Parasitic MSI: How EV Code Signing MaaS Turns Trusted Installers Into Stealer Delivery Vehicles
A legitimately signed MSI installer delivers DeerStealer and XFiles, and the signing infrastructure behind it is sold as a service.

Tags: DeerStealer, XFiles, MSI, code-signing, MaaS, stealer, EV-certificate, supply-chain
There is a growing market in the underground for EV (Extended Validation) code signing as a service. For a few hundred dollars per signature, threat actors can have their malware signed with a legitimate EV code signing certificate: the signature passes Authenticode verification, gives the file SmartScreen reputation, and earns implicit trust from users and from security products that weight signed code as benign. This investigation documents a case where that service was used to deliver DeerStealer and XFiles through a signed MSI installer.
The sample appeared on MalwareBazaar on March 11, 2026. On the surface it looks like a legitimate Windows Installer package -- properly structured, properly signed, no obvious red flags to a casual observer. Under the hood, it unpacks a credential-stealing payload that targets browser passwords, cryptocurrency wallets, and session tokens.
Key Findings
- Legitimately signed MSI: The installer carries a valid EV code signing certificate, passing Windows SmartScreen and any application control policy that trusts by publisher or signature
- Dual payload: Delivers both DeerStealer (browser credential theft, crypto wallet targeting) and XFiles (information stealer with broad data collection capabilities)
- EV Signing MaaS: The signing infrastructure is not unique to this actor -- it is part of a Malware-as-a-Service ecosystem where code signing certificates are sold or rented to multiple operators
- Trust exploitation: The MSI format itself carries implicit trust. Users expect `.msi` files to be legitimate software installers, and many organizations whitelist MSI execution
- Multi-stage delivery: The MSI acts as the initial access vector, unpacking intermediate loaders before deploying the final stealer payloads
The EV Signing Problem
Extended Validation certificates are supposed to be the gold standard of software trust. They require identity verification, organizational validation, and physical hardware tokens. Yet a thriving underground market has emerged where stolen, purchased, or fraudulently obtained EV certificates are offered as a service.
The economics are straightforward: an EV certificate costs the signing service provider a one-time investment. Each signature sold to a malware operator generates pure margin. The buyer gets their payload trusted by Windows, and the service provider bears none of the operational risk.
This sample demonstrates the practical impact. Windows SmartScreen, the most widely deployed consumer-facing protection against malicious downloads, is defeated by design: the signature is valid, so there is nothing for it to warn about. The MSI passes verification, runs without warning dialogs, and the infection chain begins silently.
Attack Chain
```text
[Social Engineering / Malvertising]
        |
        v
Signed MSI Installer (EV Certificate)
    Passes SmartScreen, Authenticode, AV whitelists
        |
        v
[MSI CustomAction Execution]
    Unpacks intermediate loader
    Establishes persistence
        |
        v
[DeerStealer Deployment]
    Browser credential theft (Chrome, Firefox, Edge)
    Cryptocurrency wallet extraction
    Session token harvesting
        |
        v
[XFiles Deployment]
    System information collection
    Document harvesting
    Clipboard monitoring
        |
        v
[Exfiltration]
    Stolen data packaged and sent to C2
```
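The CustomAction stage is where a parasitic MSI does its real work, and it is also the first thing to read when triaging a signed installer. The example below is added here and is not code from the original write-up or from the sample; it decodes the numeric `Type` column of the `CustomAction` table (the bit layout is documented by Windows Installer) and flags the combinations a dropper relies on: executables or inline script text, deferred execution, the `NoImpersonate` bit that runs the action as SYSTEM, and references to user scratch directories or script hosts. The input format is the IDT export produced by msitools (`msiinfo export sample.msi CustomAction`); the rows embedded below are constructed, and every action name, property and path in them is illustrative rather than an indicator from the sample.

```python
"""Triage the CustomAction table of an MSI for the patterns a dropper relies on.

Added example, not code from the original write-up. Input is the table in IDT
form, as produced by msitools (msiinfo export sample.msi CustomAction): three
header lines, then one tab-separated row per action.
"""
import re

# Bit layout of CustomAction.Type (Windows Installer documentation).
BASE_TYPES = {1: "dll", 2: "exe", 3: "text", 5: "jscript", 6: "vbscript", 7: "install"}
SOURCE_BITS = {0x00: "Binary table stream", 0x10: "installed file",
               0x20: "Directory entry / inline Target", 0x30: "property value"}
IN_SCRIPT = 0x400       # msidbCustomActionTypeInScript: deferred to the execute sequence
ROLLBACK = 0x100        # with InScript: runs only on rollback
COMMIT = 0x200          # with InScript: runs only on commit
NO_IMPERSONATE = 0x800  # msidbCustomActionTypeNoImpersonate: runs as SYSTEM, not the user
HIDE_TARGET = 0x2000    # msidbCustomActionTypeHideTarget: Target kept out of the msiexec log

CODE_BASES = {"exe", "jscript", "vbscript", "dll"}
SCRATCH_DIRS = ("TempFolder", "AppDataFolder", "LocalAppDataFolder", "%TEMP%", "%APPDATA%")
PROXY_HOSTS = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil)\b", re.I)

# Constructed rows for the example; names, properties and paths are illustrative, not IOCs.
CA_IDT = (
    "Action\tType\tSource\tTarget\n"
    "s72\ti2\tS64\tS255\n"
    "CustomAction\tAction\n"
    "SetDropDir\t51\tDROPDIR\t[LocalAppDataFolder]Updater\\\n"
    "RunUpdater\t3106\tDROPDIR\tupdater.exe /silent\n"
    'PrepScript\t38\t\tCreateObject("WScript.Shell").Run "powershell -w hidden -f [DROPDIR]s.ps1", 0\n'
    "RegisterHelper\t1\tHelperDll\tRegisterAll\n"
)


def decode_type(value: int) -> dict:
    """Split a CustomAction.Type integer into base type, source and execution flags."""
    deferred = bool(value & IN_SCRIPT)
    return {
        "base": BASE_TYPES.get(value & 0x0F, "unknown"),
        "source": SOURCE_BITS.get(value & 0x30, "unknown"),
        "deferred": deferred,
        "rollback": deferred and bool(value & ROLLBACK),
        "commit": deferred and bool(value & COMMIT),
        "no_impersonate": bool(value & NO_IMPERSONATE),
        "hide_target": bool(value & HIDE_TARGET),
    }


def parse_idt(text: str) -> list:
    """Parse an IDT export: column names, column types, table/key line, then rows."""
    lines = text.splitlines()
    columns = lines[0].split("\t")
    rows = []
    for line in lines[3:]:
        if not line.strip():
            continue
        values = line.split("\t")
        values += [""] * (len(columns) - len(values))  # IDT drops trailing empty cells
        rows.append(dict(zip(columns, values)))
    return rows


def triage(idt_text: str) -> list:
    """Report every code-running action with the reasons it deserves a look."""
    rows = parse_idt(idt_text)
    # Type 51 (set property) and 35 (set directory) define values later actions reference.
    props = {r["Source"]: r["Target"] for r in rows
             if decode_type(int(r["Type"]))["base"] == "text"}
    findings = []
    for r in rows:
        t = decode_type(int(r["Type"]))
        if t["base"] not in CODE_BASES:
            continue
        resolved = " ".join([r["Source"], r["Target"], props.get(r["Source"], "")]).strip()
        reasons = [f"{t['base']} from {t['source']}"]
        level = 1 if t["base"] != "dll" else 0  # DLL actions are routine in legitimate MSIs
        if t["deferred"]:
            reasons.append("deferred (runs during InstallExecuteSequence)")
        if t["no_impersonate"]:
            reasons.append("NoImpersonate: executes as SYSTEM")
            level += 1
        if t["hide_target"]:
            reasons.append("HideTarget: command line hidden from the msiexec log")
        if any(d in resolved for d in SCRATCH_DIRS):
            reasons.append("references a user scratch path")
            level += 1
        if PROXY_HOSTS.search(resolved):
            reasons.append("launches a script or proxy host")
            level += 1
        findings.append({"action": r["Action"], "type": int(r["Type"]),
                         "severity": ["low", "medium", "high"][min(level, 2)],
                         "reasons": reasons, "resolved": resolved})
    return findings


if __name__ == "__main__":
    for f in triage(CA_IDT):
        print(f"{f['severity']:<6} {f['action']:<16} type={f['type']:<5} {'; '.join(f['reasons'])}")
```

Type 3106 (0xC22) is the combination to watch for: an executable resolved through the Directory table, deferred, with `NoImpersonate` set, which is exactly how a dropper gets its payload run as SYSTEM after the signed package has already been admitted. Pair the output with `InstallExecuteSequence` to see where in the install each flagged action fires.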
DeerStealer Capabilities
DeerStealer is a focused credential stealer that has gained traction in 2025-2026. Its core capabilities include:
- Browser password extraction from Chromium-based browsers (Chrome, Edge, Brave, Opera) and Firefox
- Cryptocurrency wallet theft targeting MetaMask, Phantom, Coinbase Wallet, and hardware wallet bridge applications
- Cookie and session token harvesting for account takeover without needing passwords
- Autofill data extraction including credit card numbers and addresses
- Browser extension data for cryptocurrency and password manager extensions
XFiles Stealer
XFiles complements DeerStealer with broader system-level data collection:
- System profiling: Hardware IDs, OS version, installed software inventory
- Document harvesting: Scans common paths for documents matching financial/corporate keywords
- Email client credentials: Outlook, Thunderbird profile data
- FTP/SSH credentials: FileZilla, WinSCP, PuTTY saved sessions
- Clipboard monitoring: Captures cryptocurrency addresses for potential clipboard hijacking
Detection Challenges
The combination of a legitimate EV signature and the MSI delivery format creates significant blind spots:
- SmartScreen bypass: EV-signed executables are trusted by default
- MSI whitelisting: Many enterprise environments whitelist MSI execution for software deployment
- Behavioral delay: The MSI performs legitimate-looking installation actions before deploying the payload
- AV evasion: The signing certificate reduces the weight of heuristic detections
IOCs
Sample:
- File Type: MSI (Windows Installer)
- Delivery: web download (malvertising)
- Payloads: DeerStealer, XFiles
Detection Guidance:
- Monitor for MSI installations that spawn unexpected child processes (PowerShell, cmd.exe, or unsigned executables)
- Alert on MSI CustomActions that write to `%TEMP%` or `%APPDATA%` and immediately execute the written files
- Hunt for DeerStealer indicators: access to Chrome `Login Data` SQLite databases and Chromium `Local State` files
- Monitor for XFiles indicators: rapid enumeration of browser profiles, FTP client config directories, and email client data stores
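The first two items above (msiexec spawning unexpected children, and a file written to a scratch directory and then executed) are one correlation rule rather than two signatures. The example below is added here and is not code from the original write-up; it runs that rule over constructed records shaped like Sysmon Event ID 1 (process create) and Event ID 11 (file create) after field normalization. The user name, file names and timestamps are made up for the example, and the 120-second write-to-execute window is an assumption to tune locally.

```python
"""Correlate process-create and file-create events to catch an MSI that drops and runs a payload.

Added example, not code from the original write-up. Records are constructed to
look like Sysmon EID 1 and EID 11 after normalization; paths are illustrative.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
SCRATCH_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                   "\\appdata\\local\\", "\\windows\\temp\\")
WRITE_TO_EXEC_WINDOW = timedelta(seconds=120)  # assumption: tune to the environment

# Constructed events. The msiexec -> msiexec /V child is the normal custom action
# server and the final app.exe launch is a normal post-install start; both must stay quiet.
SAMPLE_EVENTS = [
    {"eid": 1, "ts": "2026-03-11T10:00:01", "parent_image": "C:\\Windows\\System32\\msiexec.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /V", "signed": True},
    {"eid": 11, "ts": "2026-03-11T10:00:03", "image": "C:\\Windows\\System32\\msiexec.exe",
     "target": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\MSI4F21.tmp"},
    {"eid": 1, "ts": "2026-03-11T10:00:09", "parent_image": "C:\\Windows\\System32\\msiexec.exe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\MSI4F21.tmp",
     "cmdline": "\"C:\\Users\\jdoe\\AppData\\Local\\Temp\\MSI4F21.tmp\" /silent", "signed": False},
    {"eid": 1, "ts": "2026-03-11T10:00:12", "parent_image": "C:\\Windows\\System32\\msiexec.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -f C:\\Users\\jdoe\\AppData\\Roaming\\Updater\\s.ps1",
     "signed": True},
    {"eid": 1, "ts": "2026-03-11T10:00:40", "parent_image": "C:\\Windows\\System32\\msiexec.exe",
     "image": "C:\\Program Files\\ExampleVendor\\app.exe", "cmdline": "app.exe --firstrun",
     "signed": True},
]


def in_scratch(path: str) -> bool:
    return any(m in path.lower() for m in SCRATCH_MARKERS)


def is_msiexec(image: str) -> bool:
    return PureWindowsPath(image).name.lower() == "msiexec.exe"


def correlate(events: list) -> list:
    """Alert on msiexec children that are script hosts or freshly dropped scratch files."""
    # Pass 1: every file msiexec wrote into a scratch directory, keyed by normalized path.
    dropped = {}
    for e in events:
        if e["eid"] == 11 and is_msiexec(e["image"]) and in_scratch(e["target"]):
            dropped[e["target"].lower()] = datetime.fromisoformat(e["ts"])

    # Pass 2: process creations whose parent is msiexec.
    alerts = []
    for e in events:
        if e["eid"] != 1 or not is_msiexec(e["parent_image"]):
            continue
        child = PureWindowsPath(e["image"])
        key = str(child).lower()
        ts = datetime.fromisoformat(e["ts"])
        reasons = []
        if child.name.lower() in LOLBINS:
            reasons.append(f"msiexec spawned {child.name}")
        if key in dropped and ts - dropped[key] <= WRITE_TO_EXEC_WINDOW:
            reasons.append(f"executed {ts - dropped[key]} after msiexec wrote it")
        elif in_scratch(key):
            reasons.append("runs from a user scratch directory")
        if in_scratch(key) and not e.get("signed", False):
            reasons.append("unsigned")
        if reasons:
            alerts.append({"ts": e["ts"], "image": str(child),
                           "cmdline": e["cmdline"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["ts"], a["image"], "|", "; ".join(a["reasons"]))
```

Expect this to fire on some legitimate installers too: msiexec extracts Binary-table executables to `%TEMP%\MSIxxxx.tmp` and runs them, which is the same shape. Triage those by the MSI's signer identity and the child's hash rather than suppressing on "the installer was signed", since a valid signature is precisely what this campaign bought.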
MITRE ATT&CK
| Technique | ID | Application |
|---|---|---|
| User Execution: Malicious File | T1204.002 | User runs signed MSI |
| Subvert Trust Controls: Code Signing | T1553.002 | EV certificate bypasses SmartScreen |
| Obtain Capabilities: Code Signing Certificates | T1588.003 | EV certificate purchased or rented through the signing MaaS |
| System Binary Proxy Execution: Msiexec | T1218.007 | Payload unpacked and launched by MSI CustomActions |
| Credentials from Password Stores: Web Browsers | T1555.003 | DeerStealer browser credential theft |
| Steal Web Session Cookie | T1539 | Session token harvesting |
| Data from Local System | T1005 | XFiles document harvesting |
| Clipboard Data | T1115 | Clipboard monitoring |
| Exfiltration Over C2 Channel | T1041 | Stolen data exfiltration |
Conclusion
The parasitic MSI represents an uncomfortable truth about code signing trust models: they work until the certificates are compromised, and there is now a mature market for doing exactly that. The combination of EV signing MaaS with dual-payload stealers (DeerStealer + XFiles) creates an infection chain that bypasses the most common consumer and enterprise defenses by design. The fix is not purely technical: it requires certificate authorities to tighten validation and revoke faster, and defenders to stop treating a valid signature as proof of safety. Monitor what an MSI does at install time (custom actions, dropped files, child processes), not just whether it is signed.