216.73.216.86

Reoccurring Use of Highly Suspicious PDF Editors to Infiltrate Environments

· Published 21/11/2025 03:21 · Modified 21/11/2025 10:00

Export JSON

Essential information

Published
21/11/2025 03:21
Modified
21/11/2025 10:00
Tags
2025-11-21 amaryllis signal ltd convertmate malicious vector pdf converter pdfeditor scheduled tasks suspicious behavior
Related entities
2 malware

Description

Since November 19, 2025, a surge in alerts involving a file named '' has been observed. Despite its initial harmless appearance, deeper analysis reveals highly . The file, downloaded from specific domains, initiates external connections, performs host queries, and creates various artifacts. A PowerShell script is executed, adding a scheduled task that repeats the every 24 hours. This activity mirrors the tactics of the '' campaign from two months prior, with both files signed by the same entity. The similarities strongly suggest that '' is likely an initial vector for malicious activity rather than a legitimate . Immediate isolation and removal of the software and related artifacts is recommended, along with internal training for end users to recognize and avoid malicious ads and suspicious files.

External references