Beware: Fake PDF Editor Spreads Dangerous Infostealer via Google Ads
Experts at Truesec have reported a large-scale malicious campaign in which attackers promoted a fake PDF-editing application, AppSuite PDF Editor, through Google Ads. Beneath its veneer of legitimacy lurked the TamperedChef infostealer, capable of siphoning confidential data from compromised devices.
Analysis revealed that the operation was orchestrated by a well-structured group leveraging multiple applications designed to load one another, ultimately ensnaring victims’ systems into schemes involving residential proxy networks. Some of these programs further misled users by offering free features in exchange for permission to use their devices as part of a proxy infrastructure.
Truesec identified more than 50 domains hosting malicious builds, signed with counterfeit digital certificates issued under the names of at least four different companies, including ECHO Infini SDN BHD, GLINT By J SDN. BHD, and SUMMIT NEXUS Holdings LLC.
According to Truesec’s technical report, TamperedChef’s malicious activity was not triggered immediately. Initially, the application functioned as a legitimate PDF editor, but on August 21—nearly two months after the advertising campaign began—it received an update that enabled its malicious functionality. At that point, a compromised version was downloaded with the -fullupdate argument, activating the infostealer.
Once installed, the infected app checked for the presence of security solutions before extracting browser data using Windows DPAPI (Data Protection API), the native mechanism for safeguarding sensitive information. This allowed TamperedChef to exfiltrate passwords, cookies, and other personal data stored on victim systems.
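The two behaviours described above, a build that only turns malicious after being fetched with the -fullupdate argument, and binaries signed under the counterfeit certificate names listed earlier, give a defender something concrete to hunt for in endpoint telemetry. The following Python triage helper is an added example, not code from Truesec, Expel or the article; it flags process-creation records whose image path matches one of the application names in the reporting, whose command line carries -fullupdate, or whose signer is one of the named certificate organisations. The three-field "image|command_line|signer" record layout and the sample events are constructed assumptions, not a real EDR export or real IoCs from either report.

```python
"""Triage helper: flag process-creation events matching the TamperedChef
indicators described in the Truesec/Expel reporting (delayed activation via
a '-fullupdate' update argument; the signer names used on the counterfeit
certificates; the loader applications named in the article).

Added example; the event lines below are CONSTRUCTED and the field layout
(image|command_line|signer) is an assumed simplified export, not the real
schema of Sysmon or any EDR product.
"""
import re
from dataclasses import dataclass

# Application names from the reporting (case-insensitive substring match on the image path).
SUSPECT_APPS = ("appsuite", "onestart", "epibrowser", "manualfinder")

# Organisation names the counterfeit code-signing certificates were issued under.
SUSPECT_SIGNERS = (
    "echo infini sdn bhd",
    "glint by j sdn. bhd",
    "summit nexus holdings llc",
)

# Argument the reporting associates with downloading the compromised build.
ACTIVATION_ARG = re.compile(r"(^|\s)-fullupdate(\s|$)", re.IGNORECASE)


@dataclass
class Event:
    image: str
    command_line: str
    signer: str


def parse_event(line: str) -> Event:
    """Parse one 'image|command_line|signer' record (assumed export format)."""
    parts = line.rstrip("\n").split("|", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed event: {line!r}")
    return Event(*(p.strip() for p in parts))


def triage(event: Event) -> list[str]:
    """Return the indicator names an event matches (empty list = no match)."""
    hits = []
    if any(app in event.image.lower() for app in SUSPECT_APPS):
        hits.append("suspect_app")
    if ACTIVATION_ARG.search(event.command_line):
        hits.append("fullupdate_arg")
    if event.signer.lower() in SUSPECT_SIGNERS:
        hits.append("suspect_signer")
    return hits


def scan(lines):
    """Yield (event, hits) for every event matching at least one indicator."""
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        hits = triage(event)
        if hits:
            yield event, hits


# Constructed sample telemetry (not real IoCs from either report).
SAMPLE_EVENTS = """
C:\\Program Files\\Acme\\notepad.exe|notepad.exe report.txt|Acme Software Inc
C:\\Users\\u\\AppData\\Local\\AppSuite\\PDF Editor.exe|"PDF Editor.exe" -fullupdate|ECHO Infini SDN BHD
C:\\Users\\u\\AppData\\Local\\OneStart\\OneStart.exe|OneStart.exe --background|GLINT By J SDN. BHD
C:\\Tools\\updater.exe|updater.exe -fullupdate|Trusted Vendor Ltd
"""

if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{event.image}: {', '.join(hits)}")
```

A single "fullupdate_arg" hit on an unrelated updater (the last sample line) is a low-confidence signal on its own; the value of the script is in the combination, where the application name, the update argument and a counterfeit signer coincide on one event, which is the pattern the reporting describes for the August 21 activation.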
Investigators discovered that the attackers operated at least five distinct Google Ads campaign IDs, suggesting a broad geographic reach and highly targeted distribution. Notably, the malicious activity was only enabled near the end of the ads’ 60-day lifespan, likely as part of a strategy to maximize downloads before activating the payload.
The campaign relied on dozens of websites advertising AppSuite PDF Editor as a free and convenient tool. Among the downloaded executables were also OneStart and Epibrowser—previously classified as potentially unwanted programs (PUPs) but, in this case, exhibiting clear behavior consistent with full-fledged malware.
In parallel, researchers from Expel conducted their own investigation. They confirmed that OneStart, AppSuite PDF, and another component called ManualFinder could execute suspicious commands, download malicious modules, and enroll devices into residential proxy networks.
In some instances, users were presented with a prompt offering free PDF editing in exchange for allowing their devices to be used as part of a proxy infrastructure. Analysts stressed that the proxy provider itself may be a legitimate company unaware of the scheme, with attackers simply acting as affiliates profiting at the expense of unsuspecting users.
Although some of the identified programs are nominally classified as PUPs, researchers emphasized that their functionality fully aligns with the definition of malware. Installing such applications can result not only in data theft but also in unauthorized exploitation of systems for proxy schemes and the further propagation of threats.
Both Truesec and Expel have released comprehensive reports containing extensive indicators of compromise (IoCs), enabling administrators and security professionals to detect compromised systems and prevent infrastructure breaches.