...as it hides in legitimate files having valid digital signatures...
I've done extensive research on Microsoft's digital signatures of executables (AuthentiCode).
Practically, it is not possible to alter the executable code of a signed application without invalidating the AuthentiCode signature. Theoretically it is possible, but the world lacks the cryptographic computing power and knowledge to make this a realistic attack.
What is possible however is to add data in non-executable locations of a signed application without invalidating the signature. But this added content is harmless; it can't be executed automatically.
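One place where such data can sit without touching the signed hash is the Authenticode signature blob itself: the WIN_CERTIFICATE entry in the PE security directory is excluded from the hash, so bytes appended after the DER-encoded PKCS#7 structure do not invalidate the signature. The following is an added example, not code from the commenter or from Microsoft, showing how a defender can measure that slack: it parses the PE headers, reads the WIN_CERTIFICATE entry, takes the outer DER length of the SignedData structure, and reports how many bytes in the entry are not accounted for by it (up to 7 bytes of 8-byte alignment padding are normal). The sample image and the `FAKE_PKCS7` blob are constructed stand-ins with only the DER framing the check needs; nothing in them is a real signature.

```python
import struct

# Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE wrapping
# the signedData OID and zero filler. It is NOT a valid signature; it only
# carries the outer DER framing that the check below relies on.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
FAKE_PKCS7_BODY = SIGNED_DATA_OID + bytes(300)
FAKE_PKCS7 = b"\x30\x82" + struct.pack(">H", len(FAKE_PKCS7_BODY)) + FAKE_PKCS7_BODY

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_tlv_length(buf, off=0):
    """Total encoded length (tag + length + value) of the DER element at
    buf[off]; raises when the declared length runs past the buffer."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    first = buf[off + 1]
    if first < 0x80:                       # short-form length
        hdr, val = 2, first
    else:                                  # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or off + 2 + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        hdr = 2 + n
        val = int.from_bytes(buf[off + 2:off + 2 + n], "big")
    if off + hdr + val > len(buf):
        raise ValueError("DER length exceeds buffer")
    return hdr + val


def security_directory(pe):
    """(file_offset, size) of the Authenticode security directory, or (0, 0)
    when the image carries none."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                     # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                   # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", pe, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    # Unlike the other directories, this entry holds a file offset, not an RVA.
    return struct.unpack_from("<II", pe, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def certificate_table_slack(pe):
    """Bytes inside the WIN_CERTIFICATE entry that the DER SignedData structure
    does not account for. Returns None for an unsigned image."""
    off, size = security_directory(pe)
    if size == 0:
        return None
    if off + size > len(pe):
        raise ValueError("security directory runs past end of file")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected WIN_CERTIFICATE revision/type")
    if dw_length > size:
        raise ValueError("WIN_CERTIFICATE dwLength exceeds directory size")
    der_len = der_tlv_length(pe[off + 8:off + dw_length])
    return dw_length - 8 - der_len


def is_suspicious_slack(pe, allowed=7):
    """True when the entry holds more than 8-byte alignment padding."""
    extra = certificate_table_slack(pe)
    return extra is not None and extra > allowed


def build_sample_pe(slack=0):
    """Constructed minimal PE32+ image: headers plus one WIN_CERTIFICATE that
    carries FAKE_PKCS7 followed by `slack` extra bytes (hypothetical input)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    header_len = 64 + 4 + 20 + 240                          # certificate follows headers
    cert_body = FAKE_PKCS7 + b"A" * slack
    dw_length = 8 + len(cert_body)
    dw_length_aligned = (dw_length + 7) & ~7                # spec rounds to 8 bytes
    cert = struct.pack("<IHH", dw_length_aligned, WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body
    cert += bytes(dw_length_aligned - dw_length)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     header_len, dw_length_aligned)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for extra in (0, 64):
        sample = build_sample_pe(extra)
        print(extra, certificate_table_slack(sample), is_suspicious_slack(sample))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `certificate_table_slack`; the result says nothing about whether the signature verifies (that is a separate cryptographic check), only whether the signed file carries bytes that the signature does not cover.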