Threat Actors Weaponize PDF Editor Trojan to Convert Devices into Proxies

gbhackers.com · Aman Mishra · 7 months ago · research
By Aman Mishra, August 21, 2025

Researchers have uncovered a multi-stage campaign in which trojanized software signed with legitimate code-signing certificates evades detection and turns compromised machines into unwitting residential proxies, according to a recent threat intelligence notice from Expel Security. The operation begins with files bearing the code-signing signature of “GLINT SOFTWARE SDN. BHD.,” a seemingly legitimate entity whose credentials have been abused to lend credibility to malicious payloads.

Malicious Code-Signing

Central to this scheme is a JavaScript dropper that installs a trojan dubbed “ManualFinder.” The dropper is deployed through persistence mechanisms tied to the OneStart Browser, a known problematic application with a history of suspicious behavior. Persistence is achieved via a scheduled task that executes the JavaScript file from the user’s temporary directory, so the malware remains active across system reboots.

Once activated, the JavaScript establishes outbound connections to command-and-control (C2) domains such as mka3e8[.]com and y2iax5[.]com, from which it retrieves and installs the signed ManualFinder executable.

[Image: ManualFinder]

This multi-stage infection chain highlights the attackers’ focus on stealth and reliability: trusted certificates are exploited to bypass both endpoint security controls and user scrutiny.

Dual-Function Malware

Further analysis reveals the insidious nature of the payloads involved. One of the signed files masquerades as a benign PDF editor but harbors trojan capabilities that covertly reconfigure the compromised device into a residential proxy node.
This transformation allows threat actors to route malicious traffic through the victim’s IP address, anonymizing their operations while potentially implicating the infected user in illicit activity.

The ManualFinder application, when executed in a controlled sandbox environment, presents itself as a legitimate utility for locating product manuals, complete with working search features. Its deployment context, however, raises alarms: it is installed involuntarily via the OneStart Browser, even though the associated website promotes it as a free tool without offering any direct download. This discrepancy suggests a deliberate strategy of distributing the malware through bundled or hijacked software channels, capitalizing on OneStart’s established reputation for sketchy practices.

According to the report, Expel’s investigation underscores how such dual-purpose malware blends utility with malice, complicating detection because the benign facade can deceive both users and automated scanners. The campaign reflects an evolving threat landscape in which attackers weaponize everyday productivity tools, turning them into vectors for proxy networks that support activities such as distributed denial-of-service attacks, data exfiltration, or anonymized cyber espionage.

The implications of this trojan are significant for cybersecurity professionals: it demonstrates the abuse of code-signing infrastructure and the difficulty of monitoring persistent, low-profile infections. Organizations are advised to scrutinize software signatures, monitor scheduled tasks for anomalous JavaScript executions, and block the known C2 domains to mitigate risk. By converting devices into proxies, attackers not only expand their infrastructure but also expose victims to legal and reputational hazards, emphasizing the need for robust threat hunting and endpoint protection strategies.
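The two hunting checks the article recommends (scheduled tasks launching JavaScript from a temp directory, and signer/hash review of dropped executables) as an added PowerShell example; this is not code from Expel or the article, and the temp-path pattern and the OneStart install location are assumptions to adjust per host. The MD5 values and signer name are the ones quoted on this page.

```powershell
# Added hunting script (not from the Expel report or the article). The hash and
# signer values come from the article's IoC table; path patterns are assumptions.
$SuspectSigner = 'GLINT SOFTWARE SDN. BHD.'
$KnownMd5 = @(
    'd09b667391cb6f58585ead314ad9c599',   # PDF Editor Trojan
    '1efaffcd54fd2df44ab55023154bec9b',   # ManualFinder executable
    '27fb60fa0e002bdb628ecf23296884d3'    # OneStart Browser
)
# Assumed pattern: a .js file under the user's Temp or AppData\Local\Temp directory
$TempJsPattern = '(?i)\\(Temp|AppData\\Local\\Temp)\\[^\s"]*\.js'

function Find-TempJsTasks {
    # Flag every registered task whose command line runs a .js file from a temp path
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmdline = "$($action.Execute) $($action.Arguments)"
            if ($cmdline -match $TempJsPattern) {
                $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
                [pscustomobject]@{
                    TaskName    = $task.TaskName
                    TaskPath    = $task.TaskPath
                    Author      = $task.Author
                    CommandLine = $cmdline
                    LastRun     = $info.LastRunTime
                }
            }
        }
    }
}

function Test-SuspectBinary {
    param([Parameter(Mandatory)][string]$Path)
    # A *valid* signature from the abused subject is itself a finding, so the
    # signer subject is checked alongside the signature status and the MD5 list.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $md5 = (Get-FileHash -Path $Path -Algorithm MD5).Hash.ToLower()
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        SignerMatch = ($sig.SignerCertificate.Subject -like "*$SuspectSigner*")
        HashMatch   = ($KnownMd5 -contains $md5)
    }
}

Find-TempJsTasks | Format-Table -AutoSize
# Assumed drop location for OneStart-bundled executables; widen the search as needed
Get-ChildItem "$env:LOCALAPPDATA\OneStart*" -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspectBinary -Path $_.FullName } |
    Where-Object { $_.SignerMatch -or $_.HashMatch }
```

Run it from an elevated prompt so tasks registered by other users are visible; any hit should be paired with a DNS or proxy log search for the two C2 domains listed in the IoC table.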
Indicators of Compromise (IOCs)

Indicator Type    Description                 Value
File Hash (MD5)   PDF Editor Trojan           d09b667391cb6f58585ead314ad9c599
File Hash (MD5)   ManualFinder Executable     1efaffcd54fd2df44ab55023154bec9b
File Hash (MD5)   OneStart Browser            27fb60fa0e002bdb628ecf23296884d3
Domain            Command-and-Control (C2)    mka3e8[.]com
Domain            Command-and-Control (C2)    y2iax5[.]com