AppSuite, OneStart & ManualFinder: The Nexus of Deception

Medium
Published: Tue Sep 16 2025 (09/16/2025, 14:42:09 UTC)
Source: AlienVault OTX General

Description

This analysis reveals connections between three seemingly distinct malicious programs: AppSuite, OneStart, and ManualFinder. The investigation uncovers shared server infrastructure and similar installation patterns, indicating that these programs are most likely created by the same threat actor. OneStart, now distributed as a Chromium-based browser, evolved from earlier versions that used node.exe to run malicious JavaScript. The actors behind these programs have been active for years, distributing malware disguised as utilities such as games, recipe finders, and manual finders. The report highlights the adaptability of these threat actors, who readily morph their software into new forms to evade detection.

AI-Powered Analysis

Last updated: 09/16/2025, 17:03:59 UTC

Technical Analysis

The threat analysis covers three interconnected malicious programs: AppSuite, OneStart, and ManualFinder. They share server infrastructure and show similar installation and operational patterns, strongly indicating a single threat actor behind all three. OneStart is currently distributed as a Chromium-based browser, but it evolved from earlier versions that used node.exe to execute malicious JavaScript. The actors have been active for years and distribute their malware disguised as benign utilities such as games, recipe finders, and manual finders.

The tagged techniques describe a multi-stage chain: user execution of a malicious file (T1204.002) as the entry point, command-line and script execution (T1059 variants, consistent with the PowerShell and node.exe JavaScript execution observed), ingress tool transfer (T1105, formerly named Remote File Copy) to fetch further components, persistence through Registry Run keys or the Startup folder (T1547.001), and proxy execution through the signed system binary rundll32 (T1218.011). Because the chain leans on legitimate system tools, it raises little suspicion on hosts without behavioral monitoring. Browser extensions and desktop-assistant-style applications are used both as a lure and as a persistence vehicle.

The infrastructure includes the domains onestart.io, securebrowser.io and 7df4va.com, and the pulse lists a dozen file hashes, pointing to a broad and evolving campaign. No exploitation of a software vulnerability is reported; initial access depends on the victim running a disguised installer. The persistent risk lies in the actors' ability to re-skin the software and keep evading signature-based detection.
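The following hunt rules turn the techniques described above into detection logic and run it over constructed Sysmon-style event lines. This is an added example written for this page; it is not code from the G DATA report, from the pulse, or from the malware. Event field names follow Sysmon (EventID 1 process creation, 13 registry value set, 22 DNS query), the file, key and command-line values are invented, and the assumption that the droppers run from user-writable paths such as AppData or Downloads is the author's, not a fact stated by the report.

```python
"""Hunt rules for the OneStart/AppSuite/ManualFinder TTPs, run over constructed
Sysmon-style events. Added example; not from the report or the malware."""
import re
from dataclasses import dataclass

# Domains listed in the pulse's IoC section.
IOC_DOMAINS = {"7df4va.com", "www.7df4va.com", "onestart.io", "securebrowser.io"}

# Assumption: the droppers and the node.exe runtime live in user-writable paths.
USER_WRITABLE = re.compile(r"\\(AppData|Downloads|Temp|ProgramData)\\", re.I)
# Key=value or Key="quoted value" pairs as they appear in the sample lines.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    technique: str
    reason: str
    event: dict


def parse_event(line: str) -> dict:
    """Parse one event line into a field dict (quoted values may contain spaces)."""
    return {k: (q if q else u) for k, q, u in KV.findall(line)}


def _user_writable(text: str) -> bool:
    return USER_WRITABLE.search(text) is not None


def evaluate(ev: dict) -> list:
    """Apply every rule to one parsed event and return the matching findings."""
    out = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if eid == "1":
        # The pre-Chromium OneStart pattern: node.exe running a .js from a user path.
        if image.endswith("\\node.exe") and re.search(r"\.js\b", cmd, re.I) and _user_writable(cmd):
            out.append(Finding("T1059.007", "node.exe executing JavaScript from a user-writable path", ev))
        # Encoded PowerShell is rarely legitimate on a workstation.
        if image.endswith("\\powershell.exe") and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\s", cmd):
            out.append(Finding("T1059.001", "PowerShell launched with an encoded command", ev))
        # rundll32 proxying a DLL that does not live under a system directory.
        if image.endswith("\\rundll32.exe") and _user_writable(cmd):
            out.append(Finding("T1218.011", "rundll32.exe loading a DLL from a user-writable path", ev))
    elif eid == "13":
        target = ev.get("TargetObject", "")
        if re.search(r"\\CurrentVersion\\Run\\", target, re.I) and _user_writable(ev.get("Details", "")):
            out.append(Finding("T1547.001", "Run key points into a user-writable path", ev))
    elif eid == "22":
        # Match the IoC domains and any subdomain of them (trailing dot tolerated).
        q = ev.get("QueryName", "").lower().rstrip(".")
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            out.append(Finding("IoC domain", f"DNS query for IoC domain {q}", ev))
    return out


def hunt(lines) -> list:
    findings = []
    for line in lines:
        findings.extend(evaluate(parse_event(line)))
    return findings


# Constructed sample telemetry: five malicious lines followed by three benign ones.
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Users\alice\AppData\Local\OneStart\node.exe" CommandLine="node.exe C:\Users\alice\AppData\Local\OneStart\app.js" ParentImage="C:\Users\alice\Downloads\ManualFinder-Setup.exe"',
    r'EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -w hidden -enc SQBFAFgAIAAuAC4ALgA=" ParentImage="C:\Users\alice\AppData\Local\OneStart\node.exe"',
    r'EventID=1 Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32.exe C:\Users\alice\AppData\Roaming\AppSuite\helper.dll,Start"',
    r'EventID=13 TargetObject="HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneStart" Details="C:\Users\alice\AppData\Local\OneStart\OneStart.exe"',
    r'EventID=22 Image="C:\Users\alice\AppData\Local\OneStart\node.exe" QueryName="www.7df4va.com"',
    r'EventID=1 Image="C:\Program Files\Google\Chrome\Application\chrome.exe" CommandLine="chrome.exe --profile-directory=Default"',
    r'EventID=13 TargetObject="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth" Details="C:\Windows\system32\SecurityHealthSystray.exe"',
    r'EventID=22 Image="C:\Program Files\Google\Chrome\Application\chrome.exe" QueryName="www.example.com"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.reason}")
```

The rules deliberately key on location and argument shape rather than on file names, because the report's point is that the actor renames and re-skins the same tooling; a rule that looks for "OneStart.exe" would be stale after the next rebrand, while "node.exe executing a script from AppData" survives it.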

Potential Impact

For European organizations this threat presents a moderate risk, primarily because of its stealth and persistence rather than any technical sophistication. The disguise as a legitimate utility makes user execution likely, and a foothold can lead to unauthorized access, data exfiltration, or deployment of further malware. Living-off-the-land binaries and PowerShell scripts complicate detection and response and can allow a prolonged presence on the network. Organizations whose users routinely install freeware utilities or browser extensions from untrusted sources are the most exposed. Because the actors re-skin their software regularly, signature-based defenses alone are unlikely to keep up. No vulnerability exploitation is reported, but the malware's persistence and arbitrary code execution can affect the confidentiality and integrity of sensitive data, disrupt operations, and erode trust in the IT environment. Entities with less mature endpoint detection and response capabilities, or with extensive use of third-party utilities, face the highest exposure.

Mitigation Recommendations

1. Deploy endpoint detection and response (EDR) tooling that flags living-off-the-land activity and anomalous PowerShell use (encoded commands, hidden windows, in-memory script downloads).
2. Enforce application control (allowlisting) so that node.exe and other script interpreters cannot run from user-writable paths such as AppData or Downloads.
3. Train users on the risk of installing free utilities and browser extensions from untrusted sources; this family spreads as games, recipe finders and manual finders.
4. Monitor for, and block, DNS resolution of and connections to the IoC domains (onestart.io, securebrowser.io, 7df4va.com and www.7df4va.com) at the perimeter firewall and DNS layer.
5. Use behavioral analytics to flag unusual installation patterns and persistence mechanisms, in particular Run-key entries (T1547.001) created by desktop-assistant-style applications or browser extensions.
6. Audit installed software and browser extensions regularly and remove anything unauthorized or suspicious.
7. Keep threat-intelligence feeds current so that new hashes and domains for this family are picked up quickly.
8. Restrict PowerShell and Node.js execution to trusted, signed scripts where possible, and enable PowerShell Script Block Logging (Event ID 4104) and module logging so that script content is recorded.
9. Apply multi-factor authentication and least privilege to limit what a compromised user account can reach.
10. Prepare incident response playbooks that cover detection and eradication of malware relying on living-off-the-land techniques.
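Recommendations 6 and 7 come down to sweeping hosts for the published file hashes. The following is an added example for this page, not code from the report or the pulse: it indexes the IoC hashes by algorithm (the pulse does not label them, so the algorithm is inferred from digest length: 32 hex characters is MD5, 40 is SHA-1, 64 is SHA-256), hashes every file under a directory in a single pass, and reports matches. The scratch directory, the file names and the stand-in empty-file digest used by demo() are constructed so the example can run offline.

```python
"""IoC hash sweep for the AppSuite/OneStart/ManualFinder pulse. Added example;
not code from the report. Algorithm is inferred from digest length."""
import hashlib
import os
import tempfile
from pathlib import Path

# Hash values from the pulse's IoC section, copied verbatim.
IOC_HASHES = {
    "c9e85b19c02828f4992c79f6de18e929",
    "e159d860d0cfa59816c686e4a9914113",
    "484539b10b659fb4ab48e79bb0de0d0879153426",
    "6a31d1cdbdca9fa951fff2ffd5dc3d52d45102bd",
    "1ff8268fa64c8f55eb750c4433c1e9e47dc7359b7fcc653215423ed3fe5d8b4d",
    "44ad9111f14c83be400bba303df5dc54ab699bb4f6e8144d052ac19812cd4fac",
    "6b6fc62a294d5ef1c619d623f1cf6d735d9f191df9ef5c745b0881b1e01b8565",
    "77e4dab34cb6c2169c47463b4ed81efe61185446c304b392dd9b0cbe2b31c67c",
    "7ad613dee75da11ef9b7a92823bda3e290491e245956f5a192a3207a5f11d9a0",
    "90b2e64ce4c6b2a0048158755281466b60b83ac1a8b43bb28614ec67c9fe52eb",
    "a704398d2446d297938d773f22e3a703b8e8b9a411edcf0f821dff6e975f2724",
    "be50abcaa65744e1d62ed858911a8ed665a4743a1f1e6db515cbd661052bd3f9",
}
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(digest: str) -> str:
    """Return the hash algorithm name for a hex digest, based on its length."""
    d = digest.strip().lower()
    if len(d) not in ALGO_BY_LEN or set(d) - set("0123456789abcdef"):
        raise ValueError(f"not a supported hex digest: {digest!r}")
    return ALGO_BY_LEN[len(d)]


def index_iocs(hashes) -> dict:
    """Group the IoC digests by algorithm so each file digest is a set lookup."""
    idx = {algo: set() for algo in ALGO_BY_LEN.values()}
    for h in hashes:
        idx[classify(h)].add(h.strip().lower())
    return idx


def digests(path, chunk_size=1 << 20) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a file in one read pass."""
    hashers = {algo: hashlib.new(algo) for algo in ALGO_BY_LEN.values()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def sweep(root, hashes=IOC_HASHES) -> list:
    """Walk root and return (path, algorithm, digest) for every IoC match."""
    idx = index_iocs(hashes)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            try:
                d = digests(path)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            for algo, hexd in d.items():
                if hexd in idx[algo]:
                    hits.append((str(path), algo, hexd))
    return hits


# SHA-256 of an empty file; a constructed stand-in IoC so the demo can hit offline.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def demo() -> list:
    """Build a scratch tree (one benign file, one empty file) and sweep it
    against the real IoC set plus the stand-in digest."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "notes.txt").write_text("nothing to see here\n")
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "dropper.bin").write_bytes(b"")
        hits = sweep(tmp, IOC_HASHES | {EMPTY_SHA256})
    return [(Path(p).name, algo, hexd) for p, algo, hexd in hits]


if __name__ == "__main__":
    for name, algo, hexd in demo():
        print(f"IoC match: {name} ({algo}) {hexd}")
```

A hash sweep only catches the exact builds listed; given how often this actor re-skins the software, treat a clean sweep as "these particular samples are absent", not as "the host is clean", and pair it with the behavioral checks from recommendation 5.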

Technical Details

Author: AlienVault
TLP: WHITE
References: https://www.gdatasoftware.com/blog/2025/09/38262-appsuite-onestart-deception
Adversary: not attributed
Pulse ID: 68c97741ac9d67d0e0c4c44b
Threat Score: none

Indicators of Compromise

Hashes (algorithm inferred from digest length; the pulse does not label them)

MD5
c9e85b19c02828f4992c79f6de18e929
e159d860d0cfa59816c686e4a9914113

SHA-1
484539b10b659fb4ab48e79bb0de0d0879153426
6a31d1cdbdca9fa951fff2ffd5dc3d52d45102bd

SHA-256
1ff8268fa64c8f55eb750c4433c1e9e47dc7359b7fcc653215423ed3fe5d8b4d
44ad9111f14c83be400bba303df5dc54ab699bb4f6e8144d052ac19812cd4fac
6b6fc62a294d5ef1c619d623f1cf6d735d9f191df9ef5c745b0881b1e01b8565
77e4dab34cb6c2169c47463b4ed81efe61185446c304b392dd9b0cbe2b31c67c
7ad613dee75da11ef9b7a92823bda3e290491e245956f5a192a3207a5f11d9a0
90b2e64ce4c6b2a0048158755281466b60b83ac1a8b43bb28614ec67c9fe52eb
a704398d2446d297938d773f22e3a703b8e8b9a411edcf0f821dff6e975f2724
be50abcaa65744e1d62ed858911a8ed665a4743a1f1e6db515cbd661052bd3f9

Domains
7df4va.com
onestart.io
securebrowser.io
www.7df4va.com

Threat ID: 68c9985a238a0184d6560ed8

Added to database: 9/16/2025, 5:03:22 PM

Last enriched: 9/16/2025, 5:03:59 PM

Last updated: 9/17/2025, 5:11:11 AM