Redazione RHC : 30 August 2025 09:49
A complex malware campaign has been discovered, targeting users searching for free PDF editing software. A malicious application, disguised as a legitimate “AppSuite PDF Editor”, is being spread by cybercriminals. The threat actors behind this campaign have demonstrated unprecedented boldness by submitting their malware to antivirus companies as false positives, in an attempt to have the security detections removed.
The installer, built using the open source WiX toolset, immediately downloads the actual PDF editor program from vault.appsuites.ai after execution and acceptance of the End User License Agreement. The malware, packaged as a Microsoft Installer (MSI) file, is distributed via high-profile websites designed to appear as legitimate portals for downloading productivity tools.
The discovery was made by G Data researchers, who identified the malware as a classic Trojan horse containing a sophisticated backdoor component. Initially reported as a potentially unwanted program, the application appeared to offer legitimate PDF editing functionality while concealing its true malicious nature.
Researchers noted that the malware generated significant download activity, with over 28,000 download attempts recorded in their telemetry in just one week, highlighting the campaign’s broad reach and potential impact on users worldwide.
Their analysis revealed that the application is based on the Electron framework, which allows it to function as a cross-platform desktop application using JavaScript. The malware operates through a complex system of command-line options that control various backdoor capabilities. When executed without specific parameters, the application launches an installation routine that registers the infected system with the command and control servers located at appsuites.ai and sdk.appsuites.ai.
The malware's command-line options select what the developers internally call "wc routines", including the -install, -ping, -check, -reboot, and -cleanup functions. Each routine has a specific purpose in maintaining the compromised system and facilitating remote control.
The registration process involves obtaining a unique installation ID and creating persistent scheduled tasks named "PDFEditorScheduledTask" and "PDFEditorUScheduledTask", which ensure the malware remains active on the compromised system. The persistence strategy involves creating multiple scheduled tasks with carefully calculated execution delays.
The primary scheduled task runs 1 day, 0 hours, and 2 minutes after installation, and is specifically designed to evade automated sandbox detection systems, which typically do not monitor for such extended periods. Additionally, the malware targets popular browsers, including Wave, Shift, OneLaunch, Chrome, and Edge, by extracting encryption keys and manipulating browser preferences to maintain long-term access to user data and credentials.
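A defender-side check for the persistence pattern described above (the two task names, a registration delay of a day or more, and actions pointing at the appsuites.ai domains), written as an added example and not code from the article or from G Data. It parses tasks in the Task Scheduler XML export format; the sample exports, the file paths and the benign "ExampleVendorUpdater" task are constructed for the demo, while the delay value P1DT0H2M encodes the 1 day, 0 hours, 2 minutes reported above.

```python
import re
import xml.etree.ElementTree as ET

# Indicators named in the article: the persistence task names and C2 domains.
SUSPICIOUS_TASK_NAMES = {"PDFEditorScheduledTask", "PDFEditorUScheduledTask"}
C2_DOMAINS = ("appsuites.ai",)          # also matches sdk. and vault. subdomains
LONG_DELAY_SECONDS = 24 * 3600          # a day or more: the sandbox-evasion delay
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_iso_duration(text):
    """Convert a Task Scheduler delay such as 'P1DT0H2M' into seconds."""
    m = DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds

def assess_task(name, task_xml):
    """Return the reasons an exported task matches the backdoor's persistence pattern."""
    root = ET.fromstring(task_xml)
    reasons = []
    if name in SUSPICIOUS_TASK_NAMES:
        reasons.append(f"task name is a known indicator: {name}")
    for delay in root.findall(".//t:Delay", NS):          # any trigger's <Delay>
        if parse_iso_duration(delay.text) >= LONG_DELAY_SECONDS:
            reasons.append(f"trigger delay {delay.text} is a day or longer")
    for node in root.findall(".//t:Command", NS) + root.findall(".//t:Arguments", NS):
        if any(dom in (node.text or "").lower() for dom in C2_DOMAINS):
            reasons.append(f"action references C2 domain: {node.text}")
    return reasons

# Constructed sample exports in Task Scheduler XML shape (not real captures);
# the executable paths and the benign updater task are invented for the demo.
SAMPLES = {
    "PDFEditorScheduledTask": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><RegistrationTrigger><Delay>P1DT0H2M</Delay></RegistrationTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\demo\\AppData\\Local\\Programs\\PDF Editor\\pdfeditor.exe</Command>
  <Arguments>-ping</Arguments></Exec></Actions></Task>""",
    "ExampleVendorUpdater": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Delay>PT10M</Delay></BootTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Example\\updater.exe</Command></Exec></Actions></Task>""",
}

if __name__ == "__main__":
    for task_name, task_xml in SAMPLES.items():
        print(task_name, "->", "; ".join(assess_task(task_name, task_xml)) or "clean")
```

On a live host the same function can be fed the output of `schtasks /query /xml /tn <name>` for each registered task.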