by KaoruAK
152 days ago
The 'both were just signed' argument fails to address the structural anomalies. If Microsoft signed both, why does the malware use RSA-2048 while the official binary uses RSA-4096? Furthermore, the malware carries a compilation timestamp from the year 2097, an APT technique to evade security filters.
We aren't just seeing 'two signed files'; we are seeing a malicious binary (verified with sandbox escape and session theft) that shouldn't exist in Microsoft's signing pipeline, yet it carries a valid signature and was delivered via a zero-click attack from an official CDN. This points directly to a compromise of the trust infrastructure (key compromise, CA breach, or verification bypass), not a routine signing event.
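As an added defender-side check (not code from the commenter or from any project mentioned): a Python snippet that reads the COFF TimeDateStamp from a PE header and flags a stamp that lies in the future, the kind of 2097 date described above. The minimal PE stub and the "current time" value are constructed for the demonstration.

```python
import struct


def pe_timestamp(data: bytes) -> int:
    """Return the raw COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # COFF file header follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def timestamp_anomaly(data: bytes, now_epoch: int, slack_seconds: int = 86400):
    """Return a short reason if the compile timestamp is implausible, else None."""
    stamp = pe_timestamp(data)
    if stamp == 0:
        return "zero timestamp (stripped or hash-replaced)"
    if stamp > now_epoch + slack_seconds:
        return "future timestamp (%d s ahead of now)" % (stamp - now_epoch)
    return None


def build_pe_stub(stamp: int) -> bytes:
    """Construct a minimal PE header carrying the given stamp (test input only, not a runnable image)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE signature right after DOS header
    # Machine=x64, 0 sections, stamp, no symbols, no optional header, no characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    NOW = 1735689600           # constructed "current time": 2025-01-01T00:00:00Z
    FAR_FUTURE = 4007836800    # constructed stamp: 2097-01-01T00:00:00Z
    for label, stamp in (("normal", NOW - 30 * 86400), ("anomalous", FAR_FUTURE)):
        print(label, timestamp_anomaly(build_pe_stub(stamp), NOW))
```

MSVC's /Brepro option replaces the timestamp with a content hash, so a future-dated stamp on its own is a weak signal and should be weighed together with the Authenticode countersignature time and the rest of the evidence.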