
Rising usage of Apple Developer Certificates for signing Windows malware

Report summary

Several websites and repositories on the internet circulate leaked or unauthorized iOS Enterprise Developer Certificates or Apple Developer Certificates. These sources typically claim to host certificates that can be used to sign iOS apps outside the App Store. From a security perspective, this is significant because such certificates are commonly abused for:

  • Malware distribution on iOS
  • Bypassing Apple’s app review and security controls
  • Installing untrusted apps on user devices
  • Presenting a Windows PE binary as signed, either to bypass some security controls or to look more like a legitimate app

One example often referenced in discussions about certificate abuse is a GitHub repository claiming to host “the latest iOS Enterprise Development Certificates” and offering programmatic access to them. This is emblematic of the broader trend of leaked enterprise certificates circulating publicly.

Additionally, various public webpages aggregate similar certificate collections or offer sign‑your‑binary “services”. These websites typically function as hubs where users can obtain or apply enterprise certificates for sideloading purposes, again, often outside legitimate usage.
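
A defender-side triage check for the Windows PE case listed above, as an added example that is not part of the original report: it reads a PE file's embedded Authenticode certificate table and reports Apple certificate name strings found in it. The marker strings and the `build_sample` helper (a constructed minimal PE used as test input) are assumptions of this example, and a hit is a heuristic string match, not signature validation.

```python
import struct

# Name strings seen in Apple-issued developer certificates (assumed marker list;
# heuristic: assumes DER names are stored as ASCII-compatible strings).
APPLE_MARKERS = (b"Apple Worldwide Developer Relations", b"Apple Root CA",
                 b"iPhone Distribution:", b"Apple Development:")

def cert_table(pe: bytes) -> bytes:
    """Return the raw attribute certificate table of a PE image, b'' if unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24  # skip 4-byte signature and 20-byte COFF header
    first_dir = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", pe, opt)[0])
    if first_dir is None:
        raise ValueError("unknown optional header magic")
    dirs = opt + first_dir  # PE32 vs PE32+ data directory offset
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= 4:  # NumberOfRvaAndSizes
        return b""
    # Directory 4 (security) holds a file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if off == 0 or size == 0:
        return b""
    if off + size > len(pe):
        raise ValueError("certificate table points outside the file")
    return pe[off:off + size]

def apple_markers(pe: bytes) -> list[str]:
    """List Apple certificate name strings present in the embedded signature."""
    blob = cert_table(pe)
    return [m.decode() for m in APPLE_MARKERS if m in blob]

def build_sample(payload: bytes) -> bytes:
    """Constructed input: minimal PE32+ headers plus one WIN_CERTIFICATE entry."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)  # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)  # NumberOfRvaAndSizes
    if not payload:
        return bytes(hdr)  # unsigned: security directory left zeroed
    # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 2 (PKCS#7)
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, 2) + payload
    struct.pack_into("<II", hdr, opt + 112 + 4 * 8, len(hdr), len(cert))
    return bytes(hdr) + cert
```

Files flagged this way still need full chain and signature verification with the platform's own tooling before any conclusion is drawn.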

Read the full research here.

Posted on: May 21, 2026

Piotr Mazurkiewicz
