3CX SmoothOperator Authenticode Abuse

2023-04-05 struppigel

https://www.youtube.com/watch?v=jCXIKHCpvn8


This follow-up analysis explains how the 3CX SmoothOperator malware abused Authenticode without stealing Microsoft certificates. The trojanized ffmpeg.dll extracted malicious data from d3dcompiler_47.dll, whose certificate remained valid because the attackers placed the data in parts of the certificate structure that are excluded from the Authenticode hash. The video points to SigFlip-style abuse, certificate padding and unauthenticated attribute checks, and to tools such as AnalyzePESig for detecting bytes appended inside or after the signature area.
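Added example, not from the video or any of the tools it names: a dependency-free check in the spirit of AnalyzePESig that walks a PE file's security directory (the WIN_CERTIFICATE table the Authenticode hash skips) and reports bytes sitting after the PKCS#7 blob inside each entry, plus any overlay after the table. `build_sample_pe` constructs a minimal PE32 stub with a placeholder DER SEQUENCE so the check can be run offline; the function names are mine.

```python
import struct

WIN_CERT_HDR = struct.Struct("<IHH")  # dwLength, wRevision, wCertificateType

def der_total_length(blob: bytes) -> int:
    """Size of the outer DER element (tag + length bytes + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def security_directory(pe: bytes):
    """(file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, data directory index 4."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24  # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    return struct.unpack_from("<II", pe, dirs + 4 * 8)

def check_signature_slack(pe: bytes) -> dict:
    """Count bytes inside the signed file that the Authenticode hash never covers."""
    sec_off, sec_size = security_directory(pe)
    result = {"signed": sec_size > 0, "entries": 0, "cert_slack": 0, "overlay_after_cert": 0}
    if not result["signed"]:
        return result
    pos, end = sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, _rev, _ctype = WIN_CERT_HDR.unpack_from(pe, pos)
        if length < 8:
            break
        blob = pe[pos + 8:pos + length]
        result["cert_slack"] += len(blob) - der_total_length(blob)  # bytes after the PKCS#7
        result["entries"] += 1
        pos += (length + 7) & ~7  # entries are 8-byte aligned
    result["overlay_after_cert"] = len(pe) - end  # data appended past the certificate table
    return result

def build_sample_pe(slack: bytes = b"", overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 stub with a placeholder DER SEQUENCE as its 'signature'."""
    cert = b"\x30\x03\x02\x01\x01" + slack  # not a real PKCS#7, just a valid DER outer element
    entry = WIN_CERT_HDR.pack(8 + len(cert), 0x0200, 0x0002) + cert
    entry += b"\0" * (-len(entry) % 8)
    e_lfanew, opt_size = 0x40, 96 + 16 * 8
    sec_off = e_lfanew + 24 + opt_size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, sec_off, len(entry))
    return dos + file_hdr + struct.pack("<H", 0x10B) + b"\0" * 94 + bytes(dirs) + entry + overlay
```

A non-zero `cert_slack` or `overlay_after_cert` on a file whose signature still verifies is the condition the video describes and is worth a closer look at the file, not proof of tampering by itself.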
