Malware uses compromised digital certificates to evade detection. The malware is designed to work on Windows XP and Windows 7 systems. Spymel uses a .NET executable signed with a legitimate DigiCert-issued certificate. The C&C server is hosted on the android.sh domain, which has a German IP address. Its keylogger module logs all user keystrokes into a log file at %Application Data%ProgramFiles(32.1)svchost.1)
Source: https://securityintelligence.com/news/spymel-the-latest-malware-using-digital-certificates/