OilRig Supply Chain Attack: Stolen Thai IT Vendor Certificates Hide Karkoff Backdoor
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Compromised software
- Attack Complexity: Medium
- Threat Risk: High Impact / High Probability
Threat Overview
PolySwarm researchers have uncovered previously unreported cyberespionage activity by the Iranian state-sponsored threat actor OilRig (APT34). The campaign abuses an Extended Validation (EV) code signing certificate stolen from a legitimate Thai IT vendor, MOSCII Corporation, to sign malicious payloads, including the custom Karkoff backdoor. Because the binaries carry a valid vendor signature, they pass as legitimate vendor tooling; OilRig used this to target Thailand’s energy sector, specifically the Electricity Generating Authority of Thailand (EGAT). The attackers also employed defense evasion techniques: PE compile timestamps were backdated to 2014, and the binaries were padded to about 10 MB, a size many automated sandboxes decline to detonate. This supply chain intrusion shows OilRig continuing to reach critical infrastructure and government agencies across Southeast Asia and the Middle East through trusted vendor relationships.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | MOSCII Corporation Co., Ltd. is a Thailand-based technology company specializing in computer management systems, software consultancy, and IT solutions. OilRig compromised MOSCII and abused its code signing certificate to sign malware. | Verified |
| Sector | Information Technology | Verified |
| Sector | Energy | Verified |
| Sector | Utilities | Verified |
| Region | Thailand | Verified |
Extracted IOCs
- 014aa93767f2a9e007c45b04c1665fa466b6bd78a94f0456b87158546352c079
- 076ba910589bba4e03eb7cd2b769f5a8d4232f75e7b620be0e3cc03d08f6ddea
- 216f6c98a716b8f5bc0cda61ff0947252bf05d27bb16067d54d8706a45b453ac
- 27a74df534eb05042603676b1237da6abfd8505597be1858c5a161e8af4a313b
- 40d32e87ea0ed02b060abde7be2c3de34dd369bb2da41b717cd804c92b48b34a
- 497d7e83b9a021f44699f5844018189421c0d429830995497a6e8352419a2330
- 6d40a9aea28570d2835c46ae78dc27d0986aabfce8277d8af178337831be137c
- 95fd3f06689e7e279daf8c5ca636970a3c94d8cc04cc3a6bcfe58fe58f903dfc
- a37b33fe504370a41b7d2eefd33fbd97c5be5e9c2f94ea4a4d943cdffe177d61
- a8f39a7d116a57136f148ca5b0b64c1621d12e971d1484566b7ac3d0608dede9
- ab2294175edbfa71cb275dac49deac2ffaf1dce4d0bab3c7d95ccb4bef684128
- ce446f6da9a6a62ca0832a135c44cf13c7fe02ffd8efd8f123dbc0b06f03a38a
FAQs
OilRig Supply Chain Attack and Certificate Theft
Cybersecurity researchers discovered a hidden cyberattack in which hackers stole a code signing certificate, the digital "ID card" a software publisher uses to prove a program is genuinely theirs, from a legitimate Thai software company. With the stolen certificate they signed their own malicious programs, so that Windows and security tools treated them as trusted, everyday IT tools from that vendor. This allowed the malware to pass signature checks and remain undetected on victim networks.
The attack is confidently linked to a cyberespionage group known as OilRig (also tracked as APT34). This group is assessed to operate on behalf of Iran's Ministry of Intelligence and Security and has been active for over a decade, specializing in spying on governments and critical infrastructure.
The primary goal of this attack is long-term cyberespionage rather than immediate disruption or destruction. By planting a "backdoor" program on victim computers, the attackers can quietly maintain access to the network, monitor activities, and steal sensitive intelligence over an extended period.
The attackers specifically targeted the energy sector in Thailand, disguising their malicious files as utility software used by the Electricity Generating Authority of Thailand (EGAT).
The hackers first compromised a trusted enterprise IT vendor and stole its code signing certificate. They then signed their own malware with it, so the files looked like normal, safe programs from that vendor. Finally, they relied on the vendor's trusted relationship with its clients to get the signed backdoor into the clients' networks.
Organizations like national electricity authorities are critical to a country's infrastructure and hold highly sensitive strategic data. Because the attackers' sponsor state has strategic interests in Southeast Asian energy infrastructure, gaining quiet, persistent access to these networks provides highly valuable intelligence.
This specific attack is highly targeted, aiming at specific critical infrastructure entities through a single compromised vendor. However, the overarching method of hacking a trusted vendor to reach their clients—known as a supply chain attack—is a widespread and growing threat globally.
Companies should monitor and verify all software provided by third-party vendors even when it carries a valid digital signature: a valid signature proves only that someone held the signing key, not that the vendor intended to ship the file. Security teams should block the compromised certificate named in the report (for example by its thumbprint) rather than trusting the vendor's publisher name alone, match file hashes against the IOC list above, and treat suspiciously large vendor binaries with caution, since the padded files in this campaign were sized to evade automated scanners.
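The evasion tricks described in the overview (compile timestamps backdated to 2014, binaries padded to about 10 MB) and the checks recommended above can be partly automated with static triage. The script below is an added example written for this page; it is not a PolySwarm tool and not from the report. It reads the COFF compile timestamp straight from the PE header, measures the overlay beyond the last section (excluding any Authenticode blob) and its entropy, and matches the file's SHA-256 against a supplied set of IOC hashes such as the ones listed above. The minimal PE it builds is constructed for the demonstration; the plausible-build-year threshold (2018), the 1 MiB overlay threshold and the single `.text` section layout are assumptions. Checking the signer's thumbprint against a block list still needs an Authenticode parser (for example `Get-AuthenticodeSignature` on Windows or `osslsigncode`), which this script does not include.

```python
"""PE triage for backdated compile timestamps, padded overlays and IOC hash matches.
Added example for this page (standard library only); not a PolySwarm or vendor tool."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pe(data: bytes) -> dict:
    """Read the COFF TimeDateStamp, the end of the last section's raw data and the
    IMAGE_DIRECTORY_ENTRY_SECURITY entry (Authenticode blob) from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (0x60 if magic == 0x10B else 0x70)   # PE32 vs PE32+ data directory offset
    sec_off, sec_size = struct.unpack_from("<II", data, dd_off + 4 * 8)  # entry 4: security
    sections = opt + opt_size
    raw_end = 0
    for i in range(nsections):  # SizeOfRawData / PointerToRawData sit at +16 / +20 of each header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sections + i * 40 + 16)
        raw_end = max(raw_end, ptr_raw + size_raw)
    return {"timestamp": stamp,
            "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "sections_end": raw_end,
            "signed": sec_size > 0,
            "security_dir": (sec_off, sec_size)}


def shannon_entropy(chunk: bytes) -> float:
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def overlay_stats(data: bytes, pe: dict) -> dict:
    """Bytes after the last section that are not the Authenticode blob. Filler
    used to push a file past sandbox size limits lands here."""
    sec_off, sec_size = pe["security_dir"]
    start, end = pe["sections_end"], len(data)
    if sec_size and sec_off >= start:      # keep the signature blob out of the overlay
        end = min(end, sec_off)
    overlay = data[start:end]
    return {"overlay_bytes": len(overlay), "overlay_entropy": shannon_entropy(overlay)}


def triage(data: bytes, ioc_hashes: set, earliest_plausible_year: int,
           max_overlay_bytes: int = 1 << 20) -> list:
    """Return a list of finding strings; an empty list means nothing stood out."""
    findings = []
    digest = sha256_hex(data)
    if digest in ioc_hashes:
        findings.append(f"hash-match:{digest}")
    pe = parse_pe(data)
    now = datetime.now(timezone.utc)
    if pe["compiled"].year < earliest_plausible_year or pe["compiled"] > now:
        findings.append(f"timestamp-anomaly:{pe['compiled'].date()}")
    if not pe["signed"]:
        findings.append("unsigned")   # a signed file still needs its thumbprint checked
    stats = overlay_stats(data, pe)
    if stats["overlay_bytes"] > max_overlay_bytes:
        findings.append(f"padding:{stats['overlay_bytes']}B overlay, "
                        f"entropy {stats['overlay_entropy']:.2f} bits/byte")
    return findings


def build_sample_pe(timestamp: int, padding: int) -> bytes:
    """Constructed minimal PE32 (one .text section, unsigned) followed by `padding`
    zero bytes of overlay. Test data for this example, not a real sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic; data dirs zero
    section = (b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x200, 0x200)
               + b"\0" * 12 + struct.pack("<I", 0x60000020))
    header = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return header + b"\xC3".ljust(0x200, b"\0") + b"\0" * padding


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:  # no path given: run against the constructed sample (2014 stamp, 10 MiB padding)
        blob = build_sample_pe(timestamp=1401580800, padding=10 * 1024 * 1024)
    # 2018 is an assumed lower bound for when the vendor's real tooling was built.
    print(triage(blob, ioc_hashes=set(), earliest_plausible_year=2018) or ["no findings"])
```

Run it as `python triage.py suspect.exe` with the report's hashes loaded into `ioc_hashes`; against the constructed sample it reports the 2014 timestamp and the zero-filled 10 MiB overlay. A real vendor build will usually show a small overlay holding only the Authenticode blob, so a multi-megabyte low-entropy overlay on a "signed vendor tool" is the signal worth escalating.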