Along for the ride: When legitimate software becomes a signed malware loader
ID: d5242437-a708-520b-8f57-50fa7b72c73a
STIX ID: report--d5242437-a708-520b-8f57-50fa7b72c73a
Feed Name: Expel Blog
This technical blog analyzes a second-stage malicious loader that trojanizes the legitimate Greenshot screenshot tool (renamed FortiClientCompliance.exe). The attacker replaces GreenshotPlugin.dll with a malicious version that displays a fake FortiClient compliance UI, loads a native updater.dll that creates a scheduled task for persistence, decrypts shellcode from an embedded icon, and executes it in memory. The malware uses indirect syscalls to evade user-mode hooks and disguises C2 communications as benign jQuery requests, carrying encrypted data in a Cloudflare cookie. IOCs and file hashes are provided; the C2 was observed alive during analysis, but no follow-up payload was retrieved and attribution remains unclear.
