Important Paper

1 point, posted 7 hours ago
by KaoruAK

3 Comments

gryfft

6 hours ago

Quoting d_stroid from Reddit:

> If it was an attack on the hash algorithm, then two different files should share the same hash. If two files have different hashes and both have a legitimate signature, it's simply because they have both been signed. There is absolutely no indication of a compromise of Microsoft code signing keys based on any information presented here. It is also not the only conclusion left; it is just you jumping to the least probable explanation without any evidence.

KaoruAK

6 hours ago

The 'both were just signed' argument fails to address the structural anomalies. If Microsoft signed both, why does the malware use RSA-2048 while the official binary uses RSA-4096? Furthermore, the malware carries a compilation timestamp from the year 2097, an APT technique to evade security filters. We aren't just seeing 'two signed files'; we are seeing a malicious binary (verified with sandbox escape and session theft) that shouldn't exist in Microsoft's signing pipeline, yet it carries a valid signature and was delivered via a zero-click attack from an official CDN. This points directly to a compromise of the trust infrastructure (key compromise, CA breach, or verification bypass), not a routine signing event.
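The two header facts argued over above (the COFF build timestamp and whether the file carries an Authenticode certificate table) can be read straight out of a PE image without trusting any tool's summary. The following is an added example written for this page, not code from either commenter and not run against the binaries they discuss; it parses the PE headers with the standard library only and flags a TimeDateStamp that lies in the future. The PE image it analyzes is a constructed, header-only sample (no sections, zero padding where the certificate blob would be), and the reference clock `EXAMPLE_NOW` (2026-01-01 UTC) is an assumption so the run is deterministic.

```python
import struct
import calendar
from datetime import datetime, timedelta, timezone

# COFF file header layout (follows the "PE\0\0" signature): Machine, NumberOfSections,
# TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
COFF_HEADER_FMT = "<HHIIIHH"
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)  # 20 bytes

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Offset of the DataDirectory array inside the optional header, by image format.
DATA_DIR_OFFSET = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table
NUM_DATA_DIRS = 16

# Fixed reference clock so the example is deterministic (assumption: "now" is 2026-01-01 UTC).
EXAMPLE_NOW = calendar.timegm((2026, 1, 1, 0, 0, 0))
# Constructed sample timestamp: 2097-01-01 UTC, the kind of value the thread describes.
SAMPLE_FUTURE_TS = calendar.timegm((2097, 1, 1, 0, 0, 0))


def parse_pe_metadata(data: bytes) -> dict:
    """Pull the build timestamp and the Authenticode directory entry out of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    machine, _, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + COFF_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in DATA_DIR_OFFSET:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # The security entry is a file offset (not an RVA) plus a size; treat a short
    # optional header that does not reach that entry as "no certificate table".
    sec_off, sec_size = 0, 0
    if opt_size >= DATA_DIR_OFFSET[magic] + (SECURITY_DIR_INDEX + 1) * 8:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt_off + DATA_DIR_OFFSET[magic] + SECURITY_DIR_INDEX * 8)
    return {"machine": machine, "timestamp": timestamp, "pe32plus": magic == PE32PLUS_MAGIC,
            "security_offset": sec_off, "security_size": sec_size}


def timestamp_anomalies(timestamp: int, now: int) -> list:
    """Describe TimeDateStamp values that cannot be an honest wall-clock build time."""
    issues = []
    if timestamp == 0:
        issues.append("zero timestamp (field stripped)")
    elif timestamp > now:
        when = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)
        issues.append(f"future build time {when:%Y-%m-%d} (clock skew, reproducible-build hash, or forgery)")
    return issues


def analyze(data: bytes, now: int = EXAMPLE_NOW) -> dict:
    """Combine the header facts into the checks a triage script would report."""
    meta = parse_pe_metadata(data)
    meta["anomalies"] = timestamp_anomalies(meta["timestamp"], now)
    meta["has_authenticode_blob"] = meta["security_size"] > 0
    return meta


def build_minimal_pe(timestamp: int, pe32plus: bool = True, security_size: int = 0) -> bytes:
    """Constructed sample: a header-only PE image that exercises the parser (not a runnable binary)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = DATA_DIR_OFFSET[magic] + NUM_DATA_DIRS * 8
    coff = struct.pack(COFF_HEADER_FMT, 0x8664 if pe32plus else 0x14C, 0, timestamp, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    headers_len = len(dos) + 4 + len(coff) + opt_size
    if security_size:
        # The certificate table sits after the headers; the sample emits zero padding in its place.
        struct.pack_into("<II", opt, DATA_DIR_OFFSET[magic] + SECURITY_DIR_INDEX * 8, headers_len, security_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * security_size


if __name__ == "__main__":
    samples = [("signed, future-dated", build_minimal_pe(SAMPLE_FUTURE_TS, security_size=4096)),
               ("unsigned, plausible", build_minimal_pe(EXAMPLE_NOW - 86400 * 30, pe32plus=False))]
    for label, image in samples:
        r = analyze(image)
        print(f"{label}: authenticode={r['has_authenticode_blob']} size={r['security_size']} "
              f"anomalies={r['anomalies'] or 'none'}")
```

Two caveats when reading the output. A future TimeDateStamp is weak evidence on its own: Microsoft's reproducible builds (MSVC `/Brepro`) replace that field with a hash of the image, so many legitimate Windows binaries carry nonsensical dates. And the example only reports that a certificate table exists and how large it is; settling the RSA-2048 versus RSA-4096 question means parsing the PKCS#7 SignedData inside that table and reading the signer certificate's public key, which needs an ASN.1/PKCS#7 parser and is out of scope here.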

user

7 hours ago

[deleted]