Warning: Trojanized infostealer campaign (AppSuite PDF editor / ManualFinder). Immediate action required!

Published: 02/09/2025

Last update: 01/09/2025

Type:

  • Infostealer

Sources

TrueSec - https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor

Risks

A recent malicious campaign has been observed delivering trojanized applications disguised as a PDF editor or as a product-manual finder. The malware can steal credentials and turn the compromised Windows device into a proxy.

Multiple incidents have been reported; immediate action is required.

Description

The malware—commonly referred to as “AppSuite-PDF”, “PDFEditor” or “ManualFinder”—is actively distributed through deceptive online advertisements and malicious links positioned prominently in search results. These links often redirect users to websites that appear legitimate and professional but deliver a trojanized application.

A single click on one of these links is enough to download and install the malware. Any user relying on advertisements to obtain software is at risk of compromise.

Although the applications appear authentic, they covertly install malware with two primary functions: credential theft and proxy creation. Compromised Windows devices are repurposed as proxies, providing threat actors with persistence and further exploitation opportunities.

The malware often remains dormant for weeks, allowing infections to spread undetected. Once activated, it can hijack accounts, weaken security defenses, and establish footholds for additional attacks. This significantly elevates organizational risk by endangering access credentials, disrupting business continuity, and eroding trust.

This is an ongoing campaign, with new distribution techniques and activity continuously being uncovered.

For the latest developments, consult the following resources:

If you are experiencing issues, suspect you are under attack, or have relevant information: https://ccb.belgium.be/cert/report-incident

Recommended Actions

The CCB recommends implementing the following preventive measures.

More measures are available at: Cyber Fundamentals Framework

Organisational Measures

  • Deploy advanced endpoint detection and response (EDR) solutions with behavioural analysis.
  • Implement application allowlisting and code signing verification.
  • Monitor endpoints for suspicious persistence mechanisms (registry keys, scheduled tasks).
  • Establish network monitoring for unusual communications (C2).
  • Use the Indicators of Compromise listed on this webpage for detection and protection purposes.
  • Conduct regular security awareness training focusing on AI-generated threats.
  • Maintain updated threat intelligence feeds.
  • Implement zero-trust architecture principles for running any executable.
  • Implement multifactor authentication.
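The two monitoring items above (persistence mechanisms in registry keys and scheduled tasks) can be turned into a first-pass endpoint triage. The following PowerShell is an added example written for this page; it is not code from the CCB or from the TrueSec write-up, and it uses no indicators from the campaign. It enumerates the Run/RunOnce keys and every scheduled-task action on the local machine and flags entries whose executable lives under a user-writable directory (the directory list and the flagging rule are this example's own assumptions, chosen because legitimately installed software rarely autostarts from there). Run it as an administrator on the endpoint under review.

```powershell
# Added example (not from the CCB advisory): enumerate common Windows persistence
# locations and flag entries that launch from user-writable directories.
# Assumptions: run elevated on the endpoint under review; the directory list and
# the flagging rule are illustrative choices, not indicators from the advisory.

$SuspiciousRoots = @(
    $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC
)

function Test-UserWritablePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Expand %VAR% references and strip a leading quote so "C:\...\app.exe" args still match
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $SuspiciousRoots) {
        if ($root -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = @()

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
        $findings += [pscustomobject]@{
            Source   = 'Registry'
            Location = "$key\$($p.Name)"
            Command  = [string]$p.Value
            Flagged  = Test-UserWritablePath ([string]$p.Value)
        }
    }
}

# 2. Scheduled tasks: the executable and arguments of every exec action
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute path
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $findings += [pscustomobject]@{
            Source   = 'ScheduledTask'
            Location = "$($task.TaskPath)$($task.TaskName)"
            Command  = $cmd
            Flagged  = Test-UserWritablePath $action.Execute
        }
    }
}

# Report: flagged entries first, then everything else for manual review
$findings |
    Sort-Object -Property @{ Expression = 'Flagged'; Descending = $true }, Source |
    Format-Table -AutoSize -Wrap
```

Treat a flagged row as a prompt for review, not a verdict: some vendor updaters and a few Microsoft tasks legitimately run from ProgramData, while a trojanized installer can also drop into Program Files. The value of the listing is that it gives the responder a complete inventory of autostart entries on the host to compare against a known-good build and against the indicators published for this campaign.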

User Education

Organisations should train employees to:

  • Verify application authenticity through official channels.
  • Be suspicious of applications requesting excessive permissions.
  • Report unusual system behaviour immediately.
  • Avoid downloading software from unofficial sources.

How to verify if you're compromised?

To verify if you are compromised, it is recommended to:

Post-Compromise Measures

If your investigation showed you were in fact compromised, the CCB recommends:

  • Reset the credentials of all users, including enterprise credentials, credentials stored in the browser, and all credentials in the operating system vault (Windows Credential Manager).
  • Revoke multifactor authentication sessions/logon sessions due to risks posed by token theft and long-running sessions.
  • Review multifactor authentication methods as well as conditional access, following the principle of least privilege.
  • Wipe and/or reinstall the endpoint to remove all persistence mechanisms.
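The credential-reset and session-revocation steps above are the ones most often done by hand under time pressure. The following PowerShell is an added example for this page, not CCB guidance or the project's own tooling: for a constructed list of affected accounts it resets the on-premises Active Directory password to a random value, forces a change at next logon, and revokes the user's Entra ID sign-in sessions so that refresh tokens stolen from the endpoint stop working. It assumes a hybrid environment with the ActiveDirectory and Microsoft.Graph.Users.Actions modules installed and an operator holding the corresponding rights; the account names are placeholders.

```powershell
# Added example (not from the CCB advisory): bulk credential reset and session
# revocation for accounts identified during the investigation.
# Assumptions: hybrid AD / Entra ID, modules ActiveDirectory and
# Microsoft.Graph.Users.Actions available, operator has password-reset rights in
# AD and the User.RevokeSessions.All Graph permission. Names below are placeholders.

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users.Actions

# Placeholder sAMAccountNames produced by the investigation (constructed values)
$affectedUsers = @('jdoe', 'asmith')

function New-RandomPassword {
    param([int]$Length = 24)
    # Alphabet without look-alike characters; this is a throwaway value the user
    # must replace at next logon, so readability matters more than entropy per char.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

Connect-MgGraph -Scopes 'User.RevokeSessions.All' -NoWelcome

foreach ($sam in $affectedUsers) {
    try {
        $adUser = Get-ADUser -Identity $sam -Properties UserPrincipalName

        # 1. Invalidate the current password immediately (a "change at next logon"
        #    flag alone would leave the old password usable until the user signs in)
        $newPassword = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $adUser -Reset -NewPassword $newPassword
        Set-ADUser -Identity $adUser -ChangePasswordAtLogon $true

        # 2. Revoke cloud sessions so stolen refresh tokens and cookies are rejected
        Revoke-MgUserSignInSession -UserId $adUser.UserPrincipalName | Out-Null

        Write-Output "Reset and revoked: $($adUser.UserPrincipalName)"
    }
    catch {
        # Keep going: one failure must not leave the remaining accounts untouched
        Write-Warning "Failed for ${sam}: $($_.Exception.Message)"
    }
}

Disconnect-MgGraph | Out-Null
```

Two points the script cannot cover: passwords saved in the browser or in Windows Credential Manager may belong to third-party services (SaaS portals, VPNs, supplier extranets) whose resets must be requested at those providers, and session revocation in Entra ID invalidates refresh tokens but existing access tokens remain valid until they expire, so the endpoint should be isolated rather than left online until the wipe in the last step is done.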

Feedback

We kindly ask you to send feedback to info@ccb.belgium.be.

Please include what actions you have taken.

For questions regarding this letter, please consult first our FAQ on Spear Warnings.