Due to some perfectly reasonable decisions by Microsoft that failed to predict the future, a reasonably proficient private hacker could choose an appropriate Trojan to embed. The agencies involved in this sort of thing have libraries of them.
Those exploits are chained much like the normal boot process. The boot sector is 512 BYTES. It can't do much, but it can load the boot loader. The boot loader is quite limited, but it can load the 2MB kernel, which loads the rest of the OS.
Similarly, based on what even _I_ can do to a Windows machine that loads a script of my choice, it's pretty clear the intelligence agencies could execute arbitrary code in the sandbox. That limited sandboxed code in turn loads a privilege escalation, which can load a rootkit. Three quick steps to own the machine. With control of the machine, they start looking at network shares and dropping payloads to infect coworkers, probing firewalls from the inside, etc.