Malware can do a whole host of things on a hot computer, from installing keyloggers and replacing your destinations with theirs, to appearing to sign your own transaction but, when you choose to broadcast, signing and broadcasting theirs. They can even alter the cryptographic libraries so that it seems you are signing and broadcasting your own, and indeed that is true from a blockchain perspective, but they will know how to work out your private key afterwards.
This is all useless if the transaction is verified and signed on cold Electrum.
The last thing malware will do is choose to give the coins to a miner by using SIGHASH_NONE.
Yes, but first the attacker will try to modify the transaction in the hope that the miner won't notice the SIGHASH_NONE.
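
One way to check for the SIGHASH_NONE case discussed above before a signed transaction leaves the offline machine, as an added example that is not part of the original posts and is not Electrum's code: it lists the sighash flag of every signature in a raw transaction so anything other than plain SIGHASH_ALL can be refused. It assumes legacy (non-segwit) serialization; the function names and the sample transaction with its dummy signature bytes are constructed for illustration.

```python
SIGHASH_NAMES = {0x01: "ALL", 0x02: "NONE", 0x03: "SINGLE"}

def read_varint(buf, pos):  # Bitcoin CompactSize -> (value, next_pos)
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def script_pushes(script):  # yield each data item pushed by a scriptSig
    pos = 0
    while pos < len(script):
        op, pos = script[pos], pos + 1
        if 1 <= op <= 75:
            size = op
        elif op in (0x4C, 0x4D):          # OP_PUSHDATA1 / OP_PUSHDATA2
            width = op - 0x4B
            size, pos = int.from_bytes(script[pos:pos + width], "little"), pos + width
        else:
            continue                       # OP_0 and other opcodes push no data
        yield script[pos:pos + size]
        pos += size

def sighash_flags(raw_tx):
    """Return [(input_index, flag_name)] for each DER signature (0x30, body
    length, body) found in a scriptSig; the byte after the body is the flag."""
    if raw_tx[4] == 0x00:
        raise ValueError("segwit serialization is not handled here")
    count, pos = read_varint(raw_tx, 4)    # skip the 4-byte version
    found = []
    for index in range(count):
        length, pos = read_varint(raw_tx, pos + 36)               # skip outpoint
        script, pos = raw_tx[pos:pos + length], pos + length + 4  # skip sequence
        for item in script_pushes(script):
            if len(item) >= 9 and item[0] == 0x30 and item[1] == len(item) - 3:
                name = SIGHASH_NAMES.get(item[-1] & 0x1F, "UNKNOWN")
                if item[-1] & 0x80:        # SIGHASH_ANYONECANPAY modifier bit
                    name += "|ANYONECANPAY"
                found.append((index, name))
    return found

def unsafe_inputs(raw_tx):
    """Signatures using anything but plain SIGHASH_ALL; do not broadcast if any."""
    return [(i, name) for i, name in sighash_flags(raw_tx) if name != "ALL"]

def sample_tx(flag):
    """Constructed one-input transaction; signature and key bytes are dummies."""
    sig = bytes.fromhex("3006020101020101") + bytes([flag])
    script = bytes([len(sig)]) + sig + bytes([33]) + b"\x02" + b"\x11" * 32
    tx_in = b"\xaa" * 32 + bytes(4) + bytes([len(script)]) + script + b"\xff" * 4
    return b"\x01\x00\x00\x00\x01" + tx_in + b"\x01" + bytes(8) + b"\x01\x51" + bytes(4)
```

An empty result from `unsafe_inputs` means every signature found commits to all inputs and outputs; the check is only meaningful when it runs on the machine that did the signing, not on the hot one.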