{
	"id": "e8e7c6bc-506a-4ab3-86e1-8a35e0fc6746",
	"created_at": "2026-04-06T00:14:03.020955Z",
	"updated_at": "2026-04-10T03:32:09.255055Z",
	"deleted_at": null,
	"sha1_hash": "642c735584a0d3a74c18024a049b0680aaf21adf",
	"title": "Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1122776,
	"plain_text": "Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign\r\nBy Anton Cherepanov\r\nArchived: 2026-04-05 13:20:48 UTC\r\nD-Link and Changing Information Technology code-signing certificates stolen and abused by a highly skilled cyberespionage group focused on East Asia, particularly Taiwan\r\n09 Jul 2018, 3 min. read\r\nESET researchers have discovered a new malware campaign misusing stolen digital certificates.\r\nWe spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate. The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen.\r\nHaving confirmed the files’ malicious nature, we notified D-Link, who launched their own investigation into the matter. As a result, the compromised digital certificate was revoked by D-Link on July 3, 2018.\r\nhttps://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/\r\nPage 1 of 6\r\nFigure 1. The D-Link Corporation code signing certificate used to sign malware\r\nThe malware\r\nOur analysis identified two different malware families that were misusing the stolen certificate: the Plead malware, a remotely controlled backdoor, and a related password stealer component. Recently, JPCERT published a thorough analysis of the Plead backdoor, which, according to Trend Micro, is used by the cyberespionage group BlackTech.\r\nFigure 2. The Changing Information Technology Inc. code signing certificate used to sign malware\r\nAlong with the Plead samples signed with the D-Link certificate, ESET researchers have also identified samples signed using a certificate belonging to a Taiwanese security company named Changing Information Technology Inc.\r\nDespite the fact that the Changing Information Technology Inc. certificate was revoked on July 4, 2017, the BlackTech group is still using it to sign their malicious tools. Revocation only stops such a signature from being trusted where the software verifying it actually checks the certificate’s revocation status, which many tools and endpoint controls do not, so a revoked certificate can remain useful to an attacker.\r\nThe ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region.\r\nThe signed Plead malware samples are heavily obfuscated with junk code, but the purpose of the malware is the same in all samples: it either downloads from a remote server, or opens from the local disk, a small encrypted binary blob. This blob contains encrypted shellcode, which in turn downloads the final Plead backdoor module.\r\nFigure 3. Obfuscated code of the Plead malware\r\nThe password stealer tool is used to collect saved passwords from the following applications:\r\nGoogle Chrome\r\nMicrosoft Internet Explorer\r\nMicrosoft Outlook\r\nMozilla Firefox\r\nWhy steal digital certificates?\r\nMisusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions: because a stolen certificate lets malware appear to be a legitimate application, the malware has a greater chance of sneaking past security measures without raising suspicion.\r\nProbably the most infamous malware known to have used several stolen digital certificates is the Stuxnet worm, discovered in 2010 and the malware behind the very first cyberattack to target critical infrastructure. Stuxnet used a digital certificate stolen from RealTek and another from JMicron, two well-known technology companies based in Taiwan.\r\nHowever, the tactic is not exclusive to high-profile incidents like Stuxnet, as evidenced by this recent discovery.\r\nIoCs\r\nESET detection names\r\nWin32/PSW.Agent.OES trojan\r\nWin32/Plead.L trojan\r\nWin32/Plead.S trojan\r\nWin32/Plead.T trojan\r\nWin32/Plead.U trojan\r\nWin32/Plead.V trojan\r\nWin32/Plead.X trojan\r\nWin32/Plead.Y trojan\r\nWin32/Plead.Z trojan\r\nUnsigned samples (SHA-1)\r\n80AE7B26AC04C93AD693A2D816E8742B906CC0E3\r\n62A693F5E4F92CCB5A2821239EFBE5BD792A46CD\r\nB01D8501F1EEAF423AA1C14FCC816FAB81AC8ED8\r\n11A5D1A965A3E1391E840B11705FFC02759618F8\r\n239786038B9619F9C22401B110CF0AF433E0CEAD\r\nSigned samples (SHA-1)\r\n1DB4650A89BC7C810953160C6E41A36547E8CF0B\r\nCA160884AE90CFE6BEC5722FAC5B908BF77D9EEF\r\n9C4F8358462FAFD83DF51459DBE4CD8E5E7F2039\r\n13D064741B801E421E3B53BC5DABFA7031C98DD9\r\nC\u0026C servers\r\namazon.panasocin[.]com\r\noffice.panasocin[.]com\r\nokinawas.ssl443[.]org\r\nCode signing certificates serial numbers\r\nD-Link Corporation: 13:03:03:e4:57:0c:27:29:09:e2:65:dd:b8:59:de:ef\r\nChanging Information Technology Inc: 73:65:ed:e7:f8:fb:b1:47:67:02:d2:93:08:39:6f:51\r\nChanging Information Technology Inc: 1e:50:cc:3d:d3:9b:4a:cc:5e:83:98:cc:d0:dd:53:ea\r\nSource: https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/"
	],
	"report_names": [
		"certificates-stolen-taiwanese-tech-companies-plead-malware-campaign"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177",
				"Circuit Panda",
				"Earth Hundun",
				"Palmerworm",
				"Red Djinn",
				"Shrouded Crossbow"
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434443,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/642c735584a0d3a74c18024a049b0680aaf21adf.pdf",
		"text": "https://archive.orkl.eu/642c735584a0d3a74c18024a049b0680aaf21adf.txt",
		"img": "https://archive.orkl.eu/642c735584a0d3a74c18024a049b0680aaf21adf.jpg"
	}
}