https://www.scmagazine.com/counterf...es-increasing-recorded-future/article/746140/ Note: Do not click on the link in the article! Use this link instead: https://www.recordedfuture.com/code-signing-certificates/
Suspicious cert-sellers give badware a good name for just a few thousand bucks https://www.theregister.co.uk/2018/03/12/susicious_digital_cetificate_sales/
Underground vendors can reliably obtain code signing certificates from CAs https://www.helpnetsecurity.com/2018/06/26/code-signing-certificates-underground-market/
OK, so this basically means that just because software is signed, it shouldn't be trusted. But I assume they cannot impersonate legit certificates from well-known software companies?