Code-signing certificates are precious commodities in the criminal underground, they are used by vxers to sign malware code to evade detection. Operators of the major black markets in the darknets buy and sell code-signings certificates. Most of the code-signed certificates are obtained by hackers due to fraud and not from security breaches suffered by the CAs. The most expensive items are the fully authenticated domains with EV SSL encryption and code signing capabilities. The report concluded the report concluded that more sophisticated actors and nation-state actors who are engaged in less widespread attacks will continue using fake code signing certificates in their operations.”]
Source: https://securityaffairs.co/wordpress/69457/cyber-crime/code-signing-certificates-2.html