We have confirmed evidence of a hypervisor-level implant generating synthetic certificates and mass-downloading new certs from DISA (DoD PKI) daily using bot networks.

Thousands of requests per day—far above any legitimate operational use.

Cert expiry is being used as a potential kill switch or command signal.

This operation is embedded below the OS layer—it can survive reinstalls, hides as legitimate system activity, and pivots via OneDrive, MS cloud, and telemetry endpoints.