Key Takeaways
Background
PolySwarm analysts have identified previously unreported OilRig activity using a stolen or fraudulently obtained Entrust Extended Validation (EV) code signing certificate issued to MOSCII Corporation Co., Ltd., a legitimate Thai enterprise IT vendor. The certificate has been used to sign at least four malware samples submitted to PolySwarm between September 2024 and March 2026, including confirmed instances of Karkoff, a backdoor exclusively attributed to OilRig.
Two additional samples signed with the same certificate are currently undetected by the majority of antivirus engines, representing active, uninvestigated threat infrastructure. The internal filename of the signed Karkoff sample, egatdmtools.exe, mimics tooling associated with EGAT (Electricity Generating Authority of Thailand), a major Thai state utility with which MOSCII has documented business relationships. This pattern is consistent with OilRig's established tactic of compromising trusted IT vendors to gain access to their government and critical infrastructure clients. None of this infrastructure or the certificate abuse has been previously reported in open source threat intelligence.
Who is OilRig?
OilRig, also tracked as APT34, Crambus, Helix Kitten, and COBALT GYPSY, is a cyberespionage threat actor assessed with high confidence to operate on behalf of Iran's Ministry of Intelligence and Security (MOIS). Active since at least 2014, OilRig primarily targets government agencies, energy sector organizations, financial institutions, and telecommunications providers across the Middle East, with expanding operations into Southeast Asia, Europe, and North America.
The group is known for:
Karkoff is a lightweight, modular .NET backdoor designed for persistent access and selective command execution. It has been observed in multiple OilRig campaigns since 2018 and is considered a reliable indicator of OilRig attribution when detected.
Using PolyKG to Investigate
This investigation did not begin with a tip or a known IOC. It emerged organically from a routine threat hunting session focused on Iranian APT activity. The following describes the exact steps taken and the logic behind each pivot.
STEP 1: Search For Iranian Apt Malware Since February 28, 2026
The initial query was straightforward: search PolySwarm's metadata index for samples associated with known Iranian APT malware families submitted after February 28, 2026.
Only one family returned results: Karkoff. Six samples were found, five submitted on March 10, 2026, and one submitted on March 19, 2026 (the day our analyst made the query). The cluster of five same-day submissions suggested either a coordinated campaign wave, a researcher submitting a batch of collected samples, or an automated pipeline pushing newly collected specimens.
STEP 2: Pull Full Metadata On All Six Samples
Rather than stop at the family label, we pulled complete metadata for each sample individually, requesting PE file attributes, exiftool data, compile dates, file sizes, signing status, and sandbox results. This is where the investigation diverged significantly from a routine check.
Two samples immediately stood out:
a8f39a7d116a57136f148ca5b0b64c1621d12e971d1484566b7ac3d0608dede9
6d40a9aea28570d2835c46ae78dc27d0986aabfce8277d8af178337831be137c
STEP 3: Pivot On The Code Signing Certificate
The certificate belonging to MOSCII Corporation was used as a pivot point. We searched PolySwarm's entire sample collection for any other artifacts signed with the same certificate.
This is a standard and powerful threat hunting technique. Code signing certificates are expensive and non-trivial to obtain, as legitimate EV certificates require identity verification by the issuing Certificate Authority (Entrust, in this case). If a threat actor has obtained one, they will typically reuse it across multiple operations until it is revoked or expires. Finding all samples signed with the same certificate reveals the full scope of what that certificate has been used to sign.
The pivot returned two additional samples beyond the known Karkoff instances:
ce446f6da9a6a62ca0832a135c44cf13c7fe02ffd8efd8f123dbc0b06f03a38a
216f6c98a716b8f5bc0cda61ff0947252bf05d27bb16067d54d8706a45b453ac
Both samples were submitted two days after the March 10 Karkoff cluster and have almost no antivirus coverage. At the time of this report, they appear to represent live, largely undetected malware in the wild.
With a legitimate Thai company's EV certificate appearing on confirmed OilRig malware, we investigated background information on MOSCII Corporation directly. MOSCII Corporation Co., Ltd. is a real, established Thai software and IT services company founded in 2002, headquartered at 6/54 StarCat Building, Chatuchak, Bangkok. Their flagship product is StarCat, an enterprise IT network management and monitoring platform. Their customer base consists primarily of Thai government agencies, state-owned enterprises, and large private sector organizations. They have held partner relationships with Sun Microsystems, IBM, and Microsoft. WHOIS records for moscii.com confirm the domain was registered in 2002 and remains active.
MOSCII does not appear to be a shell company or a fraudulent entity. This is a legitimate business whose code signing certificate has been stolen or otherwise abused without their knowledge.
The internal filename egatdmtools.exe requires context to be meaningful. EGAT is the Electricity Generating Authority of Thailand, one of the country's largest state-owned enterprises, responsible for electricity generation and transmission nationwide. EGAT is exactly the kind of client that a Thai enterprise IT vendor like MOSCII would serve.
"DM Tools" in the filename likely refers to device management or data management tooling, the kind of utility software an IT vendor deploys and maintains on a client's network. The product string TOOLS.Net4 reinforces this: it presents as a generic .NET 4 administrative utility.
The implication is that OilRig obtained MOSCII's code signing certificate, most likely by compromising MOSCII directly, then crafted a Karkoff backdoor that masquerades as legitimate MOSCII tooling deployed to EGAT's network. A binary named egatdmtools.exe, signed by MOSCII's certificate, would appear entirely legitimate to any security tool or analyst performing a cursory review on EGAT's systems.
This is OilRig's documented playbook applied to a new geography: identify a trusted IT vendor, compromise the vendor, steal their credentials or certificates, and use the vendor's trusted relationship with target organizations to achieve persistent access. The same technique has been documented in OilRig's Middle East operations targeting Saudi Aramco and regional telecommunications providers.
Technical Findings
Karkoff is a .NET backdoor first identified in 2018. It is designed for selective command execution, receiving instructions from a C2 server and executing them based on pre-configured time schedules to limit exposure during investigation. It has evolved significantly since its initial discovery, with variants observed in 2019, 2022, 2024, and now 2026.
Karkoff maintains persistence via scheduled tasks or registry run keys, communicates over HTTP/HTTPS to attacker-controlled infrastructure, and logs execution results for retrieval by the operator. Its modular design allows OilRig to add or remove capabilities between campaigns.
SHA256: 6d40a9aea28570d2835c46ae78dc27d0986aabfce8277d8af178337831be137c
Family: Karkoff
Polyscore: 0.660
Submitted: 2026-03-10
Size: 3.1 MB
Signed: Yes
Certificate: Entrust EV — MOSCII CORPORATION CO., LTD.
Cert validity: September 2022 – September 2025 (expired, was valid at compile time)
Internal name: egatdmtools.exe
Product: TOOLS.Net4
Detections: 2 / 16 engines
Upload origin: United States
The certificate expiry in September 2025 is notable. The sample was submitted to PolySwarm in March 2026, meaning the certificate was expired at submission time. However, Windows will execute a signed binary with an expired certificate as long as the binary was timestamped (countersigned) before expiry. Whether this sample was timestamped before September 2025 is unknown without acquisition of the binary.
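As an added example (not PolySwarm's or PolyKG's code), the certificate pivot from Step 3 and the expired-certificate rule just described, run over constructed records modelled on this report's samples; the Sample fields, the 30 September expiry placeholder and the status labels are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Sample:
    sha256: str
    signer: Optional[str]          # certificate subject; None if unsigned
    cert_valid_to: Optional[date]  # certificate notAfter; None if unsigned
    countersigned: Optional[date]  # RFC 3161 timestamp date; None if absent or unknown
    detections: int
    engines: int

MOSCII = "MOSCII CORPORATION CO., LTD."
EXPIRY = date(2025, 9, 30)  # placeholder: the report gives only "September 2025"

# Constructed records modelled on the four samples discussed in the report.
SAMPLES = [
    Sample("6d40a9aea28570d2835c46ae78dc27d0986aabfce8277d8af178337831be137c",
           MOSCII, EXPIRY, None, 2, 16),
    Sample("a8f39a7d116a57136f148ca5b0b64c1621d12e971d1484566b7ac3d0608dede9",
           None, None, None, 2, 12),
    Sample("ce446f6da9a6a62ca0832a135c44cf13c7fe02ffd8efd8f123dbc0b06f03a38a",
           MOSCII, EXPIRY, None, 1, 50),
    Sample("216f6c98a716b8f5bc0cda61ff0947252bf05d27bb16067d54d8706a45b453ac",
           MOSCII, EXPIRY, None, 2, 50),
]

def pivot_on_signer(samples, seed_sha256):
    """Step 3 of the hunt: every other sample carrying the seed's certificate subject."""
    seed = next(s for s in samples if s.sha256 == seed_sha256)
    if seed.signer is None:
        return []
    return sorted(s.sha256 for s in samples if s.signer == seed.signer and s is not seed)

def signature_status(s, today):
    """Rule from the text: an expired cert still chains only if timestamped before expiry."""
    if s.signer is None:
        return "unsigned"
    if today <= s.cert_valid_to:
        return "valid"
    if s.countersigned is None:
        return "expired-timestamp-unknown"  # the report's case: binary not acquired
    if s.countersigned <= s.cert_valid_to:
        return "expired-but-timestamped"
    return "expired-and-untrusted"

def low_coverage(samples, max_ratio=0.10):
    """Samples at or below max_ratio detections/engines: the coverage gap to close."""
    return sorted(s.sha256 for s in samples if s.detections <= max_ratio * s.engines)
```

Pivoting from the signed Karkoff sample returns the two undetected March 12 samples, and both also fall out of the coverage-gap check.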
SHA256: a8f39a7d116a57136f148ca5b0b64c1621d12e971d1484566b7ac3d0608dede9
Family: Karkoff
Polyscore: 0.660
Submitted: 2026-03-10
Size: 10 MB
Signed: No
Compile date: August 27, 2014 (SPOOFED)
Detections: 2 / 12 engines
Sandbox: No detonation — size-based evasion likely successful
Upload origin: United States
The combination of a spoofed 2014 compile timestamp and 10 MB file size suggests this sample was specifically prepared to evade automated analysis:
Both of these samples were signed with the MOSCII certificate and submitted two days after the Karkoff cluster. Their near-zero detection rates mean they are currently circulating in the wild without meaningful AV coverage. They are not part of the Karkoff malware family, but they are likely associated with this activity because they reuse the same certificate that signed the Karkoff sample noted above.
Sample A:
SHA256: ce446f6da9a6a62ca0832a135c44cf13c7fe02ffd8efd8f123dbc0b06f03a38a
Polyscore: ~0.10
Submitted: 2026-03-12
Signed: Yes — MOSCII CORPORATION CO., LTD. (Entrust EV)
Detections: 1–2 / ~50 engines
Sandbox: No behavioral detonation
Upload origin: United States
Sample B:
SHA256: 216f6c98a716b8f5bc0cda61ff0947252bf05d27bb16067d54d8706a45b453ac
Polyscore: ~0.10
Submitted: 2026-03-12
Signed: Yes — MOSCII CORPORATION CO., LTD. (Entrust EV)
Detections: 1–2 / ~50 engines
Sandbox: No behavioral detonation
Upload origin: United States
The fact that both were submitted on the same day, two days after the Karkoff cluster, and share the same certificate and evasion profile strongly suggests they are part of the same operation, potentially additional tools or payloads deployed alongside Karkoff in a multi-stage intrusion chain.
The following samples complete the full picture of Karkoff activity in PolySwarm's collection, establishing a timeline stretching back to November 2025:
SHA256 SCORE DATE
27a74df534eb05042603676b1237da6abfd8505597be1858c5a161e8af4a313b 0.660 2026-03-19
497d7e83b9a021f44699f5844018189421c0d429830995497a6e8352419a2330 0.908 2026-03-10
95fd3f06689e7e279daf8c5ca636970a3c94d8cc04cc3a6bcfe58fe58f903dfc 0.935 2026-03-10
40d32e87ea0ed02b060abde7be2c3de34dd369bb2da41b717cd804c92b48b34a 0.908 2026-03-10
a8f39a7d116a57136f148ca5b0b64c1621d12e971d1484566b7ac3d0608dede9 0.660 2026-03-10
6d40a9aea28570d2835c46ae78dc27d0986aabfce8277d8af178337831be137c 0.660 2026-03-10
a37b33fe504370a41b7d2eefd33fbd97c5be5e9c2f94ea4a4d943cdffe177d61 0.660 2026-01-24
014aa93767f2a9e007c45b04c1665fa466b6bd78a94f0456b87158546352c079 0.660 2025-12-01
076ba910589bba4e03eb7cd2b769f5a8d4232f75e7b620be0e3cc03d08f6ddea 1.000 2025-11-24
ab2294175edbfa71cb275dac49deac2ffaf1dce4d0bab3c7d95ccb4bef684128 1.000 2025-11-19
The two November 2025 samples score 1.000 — maximum confidence — and likely represent less-obfuscated variants submitted earlier in the campaign lifecycle before the operators introduced the evasion techniques observed in March 2026. The progression from polyscore 1.0 in November to 0.66 in March is consistent with an operator iterating on evasion in response to increasing detection.
Known Samples Associated With The MOSCII Certificate
SHA256 FAMILY SUBMITTED
6d40a9aea28570d2835c46ae78dc27d0986aabfce8277d8af178337831be137c Karkoff 2026-03-10
ce446f6da9a6a62ca0832a135c44cf13c7fe02ffd8efd8f123dbc0b06f03a38a Unknown 2026-03-12
216f6c98a716b8f5bc0cda61ff0947252bf05d27bb16067d54d8706a45b453ac Unknown 2026-03-12
Attribution to OilRig (APT34) is assessed with High Confidence based on the following converging indicators:
Malware Family: Karkoff is an OilRig-exclusive tool. No other threat actor has been observed using Karkoff in any documented campaign. Its presence is considered a reliable OilRig indicator.
Certificate Abuse Pattern: Stealing or purchasing EV code signing certificates from legitimate regional IT vendors is a previously documented OilRig tactic. The group has previously abused certificates from Middle Eastern technology companies to sign tools deployed against regional governments and energy companies.
Targeting Logic: EGAT (Thailand's state electricity authority) is exactly the type of critical infrastructure target consistent with OilRig's mission profile. Iran has strategic interest in Southeast Asian energy infrastructure and diplomatic relationships with Thailand. OilRig's targeting footprint has expanded beyond the Middle East since 2022.
Vendor Abuse Pattern: Compromising a trusted IT vendor (MOSCII) to gain access to their government clients (EGAT and others) is OilRig's documented supply chain methodology. This mirrors their operations against IT managed service providers in the Gulf region.
Operational Security Evolution: The progression from unobfuscated, high-scoring samples in November 2025 to low-scoring, evasion-heavy samples in March 2026 is consistent with an active operator monitoring detection rates and iterating accordingly, a level of operational discipline associated with state-sponsored actors rather than cybercriminal groups.
PolyKG Recommendations
PolyKG made multiple recommendations for potentially affected entities and for cybersecurity practitioners:
For EGAT And Thai Critical Infrastructure
The EGAT-themed filename and the MOSCII certificate suggest EGAT is an active target. Organizations in Thailand's energy, utilities, and government sectors, particularly those using MOSCII's StarCat platform or any MOSCII-managed services, should:
The MOSCII Entrust EV certificate (expired September 2025) should be reviewed for revocation if not already revoked. Entrust should be notified of the abuse so they can assess whether a legitimately issued certificate was later compromised or whether the application process itself was fraudulent.
The two undetected samples noted above represent a coverage gap. Security vendors are encouraged to analyze these samples and update detection signatures. The MOSCII certificate should be added to blocklists for certificate-based detection rules.
This activity cluster, including the MOSCII certificate, the EGAT filename, and the associated Karkoff samples, is not currently represented in any known open source threat intelligence feed or vendor report. Teams tracking OilRig should add the following to their IOC sets:
Certificate subject: MOSCII CORPORATION CO., LTD.
Certificate issuer: Entrust
Certificate validity: September 2022 – September 2025
Filename indicator: egatdmtools.exe
Product string: TOOLS.Net4
Analyst Commentary
This report constitutes original threat intelligence derived from PolySwarm telemetry. The certificate abuse and associated infrastructure described herein have not been previously reported in open source threat intelligence at the time of publication. All analysis in this report was conducted using PolySwarm's threat intelligence platform and corroborated via OSINT. No external samples were acquired or executed. We have currently assessed this activity to be threat level medium, as we cannot confirm an active campaign leveraging these samples at this time.
The following tools and queries were used:
IOCs
Karkoff: click here to view all samples of Karkoff in our PolySwarm portal.
Undetected samples signed with MOSCII certificate
ce446f6da9a6a62ca0832a135c44cf13c7fe02ffd8efd8f123dbc0b06f03a38a
216f6c98a716b8f5bc0cda61ff0947252bf05d27bb16067d54d8706a45b453ac
File Indicators
Filename: egatdmtools.exe
Product string: TOOLS.Net4
File size: ~10 MB (padded variant), ~3.1 MB (signed variant)
Certificate Indicators
Subject: MOSCII CORPORATION CO., LTD.
Issuer: Entrust
Valid: September 2022 – September 2025
Status: Expired (revocation status unconfirmed at time of report)