I haven't read the docs, but from the wikileaks page describing it, I assume the malware "wraps" any exe. If it then manages to "unwrap" (on save?) and disappear before crypto checks happen, then they don't need actual need to attack the crypto.