Malware authors only put in the minimum effort needed to steal from users. In the past it was pretty easy for them to put up a fake electrum site and then advertise it on google adwords. The ad would show up above search results and newbie users would click on it, download the malware versions and receive bitcoin to wallets created with it only to find the coins stolen shortly afterwards.
Google then upset the apple cart by banning crypto ads completely. No longer could malware authors fool users into downloading their fake version of electrum.
One of them made a last ditch attempt by buying electrum.com and putting up a fake version there. That domain would have attracted type in traffic i.e. users would have typed it in their address bar directly so the malware author didn’t need to depend on google advertising. Fortunately, Electrum developers were able to dissect the malware and present enough evidence to get that site shut down.
The latest method that is being adopted is malware that writes to wallet files and replaces addresses in them with the malware author’s. There have been a couple of cases so far. One reported here and another here.
We don’t know how the malware is getting write access to the filesystem but it may be that write access to some files is all it has in which case using full wallet file encryption may protect you. To do that go to wallet menu > password, enter your password in all 3 fields, check encrypt wallet file and click on ok to save that.