CJ Olivenetworks Certificate-Abuse Malware Analysis: A Kimsuky Group Phishing Campaign Abusing a Leaked Certificate

2025-05-30 Igloo Cyber threat report on Kimsuky, CJOliveNetworks

https://www.igloopedia.com/1f5f216a-760c-80c0-a6e3-e07e401caf23


IGLOO attributes a malware sample signed with a leaked CJ Olivenetworks certificate to Kimsuky on the basis of tradecraft overlap with an earlier phishing campaign that abused a leaked Nexaweb certificate: a Go-built dropper, an Acrobat-like icon, and a backdoor whose internal name is httpSpy.dll.

The dropper appears to have been delivered in a spear-phishing RAR archive as a screen-saver executable (.scr) disguised as a document. On execution it writes a decoy PDF styled as an IP access request to the Korea Institute of Machinery and Materials, deletes itself, drops an unsigned DLL named config.dat under the public user profile (%PUBLIC%, normally C:\Users\Public), and invokes that DLL's exported function through rundll32.exe.

The backdoor is wrapped in VMProtect-like obfuscation, resolves its strings and API addresses at run time, persists through a registry entry or a service, keeps its configuration in NTFS alternate data streams, and attempts HTTP C2 communication with gsegse.dasfesfgsegsefsede.o-r.kr.

The leaked certificate matters because the signature carries a trusted timestamp countersignature. Authenticode validates a timestamped signature against the certificate's status at the timestamped signing time, so the signature keeps verifying after the certificate expires, and after revocation as well unless the CA backdates the revocation to a point before that signing time. A signature that still verifies under a known Korean vendor's name raises the trust that users and signature-aware security controls place in the file.
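The chain IGLOO describes (a disguised .scr extracted from an archive, config.dat dropped under the public profile, rundll32.exe invoking its export, configuration kept in an alternate data stream, registry persistence, DNS resolution of the C2 domain) maps onto a small set of Sysmon hunting rules. The script below is an added example and not IGLOO's code: the domain and MD5 values are copied from the IOC table on this page, while the events are constructed Sysmon-style records in which the file names, the export name, the stream name and the SID are placeholders (the page does not name them, nor say which listed hash belongs to which file). It assumes Sysmon is configured to log stream creation (event 15) and DNS queries (event 22), which minimal configurations leave off.

```python
"""Hunt rules for the tradecraft IGLOO describes for the CJ Olivenetworks
certificate-abuse sample.  Added example, not IGLOO's code.  The events are
constructed Sysmon-style records; every file name, export name, stream name
and SID in them is a placeholder, and the page does not say which file each
listed hash belongs to.
"""
import re

# Network and hash IOCs copied from the page's IOC table.
C2_DOMAIN = "gsegse.dasfesfgsegsefsede.o-r.kr"
IOC_MD5 = {
    "537806c02659a12c5b21efa51b2322c1", "c05022f6827c6c99b21f01a44c704a25",
    "01e349800e4c04fd58f7d20c52e12daa", "7ec88818697623a0130b1de42fa31335",
    "580d7a5fdf78dd3e720b2ce772dc77e9", "aa8936431f7bc0fabb0b9efb6ea153f9",
}

# Placeholder paths (assumptions): a .scr extracted from a RAR, the dropped DLL, a Run key.
SCR = r"C:\Users\hong\AppData\Local\Temp\Rar$EXa0.123\IP_access_request.pdf.scr"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
DROP = r"C:\Users\Public\config.dat"
RUN_KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\cfg"

# Constructed events.  Sysmon IDs: 1 ProcessCreate, 11 FileCreate,
# 13 RegistryValueSet, 15 FileCreateStreamHash, 22 DnsQuery.
EVENTS = [
    {"id": 1, "EventID": 1, "Image": SCR, "CommandLine": f'"{SCR}"',
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Hashes": "MD5=7ec88818697623a0130b1de42fa31335"},  # hash-to-file mapping assumed
    {"id": 2, "EventID": 11, "Image": SCR, "TargetFilename": DROP},
    {"id": 3, "EventID": 1, "Image": RUNDLL32, "ParentImage": SCR,
     "CommandLine": f"rundll32.exe {DROP},ExportedFn"},
    {"id": 4, "EventID": 15, "Image": RUNDLL32, "TargetFilename": DROP + ":cfg"},
    {"id": 5, "EventID": 13, "Image": RUNDLL32, "TargetObject": RUN_KEY,
     "Details": f"rundll32.exe {DROP},ExportedFn"},
    {"id": 6, "EventID": 22, "Image": RUNDLL32, "QueryName": C2_DOMAIN},
    # Benign noise that the rules must not flag.
    {"id": 7, "EventID": 15, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\hong\Downloads\report.pdf:Zone.Identifier"},
    {"id": 8, "EventID": 1, "Image": RUNDLL32, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 9, "EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "example.com"},
]

DOC_EXT_SCR = re.compile(r"\.(pdf|hwp|docx?|xlsx?|pptx?)\.scr$", re.I)
PUBLIC_DAT = re.compile(r"c:\\users\\public\\[^\s,]+\.dat", re.I)


def disguised_scr(e):
    """A screen saver with a document double extension, or one launched by an archiver."""
    if e["EventID"] != 1 or not e["Image"].lower().endswith(".scr"):
        return False
    parent = e.get("ParentImage", "").lower()
    return bool(DOC_EXT_SCR.search(e["Image"])) or parent.endswith(("winrar.exe", "7zfm.exe", "bandizip.exe"))


def public_dat_drop(e):
    """A .dat written under the public profile (the report's config.dat)."""
    return e["EventID"] == 11 and bool(PUBLIC_DAT.fullmatch(e["TargetFilename"]))


def rundll32_public_dat(e):
    """rundll32.exe asked to load a .dat from the public profile, i.e. a DLL with a data extension."""
    return (e["EventID"] == 1 and e["Image"].lower().endswith("\\rundll32.exe")
            and bool(PUBLIC_DAT.search(e.get("CommandLine", ""))))


def ads_config(e):
    """An alternate data stream other than the browser's Zone.Identifier mark."""
    if e["EventID"] != 15:
        return False
    path, sep, stream = e["TargetFilename"].rpartition(":")
    # len(path) > 2 stops the drive-letter colon in "C:\..." being read as a stream separator.
    return sep == ":" and len(path) > 2 and stream.lower() not in ("", "zone.identifier")


def run_key_rundll32(e):
    """Run-key persistence whose value re-launches the rundll32/config.dat chain."""
    details = e.get("Details", "")
    return (e["EventID"] == 13 and "\\currentversion\\run\\" in e.get("TargetObject", "").lower()
            and "rundll32" in details.lower() and bool(PUBLIC_DAT.search(details)))


def c2_dns(e):
    """DNS resolution of the C2 domain or any subdomain of it."""
    q = e.get("QueryName", "").lower().rstrip(".")
    return e["EventID"] == 22 and (q == C2_DOMAIN or q.endswith("." + C2_DOMAIN))


def ioc_hash(e):
    """MD5 from Sysmon's 'MD5=...,SHA256=...' field matches the IOC list."""
    hashes = dict(kv.split("=", 1) for kv in e.get("Hashes", "").split(",") if "=" in kv)
    return hashes.get("MD5", "").lower() in IOC_MD5


RULES = (disguised_scr, public_dat_drop, rundll32_public_dat, ads_config,
         run_key_rundll32, c2_dns, ioc_hash)


def hunt(events):
    """Return (event id, rule name) for every rule that fires, in event order."""
    return [(e["id"], rule.__name__) for e in events for rule in RULES if rule(e)]


if __name__ == "__main__":
    for event_id, rule_name in hunt(EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Running it prints one line per hit; events 7 to 9 produce none. The rules are deliberately heuristic: rundll32.exe loading a .dat from the public profile and non-Zone.Identifier streams are rare in most fleets but not unique to this sample, so treat them as hunt leads and use the hash and domain matches for confirmation.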

Indicators of Compromise

HASH entries are 32-character hex digests (MD5). The two URL entries are shown as truncated on the source page.

Type    Value                               First Seen  Last Seen
URL     http://gsegse.dasfesfgsegsefsed…    2025-05-19  2026-04-07
DOMAIN  gsegse.dasfesfgsegsefsede.o-r.kr    2025-05-15  2026-04-07
HASH    537806c02659a12c5b21efa51b2322c1    2024-06-07  2025-06-09
HASH    c05022f6827c6c99b21f01a44c704a25    2025-05-30  2025-05-30
HASH    01e349800e4c04fd58f7d20c52e12daa    2025-05-30  2025-05-30
URL     http://gsegse.dasfesfgsegsefsed…    2025-05-30  2025-05-30
HASH    7ec88818697623a0130b1de42fa31335    2025-05-15  2025-05-30
HASH    580d7a5fdf78dd3e720b2ce772dc77e9    2025-05-15  2025-05-30
HASH    aa8936431f7bc0fabb0b9efb6ea153f9    2024-06-19  2025-05-30
