Artifact for Understanding the Status and Strategies of the Code Signing Abuse Ecosystem
The artifact contains a CSV table and a ZIP folder of certificate files. The CSV file mainly records metadata of abusive certificates—such as hash, serial number, subject, issuer, validity period, and abuse category—and provides the VirusTotal report of one representative software sample signed by each certificate. The ZIP folder contains the original .cer files of all abused certificates listed in the CSV. Each file is named after its MD5 value, and the total number of certificates (2,072) is consistent with the description in Section IV.C of the paper.
The artifact evaluated for NDSS 2026 is permanently archived at:
https://doi.org/10.5281/zenodo.17666996
The paper can be seen at NDSS26_FINAL_VERSION.pdf.
Citation: Hanqing Zhao, Yiming Zhang, Lingyun Ying, Mingming Zhang, Baojun Liu, Haixin Duan, Zi-Quan You, and Shuhao Zhang. Understanding the Status and Strategies of the Code Signing Abuse Ecosystem. In Symposium on Network and Distributed System Security (NDSS), 2026.
This artifact is released under the MIT License (see LICENSE).