Comodo/Sectigo has identified 90% of the certificates reported as abused to sign malware. Most of those certificates were already expired, revoked or duplicates by the time Sectigo looked into the matter. The CA is still investigating 25 certificates that could not be accounted for during its inspection, and it encourages researchers to report certificates found signing malware. Note that a signed sample stays trusted for as long as the certificate remains valid, so an abused certificate should not be left usable for signing malicious code.
Source: https://www.bleepingcomputer.com/news/security/sectigo-responds-to-chronicles-report-about-malware-signed-by-their-certs/