Bypass Record
Code-Signing Abuse × Kaseya VSA
A publicly reported instance of Code-Signing Abuse bypassing Kaseya VSA, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Attackers exploited zero-day vulnerabilities in the Kaseya VSA SaaS platform to push a malicious update to the VSA agent (agentmon.exe) installed on endpoints. The malware was digitally signed with Kaseya's certificate, so it appeared legitimate and evaded endpoint detection. The agent then executed the ransomware payload (mpsvc.dll), which encrypted files on affected systems.
Detection & mitigation
Monitor for unexpected execution of Kaseya agent processes (e.g., agentmon.exe) spawning unusual child processes or network connections to known malicious IPs. Deploy application whitelisting and ensure endpoint protection is configured to inspect signed binaries for behavioral anomalies.
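One way to implement the parent/child check described above, as an added example that is not part of the original record or its source. The event fields are modelled on Sysmon-style process-creation logs; the `Signed` enrichment field, the baseline of expected child processes, and all paths, hosts and times are constructed assumptions.

```python
import ntpath

WATCHED_PARENT = "agentmon.exe"  # agent process named in the record
# Assumption: child images the agent normally launches in your environment.
# Placeholder name; build the real baseline from your own telemetry.
EXPECTED_CHILDREN = {"expected_helper.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path, parsed on any host OS."""
    return ntpath.basename(path or "").lower()


def flag_agent_children(events, baseline=EXPECTED_CHILDREN):
    """Return process-creation events whose parent is the agent and whose
    child image is outside the baseline. Signature status is reported but
    never suppresses a hit, since the malicious update was validly signed."""
    hits = []
    for ev in events:
        if image_name(ev.get("ParentImage")) != WATCHED_PARENT:
            continue
        child = image_name(ev.get("Image"))
        if child in baseline:
            continue
        hits.append({"time": ev.get("UtcTime"), "host": ev.get("Computer"),
                     "child": child, "signed": ev.get("Signed", False),
                     "command_line": ev.get("CommandLine", "")})
    return hits


# Constructed sample events; paths, hosts and times are illustrative only.
AGENT = r"C:\ExampleAgentDir\AgentMon.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2000-01-01 10:00:00", "Computer": "host-a", "Signed": True,
     "ParentImage": AGENT, "Image": r"C:\ExampleAgentDir\expected_helper.exe",
     "CommandLine": "expected_helper.exe --checkin"},
    {"UtcTime": "2000-01-01 10:05:00", "Computer": "host-a", "Signed": True,
     "ParentImage": AGENT, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c example"},
    {"UtcTime": "2000-01-01 10:06:00", "Computer": "host-b", "Signed": True,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"UtcTime": "2000-01-01 10:07:00", "Computer": "host-c", "Signed": False,
     "ParentImage": AGENT.upper(), "Image": r"C:\Temp\unknown_tool.exe",
     "CommandLine": "unknown_tool.exe"},
]

if __name__ == "__main__":
    for hit in flag_agent_children(SAMPLE_EVENTS):
        print(hit)
```

The signed `cmd.exe` child is flagged alongside the unsigned one, which is the behavior the record calls for: a trusted signature on the parent or child does not exempt it from behavioral inspection.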
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.