216.73.217.139

New malware campaign discovered via ManualFinder

· Published 03/09/2025 20:12 · Modified 03/09/2025 20:42

Export JSON

Essential information

Published
03/09/2025 20:12
Modified
03/09/2025 20:42
Tags
2025-09-03 certificate abuse javascript manualfinder onestart browser pdf editor residential proxy trojan:win32/malgent!msr trojan:win64/infostealer!msr windows
Related entities
41 observables, 8 techniques (mitre)

Description

A global malware infection of computers has been uncovered, stemming from software users installed themselves. The malware, disguised as legitimate PDF editors and manual finders, turns infected systems into residential proxies for malicious actors. The infection chain starts with deceptive ads posing as PDF manuals. The campaign, which appears to have ceased, was widespread due to large-scale advertising. The malware creates scheduled tasks, executes files, and communicates with various C2 domains. It's potentially linked to the , known for spreading spyware and adware. Authorities advise blocking access to related domains, checking for specific applications, and removing software signed by certain certificate issuers.

External references