
Add-SignerRule -FilePath .\BasePolicy.xml -CertificatePath .\TrustSignPoland.cer -User -Deny

# Carbon Black -- block by signer
process_name:*.exe AND digsig_subject:"TRUST & SIGN POLAND SP Z O O"

What We Still Do Not Know

The encrypted payload prevented full detonation in sandboxed environments. Several critical questions remain:

  1. What is the final payload? The behavioral indicators (process injection, geofencing, sandbox evasion) are consistent with an info-stealer or RAT, but the actual payload family is unconfirmed.
  2. What is the delivery vector? The installer exists, but we have not yet identified how victims encounter it -- likely candidates include fake download pages, SEO poisoning targeting crypto keywords, or targeted phishing.
  3. Are there additional samples? The certificate was issued March 4. Only one sample has appeared. An EV certificate this fresh is a high-value asset -- the operator almost certainly plans to sign additional payloads.
  4. Was the company infrastructure compromised? TRUST & SIGN POLAND is in the digital trust business. If their signing infrastructure was breached, the implications extend well beyond this single malware sample.

Non-sandboxed dynamic analysis is required to obtain the full payload behavior and confirm the malware family.


Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 0/36 AV detection. EV certificate not blocklisted. Abuse reports filed. Classification: TLP:CLEAR
