
New malware campaign discovered via ManualFinder

Severity: Medium
Published: Wed Sep 03 2025 (09/03/2025, 20:12:08 UTC)
Source: AlienVault OTX General

Description

A global malware infection of Windows computers has been uncovered, stemming from software that users installed themselves. The malware, disguised as legitimate PDF editors and "manual finder" tools (ManualFinder), turns infected systems into residential proxies for the operators. The infection chain starts with deceptive ads posing as PDF manuals. The campaign, which appears to have ceased, was widespread because of large-scale advertising. The malware creates scheduled tasks, executes JavaScript files, and communicates with various C2 domains. It is potentially linked to the OneStart Browser, known for spreading spyware and adware. The Dutch NCSC (NCSC-NL), which reported the campaign, advises blocking access to the related domains, checking systems for the named applications, and removing software signed by certain certificate issuers.

AI-Powered Analysis

AI analysis last updated: 09/03/2025, 20:33:25 UTC

Technical Analysis

A campaign targeting Windows systems distributed malware disguised as legitimate PDF editors and "manual finder" tools (ManualFinder). The infection vector was malvertising: ads posing as PDF manuals led users to download and install the fake applications themselves, so initial access relies entirely on user execution rather than on an exploit.

Once installed, the malware persists through scheduled tasks that run JavaScript files, and it contacts several command-and-control (C2) domains for tasking. The distinguishing feature of the campaign is the payload's purpose: infected machines are enrolled as residential proxies, so the operators' traffic (and that of anyone renting the proxy pool) leaves the victim's network from the victim's IP address, which masks the true origin and complicates attribution. The campaign is potentially linked to the OneStart Browser, a known distributor of spyware and adware, which points to a broader ecosystem of unwanted-software distribution rather than a one-off operation.

The behaviour maps to the following MITRE ATT&CK techniques: scheduled task persistence (T1053.005), JavaScript execution (T1059.007), masquerading under a legitimate-looking application name (T1036.005), user execution of a malicious file (T1204.002), abuse of code-signing certificates (T1553.002), system binary proxy execution via msiexec (T1218.007), autostart via Run keys or the Startup folder (T1547.001), bidirectional C2 over a web service (T1102.002), packed or otherwise obfuscated payloads (T1027.002), and C2 over standard web protocols (T1071.001).

Although the campaign appears to have ceased, large-scale advertising gave it a wide global footprint, so dormant installs should still be expected on unmanaged endpoints. NCSC-NL, which reported the campaign, recommends blocking the associated domains, auditing systems for the named applications, and removing software signed by the certificate issuers tied to the distribution chain (the issuer names are not reproduced in this pulse; see the reference).

Potential Impact

For European organizations, this campaign poses several risks. Turning infected systems into residential proxies lets third parties anonymize attacks, send spam, or run fraudulent transactions from the victim's IP space, so the victim's addresses end up on abuse lists and in other parties' incident reports. The spyware and adware components of the associated ecosystem can lead to data leakage, privacy violations, and potential intellectual property theft. Scheduled-task persistence and JavaScript execution from those tasks make detection and removal harder and can allow long-term unauthorized access. The use of legitimate-looking software and abused code-signing certificates undermines trust in software supply chains and weakens signature-based allowlisting. Because the lure is deceptive advertising, employees in organizations with less mature security-awareness programs are more likely to install the software. Proxy traffic also consumes bandwidth and can degrade network performance. Finally, the indirect reputational damage and the potential GDPR implications of unauthorized data processing on compromised endpoints further raise the threat for European entities.

Mitigation Recommendations

European organizations should apply a layered defense tailored to this campaign. First, tune endpoint detection to flag and block installation of unauthorized PDF editors or manual-finder applications, especially those not sourced from verified vendors. Use application control (for example AppLocker or WDAC) to block unapproved installers and to restrict the script hosts (wscript.exe, cscript.exe) so that the JavaScript stage launched from scheduled tasks cannot run. On the network, block the listed C2 and distribution domains and watch for outbound patterns consistent with proxy use: user endpoints holding long-lived connections to a small set of servers while relaying traffic to many unrelated destinations. Audit installed software and Authenticode signers regularly to identify and remove applications signed by issuers the organization does not trust. User awareness training should cover the risks of downloading software from unverified sources and of following download ads. Hunt for the persistence mechanisms directly: scheduled tasks whose actions invoke script hosts, and obfuscated JavaScript files in user-writable locations. Consume threat-intelligence feeds referencing this campaign to pick up new indicators, and segment the network so that an infected endpoint cannot reach sensitive systems and can be isolated quickly.
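As an added example (editor's code, not from the pulse or the NCSC-NL advisory), the following PowerShell script performs the host-side checks from the Technical Analysis and Mitigation sections in one pass: it lists scheduled tasks that launch JavaScript through wscript/cscript or reference the product names, installed applications matching those names, the Authenticode issuers of binaries under each user's AppData\Local, and DNS-cache entries that match the IoC domains on this page. The domain list is the page's own; the name pattern ('OneStart', 'ManualFinder', 'PDF Editor'), the choice of wscript/cscript as the script host, and the AppData\Local search root are assumptions. The page names no certificate issuer, so the signer step reports issuers for an analyst to review rather than matching a list.

```powershell
# Added example (editor's code, not from the pulse or NCSC-NL): triage one Windows host for the
# ManualFinder/OneStart campaign. Run in an elevated PowerShell 5.1+ session.
# Assumptions (not from the page): the name pattern below matches the installed apps and tasks;
# the JavaScript stage is run via wscript/cscript; installers land under each user's AppData\Local.

# C2 / distribution domains as listed on this page
$iocDomains = @(
    'allpdflive.com','businesspdf.com','convertpdfplus.com','easyonestartpdf.com',
    'fastonestartpdf.com','getonestart.co','getonestartpdf.com','getpdfonestart.com',
    'getsmartpdf.com','gopdfhub.com','gopdfmanuals.com','justpdflab.com',
    'manualsbyonestart.com','mypdfonestart.com','onestartbrowser.com','pdf-central.com',
    'pdfappsuite.com','pdfdoccentral.com','pdfeditorplus.com','pdfonestart.com',
    'pdfonestarthub.com','pdfonestartlive.com','pdfonestarttoday.com','pdforsmartminds.com',
    'printwithonestart.com','proonestarthub.com','proonestartpdf.com','quickfastpdf.com',
    'quickpdfmanuals.com','smartonestartpdf.com','smartviewpdf.com'
)
$namePattern = '(?i)onestart|manual ?finder|pdf ?editor'   # assumption: product/task naming

# 1. Scheduled tasks that run a .js file through a script host, or reference the product names
#    (T1053.005 / T1059.007). Each action exposes Execute (binary) and Arguments.
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $runsJs = ($cmd -match '(?i)\b(wscript|cscript)(\.exe)?\b') -and ($cmd -match '(?i)\.js\b')
        if ($runsJs -or ($cmd -match $namePattern)) {
            [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Author = $task.Author; Command = $cmd }
        }
    }
}

# 2. Installed applications (per-machine and current-user uninstall keys) matching the names
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$suspectApps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $namePattern } |
    Select-Object DisplayName, Publisher, InstallLocation, UninstallString

# 3. Authenticode signers of binaries under each user's AppData\Local (assumed drop location),
#    grouped by issuer so an analyst can spot an issuer they do not trust and then remove
#    everything it signed, as the advisory recommends. No issuer is matched automatically.
$signed = foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $root = Join-Path $profile.FullName 'AppData\Local'
    Get-ChildItem -Path $root -Recurse -Depth 3 -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.SignerCertificate) {
                [pscustomobject]@{
                    File   = $_.FullName
                    Status = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
                    Signer = $sig.SignerCertificate.Subject
                    Issuer = $sig.SignerCertificate.Issuer
                }
            }
        }
}
$issuerSummary = $signed | Group-Object Issuer | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Issuer'; e = { $_.Name } }, @{ n = 'Files'; e = { $_.Group.File } }

# 4. DNS client cache: exact match or subdomain of an IoC domain. A plain substring test would
#    also flag unrelated names that merely contain 'pdfonestart', so match on label boundaries.
$dnsHits = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry.ToLowerInvariant().TrimEnd('.')
    [bool]($iocDomains | Where-Object { $entry -eq $_ -or $entry.EndsWith(".$_") })
} | Select-Object Entry, Data

# 5. Print the findings, and write the domain list for the DNS sinkhole / proxy blocklist
$report = [ordered]@{
    SuspectScheduledTasks = @($suspectTasks)
    SuspectApplications   = @($suspectApps)
    SignerIssuers         = @($issuerSummary)
    DnsCacheHits          = @($dnsHits)
}
foreach ($section in $report.GetEnumerator()) {
    Write-Host "== $($section.Key): $($section.Value.Count) =="
    $section.Value | Format-Table -AutoSize | Out-Host
}
$iocDomains | Set-Content -Path "$env:TEMP\manualfinder-block-domains.txt"
```

Two caveats when using it: the HKCU uninstall key covers only the account running the script, so per-user installs by other users need their NTUSER.DAT hives loaded (or a sweep of each profile's AppData, which step 3 partly provides); and the DNS cache is short-lived, so an empty result there says nothing about past infection. Treat every hit as a lead to confirm against the hashes on this page before removal, not as a verdict.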


Technical Details

Author
AlienVault
Tlp
white
References
["https://www.ncsc.nl/actueel/nieuws/2025/08/29/nieuwe-malwarecampagne-ontdekt-via-manualfinder"]
Adversary
null
Pulse Id
68b8a1182ec5c19a3c05af6f
Threat Score
null

Indicators of Compromise

Hash

MD5
192b80bab47bce9b96f683409db2fe61
213eca72f00563fa2ed788a1212c67e0
56fff546ce738e76884611ca49c5751c
62e43638548bbe4909eaf8408d8b5686
6b5e479394633f4af9957df1d847c665
6fd6c053f8fcf345efaa04f16ac0bffe
a5d7966e70b62f95ec2e3d18f5f8ab2a
b87167c7e4d8c0b180fc6a6a6643069c

SHA-1
1b77beedb0b99bf5430c1a18315302399d07812c
1eb5be9e5662811fa1412287fa8e5a2d88d0a4d2
21df00ac8bf8baa1111f3fc564d27a9eabf0f097
2ecd25269173890e04fe00ea23a585e4f0a206ad
99201eee9807d24851026a8e8884e4c40245fac7
a2278eb6a438dc528f3ebfeb238028c474401bef
c60c964e4e0d40e5d038950d75db60b84d4cd911
d249a92c9594c0410570a01abe2fce4cd16f762d
e0db7b5eaf92feff220c805b0e5f3d8916e18d51
f734dc5fb78cf67e63eae2830e656a70c015db15

SHA-256
372d89d7dd45b2120f45705a4aa331dfff813a4be642971422e470eb725c4646
46c9f63648d1a0fab977ec7b921ee1111a85402591984b12bd41391ecb2f5d6e
6bf2cc4e9d9901541214d7efc8bb8bb24ef5bddc238598333c843e421c042c6b
71edb9f9f757616fe62a49f2d5b55441f91618904517337abd9d0725b07c2a51
cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c
d9f9584f4f071be9c5cf418cae91423c51d53ecf9924ed39b42028d1314a2edc
da3c6ec20a006ec4b289a90488f824f0f72098a2f5c2d3f37d7a2d4a83b344a0
e95de8452d32b439e0286868ed16f63943af3bc059dca6bcb48d1cbe2431440e
ed797beb927738d68378cd718ea0dc74e605df0e66bd5670f557217720fb2871
fde67ba523b2c1e517d679ad4eaf87925c6bbf2f171b9212462dc9a855faa34b

Domain

allpdflive.com
businesspdf.com
convertpdfplus.com
easyonestartpdf.com
fastonestartpdf.com
getonestart.co
getonestartpdf.com
getpdfonestart.com
getsmartpdf.com
gopdfhub.com
gopdfmanuals.com
justpdflab.com
manualsbyonestart.com
mypdfonestart.com
onestartbrowser.com
pdf-central.com
pdfappsuite.com
pdfdoccentral.com
pdfeditorplus.com
pdfonestart.com
pdfonestarthub.com
pdfonestartlive.com
pdfonestarttoday.com
pdforsmartminds.com
printwithonestart.com
proonestarthub.com
proonestartpdf.com
quickfastpdf.com
quickpdfmanuals.com
smartonestartpdf.com
smartviewpdf.com

Threat ID: 68b8a26bad5a09ad00fa1283

Added to database: 9/3/2025, 8:17:47 PM

Last enriched: 9/3/2025, 8:33:25 PM

Last updated: 9/4/2025, 2:28:34 PM
