A criminal gang named Suckfly has been using stolen code-signing certificates to give its custom malware the appearance of legitimacy since 2014.
http://arstechnica.co.uk/security/2016/03/to-bypass-code-signing-checks-malware-gang-steals-lots-of-certificates/
Brian Spector, CEO of MIRACL, comments: “This is just another instance of an attacker group taking advantage of the lax controls around commercial certificate authorities in order to achieve their goals. Because they are using a legitimate code signing certificate, checks in the victim’s browser or operating system will fail because the certificate is good. It’s like a criminal posing as a police officer with a real police officer’s badge. How are you supposed to tell the difference? You can’t, and that’s the issue.
The problem is that commercial CAs create a single point of compromise, which can be easily exploited by hackers. It’s an architectural issue at the end of the day. There is no way that ‘patching’ this industry will work, despite the best of intentions to police it. The best thing to do is start over, with a model of distributed or shared trust.”