Multiple malicious spam campaigns using signed emails have been observed distributing the GootKit (aka talalpek or Xswkit) banking Trojan with the help of a multi-stage malware loader dubbed Jasper loader. Jasper loader has been disseminated by multiple malspam campaigns over the past months and has been used to drop the GootKit banking Trojan. The attackers use legitimate certified email services such as Posta Elettronica Certificata (PEC) to send signed emails to their victims.
Source: https://www.bleepingcomputer.com/news/security/europeans-hit-with-multi-stage-malware-loader-via-signed-malspam/