At this point, the simplest explanation is that it actually is malware. A more credible explanation than security researchers making something that looks this much like malware, but actually isn't.

Even the WHOIS response gives "Privacy service provided by Withheld for Privacy ehf" under the contact field. The developers claim to be living in the UK, but don't provide any legal identity - and it's not hard; you don't even need to be a British resident to start a shell company in Britain.

because they know how to sell software. cloused source. for windows. things gov mandate allows plenty of budget. etc.