the actual running process is valid and signed by Microsoft
This is the little detail that jumped out at me. It strongly suggests that if Microsoft will happily approve and sign state-run malware, then the "guarantee" offered by their code signing procedure is utterly worthless.