It's not every time malware creators have to steal or buy a valid code-signing certificate to sign their malware – Sometimes the manufacturers unknowingly provide themselves.
This is what exactly done by a Taiwan-based networking equipment manufacturer D-Link, which accidently published its Private code signing keys inside the company's open source firmware packages.