It sounds like what they are doing is capturing PINs and for use in a Trojan process that can then log into remote resources. So when you plug in your card to perform some (authorized) function, the trojan begins accessing other resources in the background.
"By capturing the PIN for the smartcard and binding the certificate, malware can silently use the card to authenticate to secure resources, so long as the card remains physically present in the card reader."
So they aren't stealing the card's credentials for future use. They are using your card in real time to access servers and other resources. A bad situation, since when security gets an alarm and comes over to your workstation to see what's up, you'll actually be sitting there with your card in the reader. You might only be playing Solitaire, but the logs will show data being copied to a server in China.