
Threat Actors Exploit PDF Editor Vulnerabilities with New Trojan to Transform Devices into Proxies

Cybersecurity researchers have identified a sophisticated threat campaign that exploits a seemingly legitimate PDF editor application to convert infected devices into residential proxies. This malicious software, masquerading as productivity tools, reflects an evolving strategy by threat actors who increasingly target trusted software categories to gain persistent network access and monetise compromised systems. The attack initiates with files that bear the code-signing signature “GLINT SOFTWARE SDN. BHD.,” which initially lends credibility to the malicious payload. However, beneath this facade lies a complex infection chain that begins with JavaScript components designed to drop and execute the primary trojan, known as “ManualFinder.” This multi-stage approach illustrates the attackers’ understanding of modern security detection mechanisms and their efforts to evade traditional signature-based detection systems.

Expel security analysts uncovered this emerging threat through their monitoring of suspicious network activity and file behaviour patterns. The researchers noted that the malware’s initial deployment strategy relies heavily on the OneStart Browser application, which has been flagged as consistently problematic software. This browser creates scheduled tasks that execute JavaScript files from the user’s temporary directory, establishing a foothold for subsequent malware deployment. The infection mechanism reveals a carefully orchestrated process in which the JavaScript component connects to command-and-control domains, specifically mka3e8[.]com and similar infrastructure. These domains act as distribution points for the ManualFinder application, which carries the same fraudulent code-signing certificate to preserve the appearance of legitimacy throughout the infection chain. The trojan’s dual-purpose design combines genuine functionality with malicious behaviour, allowing it to perform its advertised function of helping users locate product manuals while simultaneously turning infected devices into residential proxy nodes.
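The persistence step described above (a scheduled task that launches JavaScript out of the user's Temp directory) is something a defender can hunt for in the Task Scheduler XML definitions stored under System32\Tasks. The following is an added example, not code from the article or from Expel's research; the task definitions, file names and paths in it are constructed, and OneStart is mentioned only as the context the article gives.

```python
"""Hunt Task Scheduler definitions for JavaScript launched from a Temp folder."""
import os
import re
import xml.etree.ElementTree as ET

# Namespace of Windows Task Scheduler XML (the task files under System32\Tasks)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# A Temp/Tmp path segment (or the %TEMP% variable) followed later by a .js file
TEMP_JS = re.compile(r"[\\/%](?:temp|tmp)[\\/%].*?\.js\b", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def suspicious_exec_actions(task_xml: str) -> list[str]:
    """Describe each <Exec> action that runs a .js file from a Temp folder or
    hands a .js file to wscript/cscript. Returns [] for an unremarkable task."""
    findings = []
    for ex in ET.fromstring(task_xml).findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        line = f"{cmd} {args}".strip()
        if TEMP_JS.search(line):
            findings.append(f"JS from Temp: {line}")
        elif cmd.lower().strip('"').endswith(SCRIPT_HOSTS) and ".js" in args.lower():
            findings.append(f"script host running JS: {line}")
    return findings

def scan_task_directory(tasks_dir: str) -> dict[str, list[str]]:
    """Walk a copy of C:\\Windows\\System32\\Tasks (task files are UTF-16 XML)
    and map each flagged file to its findings; unreadable files are skipped."""
    hits = {}
    for dirpath, _, names in os.walk(tasks_dir):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-16") as fh:
                    findings = suspicious_exec_actions(fh.read())
            except (OSError, UnicodeError, ET.ParseError):
                continue
            if findings:
                hits[path] = findings
    return hits

# Constructed sample task definitions (illustrative, not real OneStart artifacts)
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>wscript.exe</Command>
  <Arguments>//B C:\\Users\\victim\\AppData\\Local\\Temp\\update.js</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command>
  <Arguments>/silent</Arguments></Exec></Actions>
</Task>"""
```

Running `scan_task_directory` against a collected copy of the Tasks folder returns only the task files whose actions match, so the output is a short triage list rather than every task on the host.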

Categories: Malware Distribution, Exploitation of Trusted Software, Residential Proxy Networks 

Tags: Cybersecurity, Threat Campaign, PDF Editor, Malicious Software, Infection Chain, JavaScript, ManualFinder, Command and Control, Residential Proxies, Network Access 
