Quoting d_stroid from Reddit:
> If it was an attack on the hash algorithm, then two different files should share the same hash. If two files have different hashes and both have a legitimate signature, it's simply because they have both been signed. There is absolutely no indication of a compromise of Microsoft code signing keys based on any information presented here. It is also not the only conclusion left - it is just you jumping to the least probable explanation without any evidence.
The 'both were just signed' argument fails to address the structural anomalies. If Microsoft signed both, why does the malware use RSA-2048 while the official binary uses RSA-4096? Furthermore, the malware carries a compilation timestamp from the year 2097, an APT technique to evade security filters.

We aren't just seeing 'two signed files'; we are seeing a malicious binary (verified with sandbox escape and session theft) that shouldn't exist in Microsoft's signing pipeline, yet it carries a valid signature and was delivered via a zero-click attack from an official CDN. This points directly to a compromise of the trust infrastructure (key compromise, CA breach, or verification bypass), not a routine signing event.
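A defender's check for one of the anomalies raised in this exchange, the far-future (2097) build timestamp: this is an added example, not code from anyone in the thread. It reads the COFF `TimeDateStamp` straight out of a PE header with the standard library only; the PE stub it runs against is constructed inline and is not a loadable image.

```python
import struct
from datetime import datetime, timezone
from typing import Optional


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF file header TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_verdict(data: bytes, now: Optional[datetime] = None) -> str:
    """Classify the build timestamp as 'zero', 'future' or 'plausible'."""
    now = now or datetime.now(timezone.utc)
    ts = pe_timestamp(data)
    if ts.timestamp() == 0:
        return "zero"        # never set by the linker, or deliberately cleared
    if ts > now:
        # A build date in the future cannot be real. Caveat for triage: binaries built
        # reproducibly (e.g. MSVC /Brepro) store a content hash in this field, so an
        # absurd value is a lead to check against the signature and catalog, not proof.
        return "future"
    return "plausible"


def make_pe_stub(ts: int) -> bytes:
    """Constructed minimal MZ header + 'PE\\0\\0' + 20-byte COFF header for testing."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)                 # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> right after it
    coff = struct.pack("<HHIIIHH", 0x8664, 3, ts, 0, 0, 240, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample mirroring the thread's claim: a stamp of 2097-01-01 UTC.
SAMPLE_FUTURE = make_pe_stub(int(datetime(2097, 1, 1, tzinfo=timezone.utc).timestamp()))

if __name__ == "__main__":
    print(pe_timestamp(SAMPLE_FUTURE).isoformat(), timestamp_verdict(SAMPLE_FUTURE))
```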