The PolySwarm Blog


PolyKG Discovers Previously Unreported OilRig Samples Using Stolen Cert

Mar 27, 2026 11:49:49 AM / by The Hivemind posted in Threat Bulletin, OilRig APT34 campaign, stolen code signing certificate malware, MOSCII Corporation malware, Karkoff malware analysis, EV certificate abuse cybersecurity, supply chain cyber attack Thailand


Executive Summary

Using PolySwarm's knowledge graph, PolyKG, PolySwarm analysts have identified previously unreported OilRig activity that leverages a stolen Entrust Extended Validation (EV) code signing certificate issued to the Thai IT vendor MOSCII Corporation. The certificate was used to sign multiple malware samples, including the Karkoff backdoor, alongside additional undetected payloads with minimal antivirus coverage. The combination of a legitimate vendor certificate and EGAT-themed file naming suggests a possible supply chain intrusion targeting Thailand's energy sector. This activity highlights a continued evolution in OilRig tradecraft: abuse of trusted infrastructure combined with low-detection tooling to enable stealthy, persistent access.
