How is Plead malware used for cyberespionage attacks?

An espionage group used stolen digital certificates to sign Plead malware, along with a password-stealer component that was also seen in attacks in East Asia. How does this attack work, and how does one steal digital certificates?

Users increasingly need assurance that they can trust the software they download from the internet. A code-signing certificate lets a developer give that assurance to anyone downloading or installing the software, because the signature validates two things: the content's source (who published the software) and the content's integrity (proof that it has not been modified since it was signed). It acts as a virtual shrink-wrap for the software: the digital signature breaks if the code is altered in any way after signing. Note what it does not prove: a valid signature shows only that whoever held the certificate's private key signed the file, which is exactly why a stolen certificate is so valuable to an espionage group.
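The "shrink-wrap" behaviour described above, as an added example that is not part of the original article: a file is hashed and signed with a publisher's private key, the signature verifies against the matching public key, and a one-byte change to the file after signing makes verification fail. It assumes the openssl CLI is installed; the freshly generated "signer" key pair stands in for a CA-issued code-signing certificate, and the installer payload is a constructed stand-in. Windows Authenticode wraps this same hash-and-sign step in a PKCS#7 structure that also carries the signer's certificate chain.

```shell
#!/bin/sh
# Added example: demonstrate that a digital signature detects post-signing tampering.
# Assumes the openssl CLI is available. The self-generated key pair stands in for a
# CA-issued code-signing certificate; setup.bin is a constructed stand-in for an installer.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Publisher side: generate the signing key pair. The private key stays with the
# publisher (ideally in an HSM); the public key is what ships inside the certificate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/signer.key" 2>/dev/null
openssl pkey -in "$WORK/signer.key" -pubout -out "$WORK/signer.pub" 2>/dev/null

# sign_file PRIVATE_KEY FILE SIGNATURE_OUT: hash FILE with SHA-256 and sign the digest.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUBLIC_KEY FILE SIGNATURE: returns 0 if SIGNATURE matches FILE, 1 otherwise.
verify_file() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# signature_detects_tampering: returns 0 when the untouched file verifies and the
# tampered file does not, i.e. when the signature behaves like shrink-wrap.
signature_detects_tampering() {
    # Constructed stand-in for a downloaded installer.
    printf 'installer v1.0 payload\n' > "$WORK/setup.bin"
    sign_file "$WORK/signer.key" "$WORK/setup.bin" "$WORK/setup.sig"
    verify_file "$WORK/signer.pub" "$WORK/setup.bin" "$WORK/setup.sig" || return 1

    # Tamper: an attacker patches a single byte after the file was signed.
    printf 'installer v1.0 payloaX\n' > "$WORK/setup.bin"
    if verify_file "$WORK/signer.pub" "$WORK/setup.bin" "$WORK/setup.sig"; then
        return 1   # a modified file must never verify against the old signature
    fi
    return 0
}

signature_detects_tampering && echo "signature verified before tampering and failed after it"
```

The check only tells you the file matches what the key holder signed. If the private key was stolen, as in the Plead case, the signature still verifies cleanly; detecting that requires certificate revocation checks or knowledge of which certificates have been reported compromised, not a stronger hash.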

Unlike web server TLS certificates, code-signing certificates can’t be obtained for free, as a certificate authority (CA) carries out more detailed checks to verify
