{
	"id": "9bc4821e-25ce-4596-b2bc-abe4b3f08c8a",
	"created_at": "2026-04-06T00:13:19.714755Z",
	"updated_at": "2026-04-10T13:13:02.204249Z",
	"deleted_at": null,
	"sha1_hash": "61a4de65915198ac93e64099b3a715c9aeb3c757",
	"title": "Avast finds compromised Philippine Navy certificate used in remote access tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1053966,
	"plain_text": "Avast finds compromised Philippine Navy certificate used in remote access tool\r\nBy Threat Research Team\r\nArchived: 2026-04-05 17:43:42 UTC\r\nAvast Threat Intelligence Team has found a remote access tool (RAT) actively being used in the wild in the\r\nPhilippines that uses what appears to be a compromised digital certificate belonging to the Philippine Navy. This\r\ncertificate is now expired, but we see evidence it was in use with this malware in June 2020.\r\nBased on our research, we believe with a high level of confidence that the threat actor had access to the private\r\nkey belonging to the certificate.\r\nWe got in touch with CERT-PH, the National Computer Emergency Response Team for the Philippines, to help us\r\ncontact the navy. We have shared our findings with them. The navy security team later let us know that the\r\nincident has been resolved and no further assistance was necessary from our side.\r\nBecause this is being used in active attacks now, we are releasing our findings immediately so organizations can\r\ntake steps to better protect themselves. 
We have found that this sample is now available on VirusTotal.\r\nCompromised Expired Philippine Navy Digital Certificate\r\nIn our analysis we found the sample connects to dost[.]igov-service[.]net:8443 using TLS in a statically\r\nlinked OpenSSL library.\r\nA WHOIS lookup on the C\u0026C domain gave us the following:\r\nhttps://decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/\r\nPage 1 of 4\n\nThe malware pins this digital certificate: it will only communicate with a server that presents exactly this certificate.\r\nWhen we checked the digital certificate used for the TLS channel we found the following information:\r\nSome important things to note:\r\nThe certificate is a valid certificate with a subject of *.navy.mil.ph, the Philippine Navy.\r\nThe certificate has recently expired: it was valid for one year, from Sunday December 15, 2019 until\r\nTuesday December 15, 2020.\r\nOur research shows that Censys saw this certificate employed by the actual navy.mil.ph website.\r\nBased on our research, we believe with a high level of confidence that the threat actor had access to the private\r\nkey belonging to the certificate.\r\nWhile the digital certificate is now expired, we see evidence it was in use with this malware in June 2020. 
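The detection a defender would want from the certificate observations above, added here as a worked example (it is not code from the Avast post or from the Avast IoC repository): a pass over TLS log records that flags a server certificate whose subject does not match the host being contacted, a session observed outside the certificate validity window, and contact with the C2 host named in the post. The Zeek-style records, their field layout, the helper names and the KNOWN_C2 set are constructed for the example.

```python
# Added example, not code from the Avast post. It flags TLS sessions whose
# server certificate does not fit the host being contacted, which is how a
# pinned *.navy.mil.ph certificate on dost.igov-service.net:8443 stands out.
import datetime as dt

# Constructed records in a Zeek-style ssl.log/x509.log layout:
# ts resp_h resp_p server_name subject not_valid_before not_valid_after
# (whitespace separated here only to keep the example short; Zeek uses tabs).
SAMPLE_LOG = [
    '2020-06-10T09:12:44Z 203.0.113.10 8443 dost.igov-service.net CN=*.navy.mil.ph,O=Philippine_Navy 2019-12-15 2020-12-15',
    '2020-06-10T09:13:01Z 198.51.100.7 443 www.navy.mil.ph CN=*.navy.mil.ph,O=Philippine_Navy 2019-12-15 2020-12-15',
    '2021-01-04T12:00:00Z 203.0.113.10 8443 dost.igov-service.net CN=*.navy.mil.ph,O=Philippine_Navy 2019-12-15 2020-12-15',
    '2020-06-10T09:14:10Z 192.0.2.5 443 example.org CN=example.org 2020-01-01 2021-01-01',
]

# C2 host named in the post (defanged there as dost[.]igov-service[.]net).
KNOWN_C2 = {'dost.igov-service.net'}

def subject_cn(subject):
    # Pull the CN out of an RDN string such as CN=foo,O=bar.
    for rdn in subject.split(','):
        key, _, value = rdn.partition('=')
        if key.strip().upper() == 'CN':
            return value.strip()
    return ''

def hostname_matches(pattern, host):
    # RFC 6125 style matching: case-insensitive, a wildcard only as the whole
    # leftmost label, and it matches exactly one label, so *.navy.mil.ph
    # covers www.navy.mil.ph but not navy.mil.ph or a.b.navy.mil.ph.
    pattern = pattern.lower().rstrip('.')
    host = host.lower().rstrip('.')
    if not pattern.startswith('*.'):
        return pattern == host
    p_labels = pattern.split('.')
    h_labels = host.split('.')
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def analyze(lines):
    # Returns {(ts, server_name): [reasons]} for every session worth a look.
    findings = {}
    for line in lines:
        ts, resp_h, resp_p, sni, subject, nb, na = line.split()
        seen = dt.datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ').date()
        not_before = dt.date.fromisoformat(nb)
        not_after = dt.date.fromisoformat(na)
        reasons = []
        # A government wildcard certificate served for an unrelated name.
        if not hostname_matches(subject_cn(subject), sni):
            reasons.append('subject_mismatch')
        # The session happened before notBefore or after notAfter.
        if seen < not_before or seen > not_after:
            reasons.append('outside_validity')
        if sni in KNOWN_C2:
            reasons.append('known_c2')
        if reasons:
            findings[(ts, sni)] = reasons
    return findings

if __name__ == '__main__':
    for key, reasons in analyze(SAMPLE_LOG).items():
        print(key, reasons)
```

The subject mismatch check is the one that matters here: the chain for *.navy.mil.ph validated while the certificate was in date, so only the disagreement between the host (dost.igov-service.net) and the name the certificate was issued for gives the session away. If the implant sends no SNI, feed the destination name from DNS logs, or the destination IP, into the server_name field instead.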
\r\nThe malicious PE file was found with filename C:\\Windows\\System32\\wlbsctrl.dll and its SHA-256 hash is:\r\n85FA43C3F84B31FBE34BF078AF5A614612D32282D7B14523610A13944AADAACB\r\nIn analyzing the malicious PE file itself, we found that the compilation timestamp is wrong or was edited.\r\nSpecifically, the TimeDateStamp of the PE file was modified and set to the year 2004 in both the PE header and\r\nthe Debug Directory, as shown below:\r\nHowever, we found that the author used OpenSSL 1.1.1g and compiled it on April 21, 2020, as shown below:\r\nThe username of the author was probably udste. This can be seen in the debug information left inside the used\r\nOpenSSL library.\r\nWe found that the malware supports the following commands:\r\nrun shellcode\r\nread file\r\nwrite file\r\ncancel data transfer\r\nlist drives\r\nrename a file\r\ndelete a file\r\nlist directory content\r\nSome additional items of note regarding the malicious PE file:\r\nAll configuration strings in the malware are encrypted using AES-CBC, with the exception of the mutex it\r\nuses. That mutex is used as-is without decryption: t7As7y9I6EGwJOQkJz1oRvPUFx1CJTsjzgDlm0CxIa4=\r\nWhen this string is decrypted using the hard-coded key it decrypts to QSR_MUTEX_zGKwWAejTD9sDitYcK (QSR_MUTEX_ is the\r\nprefix Quasar RAT uses for its mutex name). We suspect that this is a failed attempt to disguise this malware as the\r\ninfamous Quasar RAT malware. 
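The timestamp contradiction described above (a COFF TimeDateStamp set to 2004 in a binary that links OpenSSL 1.1.1g, which was released on 21 Apr 2020) can be checked mechanically. The following is an added example, not code from the post and not the analysts' tooling: it builds a constructed minimal PE image, reads the COFF TimeDateStamp, scans for the version text that OpenSSL embeds in every build, and flags a header stamp older than the release of the library the binary contains. The sample image, its field values and the helper names are assumptions made for the example; only the standard library is used.

```python
# Added example, not code from the Avast post. It reads the COFF
# TimeDateStamp of a PE image and compares it with the release date embedded
# in the statically linked OpenSSL version text, the contradiction the post
# describes (header says 2004, library says 2020). Stdlib only.
import datetime as dt
import struct

UTC = dt.timezone.utc

def build_sample_pe(timestamp, payload):
    # Constructed minimal image: DOS header with e_lfanew = 0x80, PE
    # signature, COFF file header, then whatever bytes the caller appends.
    # It is only a header carrier, not a loadable executable.
    dos = bytearray(0x80)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x80)          # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x8664, 0, timestamp, 0, 0, 0, 0x2022)
    return bytes(dos) + b'PE' + bytes(2) + coff + payload

def coff_timestamp(data):
    # TimeDateStamp is the third COFF field, 8 bytes past the PE signature.
    if data[:2] != b'MZ':
        raise ValueError('missing MZ header')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('missing PE signature')
    stamp = struct.unpack_from('<I', data, e_lfanew + 8)[0]
    return dt.datetime.fromtimestamp(stamp, UTC)

def openssl_version_text(data):
    # OpenSSL embeds OPENSSL_VERSION_TEXT, e.g. OpenSSL 1.1.1g  21 Apr 2020,
    # as a printable NUL-terminated string; return (version, release_date).
    start = data.find(b'OpenSSL ')
    if start < 0:
        return None
    end = start
    while end < len(data) and 32 <= data[end] < 127:
        end += 1
    parts = data[start:end].decode('ascii').split()
    if len(parts) < 5:
        return None
    release = dt.datetime.strptime(' '.join(parts[2:5]), '%d %b %Y').date()
    return parts[1], release

def analyze_pe(data):
    header = coff_timestamp(data)
    lib = openssl_version_text(data)
    return {
        'coff_timestamp': header.isoformat(),
        'openssl_version': lib[0] if lib else None,
        'openssl_release': lib[1].isoformat() if lib else None,
        # A link time earlier than the release of a library the binary
        # contains is impossible, so the header stamp must have been altered.
        'timestomp_suspected': bool(lib) and header.date() < lib[1],
    }

# Constructed sample mirroring the post: header stamped 2004-01-01, but the
# body carries the OpenSSL 1.1.1g version text dated 21 Apr 2020.
SAMPLE_PE = build_sample_pe(
    int(dt.datetime(2004, 1, 1, tzinfo=UTC).timestamp()),
    bytes(16) + b'OpenSSL 1.1.1g  21 Apr 2020' + bytes(1),
)

if __name__ == '__main__':
    print(analyze_pe(SAMPLE_PE))
```

The same comparison applies to the Debug Directory entry the post mentions; locating it needs the optional header's data directory and the section table to map its RVA to a file offset, which this example leaves out. Any other linked component with a known release date (a CRT version string, a packer signature) works as the reference in the same way.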
But this\r\ncannot be the case because this sample is written in C++ and the Quasar RAT is written in C#.\r\nAvast customers are protected against this malware.\r\nIndicators of Compromise (IoC)\r\nRepository: https://github.com/avast/ioc/tree/master/Philippine-Navy-Certificate\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/"
	],
	"report_names": [
		"avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool"
	],
	"threat_actors": [],
	"ts_created_at": 1775434399,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61a4de65915198ac93e64099b3a715c9aeb3c757.pdf",
		"text": "https://archive.orkl.eu/61a4de65915198ac93e64099b3a715c9aeb3c757.txt",
		"img": "https://archive.orkl.eu/61a4de65915198ac93e64099b3a715c9aeb3c757.jpg"
	}
}