The Azorult information stealer and downloader malware strain was observed by Minerva Labs’ research team posing as a signed Google Update installer and achieving persistence by replacing the legitimate Google Updater program on compromised machines. The researchers were able to see that the binary was actually signed with a certificate issued to “Singh Agile Content Design Limited”” instead of Google. The certificate was issued on November 19 and
Source: all of them being disguised as a GoogleUpdate executable.”