{
	"id": "6b34c0d1-da44-4549-9897-657fc1aabeae",
	"created_at": "2026-04-06T00:19:09.673166Z",
	"updated_at": "2026-04-10T13:13:06.003562Z",
	"deleted_at": null,
	"sha1_hash": "4dd18c84b3d9efe983e4f45840cb804c12dd2ed8",
	"title": "The history of AppSuite: the certs of the BaoLoader developer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3725103,
	"plain_text": "The history of AppSuite: the certs of the BaoLoader developer\r\nBy Aaron Walton\r\nPublished: 2025-09-11 · Archived: 2026-04-05 21:35:53 UTC\r\nThis blog was created through a collaboration between Expel and the folks maintaining CertGraveyard.org. \r\nTL;DR\r\nWe demonstrate that the developers behind the recent AppSuite-PDF and PDF Editor campaigns have used at least 26\r\ncode-signing certificates over the last seven years to make their software appear legitimate.\r\nWe track the malware under the name BaoLoader. Their software has generally been regarded as “potentially\r\nunwanted programs” (PUPs). However, recent analysis of the software and the actors’ connections to fraud suggest\r\nwe should re-consider how we think about them.\r\nThis analysis primarily focuses on code-signing certificate abuse. This gives us a high-level overview of the actors to\r\ndefine their history of behavior, but not a complete picture. \r\nWe clarify how this malware is different from Chromeloader and TamperedChef. These names have been mistakenly\r\napplied to this malware, but the distinction is important for research and law enforcement.\r\nWhat we’re tracking and why\r\nOur analysis focuses on years of tracking a team of threat actors through mapping the actors’ use of code-signing\r\ncertificates. These actors register new businesses for receiving authorization to generate code-signing certificates. Code-signing is a critical component used to validate the legitimacy of software. They then use these certificates to sign their own\r\nmalware, often disguised as potentially unwanted programs (PUPs). 
\r\nThis particular analysis will focus on our research into the code-signing activity of the actors involved, connecting the\r\nthreads between the businesses the actors have propped up to create certificates, the certificate authorities they’ve used to\r\nauthorize them, and the pieces of software signed by these certificates.\r\nBackground on code-signing certificate abuse\r\nTo set the scene, it’s important to know how threat actors abuse code-signing certificates. These certificates have a unique\r\necosystem of exploitation, typically beginning with threat actors impersonating legitimate businesses to obtain them. Think\r\nof this impersonation as being similar to corporate identity theft, as the organizations listed on the fraudulent certificates are\r\noften victims themselves. \r\nThe purpose of code-signing is to grant trust to programs after their providers are vetted. The vetting process creates a chain\r\nof trust, starting with Microsoft trusting a certificate authority to vet software providers and determine whether they are\r\ntrustworthy.\r\nhttps://expel.com/blog/the-history-of-appsuite-the-certs-of-the-baoloader-developer/\r\nPage 1 of 17\n\nThrough the chain of trust, Microsoft then trusts the software provider’s certificate once the certificate authority\r\nsigns it. This allows validation processes to trust software signed by that software provider’s certificate as well.\r\nThe certificate also contains a hash of the signed file, which is compared against a computed file hash. If the hashes match,\r\nthe certificate is considered valid, indicating that the file hasn’t been tampered with. (See the articles from the following\r\nauthors to learn more about code-signing and abuse: Axelarator, Expel.) \r\nIn most cases, cybercriminals abuse this system by impersonating businesses to receive a certificate. 
This impersonation\r\nmay include creating domains imitating a company and using it to apply, modifying government databases to include their\r\nnames and contact information, or other methods. In the case of BaoLoader, the actors registered legitimate businesses. \r\nWe believe with high confidence the malware “AppSuite-PDF,” “PDF Editor,” “ManualFinder,” “PDFTools,”\r\n“PDFProSuite,” and “OneStart” are distributed by the same team that buys certificates directly. Our data shows this team has\r\nbeen active over the last seven years. During this time, they’ve consistently maintained software that antiviruses have\r\ngenerally flagged as PUPs.\r\nThis analysis lays the groundwork for understanding and documenting their activity and exposes the threat actors’ code-signing certificate use over the last seven years.\r\nThe data\r\nExpel is grateful for the opportunity to collaborate with CertGraveyard.org and relied heavily on its database for the creation\r\nof this analysis. Cert Graveyard has documented more than 1,500 unique organizations with at least one abused code-signing\r\ncertificate. Cert Graveyard identifies certificates used to sign malware and reports them to their issuers for review and\r\nrevocation.\r\nIdentifying BaoLoader as unique malware via certificates \r\nWhen reviewing the abused certificates, we observed a high level of consistency which causes the actors to stand out:\r\nThe actors used 15 code-signing certificates issued for companies in Panama. Out of ~1,500 entries, no other actors\r\nin the database use certificates from Panama.\r\nThe actors used five certificates for companies in Malaysia. No other actors in the database use certificates from\r\nMalaysia.\r\nThe actors are capable of getting certificates from other countries as well. After some certificates used to sign\r\nOneStart were revoked, they obtained certificates for the company “Onestart Technologies LLC,” which they\r\nregistered in the US. 
\r\nThe certificates are consistently obtained for media companies.\r\nIn most cases when a certificate is resold, the signer name is insignificant—a buyer is simply handed a certificate. However,\r\nthese actors regularly use multiple certificates with the same signer name, but from different certificate authorities. This is\r\nhighly unusual within Cert Graveyard’s database of abused certificates. The Cert Graveyard database shows only one other\r\ndocumented instance where one actor used certificates for the same company but from two different certificate issuers. It\r\nalso has only four cases where multiple providers issued certificates for the same organization, but each was sold to distinct\r\nactors. However, the actors responsible for this malware obtained certificates for unique organizations from multiple\r\nproviders 11 times. This leads us to conclude that the actors acquire the certificates themselves—buying the certificates from\r\nproviders rather than buying them from resellers.\r\nThe malware signed with these certificates, named “BaoLoader” by RussianPanda, was initially misidentified. Some sources\r\nmistakenly referred to it as “Chromeloader” due to perceived similarities, while others incorrectly labeled it “TamperedChef.”\r\nFrom our analysis, we believe that BaoLoader is distinct from both Chromeloader and TamperedChef, due to its different\r\nbehavior and characteristic certificate patterns. We’ll dive into these differences in depth in a bit, but first we’ll discuss what\r\nwe can learn about their campaigns by looking at their history of abusing code-signing certificates.\r\nA history of abuse\r\nIn the following analysis, we first share information on the most recent abuse leveraging OneStart and the files it drops. 
Then\r\nwe review software and malware campaigns from over the years, including files going as far back as 2018.\r\nAppSuite-PDF and its relations\r\nAppSuite-PDF is a simple app whose main functionality is to download and install the PDF Editor app that allows users to\r\nedit PDFs. But it also comes with a backdoor. \r\nhttps://expel.com/blog/the-history-of-appsuite-the-certs-of-the-baoloader-developer/\r\nPage 2 of 17\n\nOver time, the actors obtained the following code-signing certificates to sign the files:\r\nGLINT SOFTWARE SDN. BHD.\r\nECHO INFINI SDN. BHD. (from two different providers)\r\nSummit Nexus Holdings LLC\r\nIn our review of these organizations and websites, we found they offered minimal to no basic information about the\r\nbusinesses. This is characteristic of sites used in obtaining and abusing code-signing certificates. We were able to cluster the\r\napplications together because of the overlaps in code-signing certificates as displayed in the table and graph below.\r\nTable 1: Representative sample of files using these certificates\r\nFile name Example file hash\r\nSigner\r\n(x509 CN)\r\nIssuer\r\nFirst\r\nVirusTotal\r\nSubmission\r\ndate\r\nPDFEditor-1.0.0.8.exe\r\n9dc1b05b8fc53c84839164e82200c5d484b65eeba25b246777fa324869487140\r\nGLINT\r\nSOFTWARE\r\nSDN. BHD.\r\nSSL.com 2025-08-05\r\nManualFinder\r\n(1).msi\r\nd0838244e7ebd0b4bd7d7486745346af6b9b3509e9a79b2526dcfea9d83c6b74\r\nGLINT\r\nSOFTWARE\r\nSDN. BHD.\r\nSSL.com 2025-07-21\r\nAppSuites-PDF-1.0.37.exe\r\n98bb0ab170efdf98414114d6c14a047d2144730f3552bb4aea36198fc49083ac\r\nSummit\r\nNexus\r\nHoldings\r\nLLC\r\nDigiCert 2025-08-23\r\nPDF\r\nEditor.msi\r\nc4f0b51308eb02c20e9bb33df80442b85b0cc0ad3ccf2598546d67c49242d506\r\nSummit\r\nNexus\r\nHoldings\r\nLLC\r\nDigiCert 2025-08-22\r\nAppSuites-PDF-1.0.8.2.msi\r\n3c702aa9c7e0f2e6557f3f4ac129afd2ad4cfa2b027d6f4a357c02d4185359c4\r\nECHO\r\nINFINI\r\nSDN. 
BHD.\r\nSSL.com 2025-07-16\r\nhttps://expel.com/blog/the-history-of-appsuite-the-certs-of-the-baoloader-developer/\r\nPage 3 of 17\n\nPDF\r\nEditor.exe\r\n66334de2175a0b85e2cba42189312af23497605489607e3952121ed223b2c0af\r\nECHO\r\nINFINI\r\nSDN. BHD.\r\nSSL.com 2025-08-23\r\nPDF Editor b0c321d6e2fc5d4e819cb871319c70d253c3bf6f9a9966a5d0f95600a19c0983\r\nEcho Infini\r\nSdn. Bhd.\r\nGlobalSign 2025-07-16\r\nAppSuites-PDF-1.0.29.0.msi\r\nfbc7ffc5bdda978afe0f20910210752d91762b97d6d7719a5b3a1e352a4717c3\r\nEcho Infini\r\nSdn. Bhd.\r\nGlobalSign 2025-07-16\r\nOneStart and its relations\r\nUsers generally download OneStart unintentionally, commonly from PDF editor advertisements or bundled with other\r\nsoftware. The application is primarily treated as a PUP, but also appears to use the same covert network communication\r\nmechanisms as AppSuite.\r\nThe developer signed OneStart with multiple code-signing certificates for Apollo Technologies Inc. They obtained\r\ncertificates from SSL.com and GlobalSign. The certificates were used to sign OneStartInstaller, which was uploaded to\r\nVirusTotal with other names, such as “AllManualsFinder” or “PDF Viewer”. In some cases, the internal name for\r\nOneStartInstaller was “chrome_proxy” or “OneStart_proxy”. \r\nAfter the Apollo Technologies certificates were revoked by the certificate issuers, the actors used a certificate for Caerus\r\nMedia LLC, issued by SSL.com, to sign copies of OneStart, Chrome_proxy, and EasySmart PDF. Following its revocation,\r\nthey obtained certificates for “Onestart Technologies LLC” from both SSL.com and DigiCert. 
This may have been an\r\nattempt to appear legitimate, however, due to the history of abuse documented within this report, these were also reported\r\nand revoked.\r\nTable 2: Representative sample using another set of certificates \r\nFile name Example file hash\r\nSigner\r\n(x509 CN)\r\nIssuer\r\nFirst\r\nVirus\r\nSubm\r\ndate\r\nAllManualsFinder.msi 469960964daf6666231f379604cb0cbd536b277bdb595c7ded9e8147278ba5ea\r\nApollo\r\nTechnologies\r\nInc.\r\nSSL.com 2024-\r\nhttps://expel.com/blog/the-history-of-appsuite-the-certs-of-the-baoloader-developer/\r\nPage 4 of 17\n\nPDF Viewer/OneStart\r\ninstaller\r\n2eace7cf97b21c58dc7dc731911c5258479661275e9a6f43870a6117694b0c82\r\nApollo\r\nTechnologies\r\nInc\r\nSSL.com 2024-\r\nOneStartInstaller-v5.5.244.0.msi\r\nc826b208e30168a7ccf9fb34a18927d60c6a4686bc5e84076216217ee9d7d3fb\r\nApollo\r\nTechnologies\r\nInc.\r\nGlobalSign 2024-\r\nchrome_proxy 046d27a6097283c2619ead410201807eb5b85c4b48b50a9e49eef422a8c3b865\r\nApollo\r\nTechnologies\r\nInc.\r\nGlobalSign 2024-\r\nSmartViewPDF c0dea5039c67a46462116a345b39e3953f89b87f395b537b2a8be0e3f2b4f8bd\r\nApollo\r\nTechnologies\r\nInc.\r\nGlobalSign 2024-\r\nonestart.exe db4d49ca1adca1248124c20c0762875cafa8a6ce85a19332b17aff9c5200a291\r\nCaerus\r\nMedia LLC\r\nSSL.com 2025-\r\nchrome_proxy 7025ec177a7df0ceca69d9e1f145c1889e39c0d7c32feeda4cb9c3a6a47e33f9\r\nCaerus\r\nMedia LLC\r\nSSL.com 2025-\r\nEasySmartPDF 6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1\r\nCaerus\r\nMedia LLC\r\nSSL.com 2025-\r\nPDF Editor e27d911a785d3c22a2c023cc41b2862f15d08d2301856b33fe9a51e39398d418\r\nOnestart\r\nTechnologies\r\nLLC\r\nSSL.com 2025-\r\nOneStart.exe 430c783801d2e30c314c76f379ed28f98c540f530f309a95c542ae68043d78b1\r\nOnestart\r\nTechnologies\r\nLLC\r\nDigiCert 2025-\r\nOneStart_proxy 6dfd5793fa84f54be855ad4bd16bf561e6c80699527ba40e9d50ca6cd27b7768\r\nOnestart\r\nTechnologies\r\nLLC\r\nDigiCert 2025-\r\nBefore AppSuite\r\nBefore AppSuite, the actors also had other products with 
the same manual-finding and PDF-viewing themes. Note (in the\r\ntable above) that they seem to use a consistent version naming system over time for their software (“-vX.X.XXXX.X”). This\r\nversion numbering was used in OneStart, AppSuite, and the applications that came before it. Reviewing these certificates,\r\nwe see that they are clearly making iterations on the same product. Most prominent is their PDF Pro Suite, which became\r\nAppSuite-PDF.\r\nImage: Installer message from file submitted to VirusTotal on 2024-02-29.\r\n(8dfb2197e19e9dfa09cd38bc039702cf4ea7df0c4f7c16fa5df80ba2e8267b92)\r\nImage: Installer message from file submitted to VirusTotal on 2024-08-02.\r\n(099c77409d23507d65ee7783575c77c4eeee86cd35b9338ac6fcdfef894ad472)\r\nImage: Installer message from file submitted to VirusTotal on 2024-11-08.\r\n(84781fa57f2c01eee0e0160734019bde86c212bbaab7fce9241f84e07cee11d6)\r\nDuring this time, they also acquired code-signing certificates for “Digital Promotions Sdn. Bhd.” from both GlobalSign and\r\nSSL.com, as well as many other certs from additional certificate authorities. \r\nOne notable certificate signer is “Eclipse Media Inc.,” which was issued by GlobalSign, SSL.com, Sectigo, and DigiCert.\r\nThe first three were primarily used in the PDF campaign; however, the DigiCert-issued certificate was used with another\r\npiece of software often considered a PUP: Web Companion. The files from Eclipse Media Inc., issued by DigiCert, are important in\r\nthat they show a strong connection between different campaigns. 
The DigiCert-issued cert was issued two years earlier to the\r\nsame business, as indicated by the business serial number specified in the certificate (see the Appendix for a table of the\r\nbusiness serial numbers for all the certificates).\r\nThe files using this certificate represent a much earlier behavior of the developer: dropping files with many names, but only\r\ninstalling one application. In this case—as well as many earlier cases—the app installs Web Companion. In one example\r\nfile, VirusTotal flags the file’s primary name as “ZoomSetup_40356044.msi”, but in the “Names” category on the details page\r\n(pictured below), VirusTotal shows that the file was uploaded with many other names, such as “TinyTaskSetup…”,\r\n“WinRarSetup”, and “MinecraftSetup…”. Reviewing these names gives us a glimpse into the lures used to trick users into\r\ndownloading the files.\r\nTable 3: Representative sample using another set of certificates \r\nFile name Example SHA256\r\nSigner (x509\r\nCN)\r\nIssuer\r\nManualsViewer-v3.3.1233.0.msi\r\n7857a4020d08ec40f254847a9768da0432b0da6c90c7f18c68c05e0cfd0cec0b\r\nDigital\r\nPromotions\r\nSdn. Bhd.\r\nGlobalSign\r\nPDFTool-v3.2.1210.0_PDFTool.exe\r\nfd7912de8df0ae262d77df294db71a5fcd7abeb2895214fa4f06edd6f54cce42\r\nDigital\r\nPromotions\r\nSdn. Bhd.\r\nGlobalSign\r\nPDFViewer_47171210.msi 8dfb2197e19e9dfa09cd38bc039702cf4ea7df0c4f7c16fa5df80ba2e8267b92\r\nDigital\r\nPromotions\r\nSdn. Bhd.\r\nSSL.com\r\nPDFProSuite-Patch-v10.1.2103.0.msi\r\na1a42a82e51d2278d38370f23524d2a715bb511312722428b4bc7f817a5532ea\r\nDigital\r\nPromotions\r\nSdn. 
Bhd.\r\nSSL.com\r\nPDFProSuite-v10.1.2020.0.msi\r\n099c77409d23507d65ee7783575c77c4eeee86cd35b9338ac6fcdfef894ad472\r\nINCREDIBLE\r\nMEDIA INC\r\nGlobalSign\r\nEasyPDFManuals.msi 84781fa57f2c01eee0e0160734019bde86c212bbaab7fce9241f84e07cee11d6\r\nINCREDIBLE\r\nMEDIA INC\r\nGlobalSign\r\nhttps://expel.com/blog/the-history-of-appsuite-the-certs-of-the-baoloader-developer/\r\nPage 8 of 17\n\nPDFFlex-v3.202.1115.0.msi\r\nbbee7d6beb0b1fc2f19bbda5a0765c00af7ec16642f7b4ad6f7bc8f6d43a2cc7\r\nEclipse Media\r\nInc.\r\nGlobalSign\r\nPDFFlex-v4.110.1239.13.msi\r\n7022b6b2caa7ecfc1a9575b74cce793336fc5fe4571955b1240716d9ab4b9e84\r\nEclipse Media\r\nInc.\r\nSSL.com\r\nPDFFlex-v3.410.1238.10.msi\r\ne06c05b3e19e78108a4f4174219862c4680dd1ee4b5dbef18b9295fc846eda98\r\nECLIPSE\r\nMEDIA INC.\r\nSectigo\r\nZoomSetup_40356044.msi\r\n(file is an installer for\r\nWebCompanion)\r\nfe30b6b149d8a7e5da77faa6a6f36ce78132b682fde4f48fc77939de870bbabc\r\nEclipse Media\r\nInc.\r\nDigiCert\r\nFootnote: The Digicert-issued certificate for Eclipse Media Inc. uses the same RDN number as the same company name\r\ncertificates issued by Sectigo, GlobalSign, and SSL.com.\r\nWeb companion\r\nAs we saw in the above graph and table, certificates associated with BaoLoader are also being used to load a version of\r\nBrowser Assistant/Web Companion. The official Web Companion product is signed by “7270356 Canada Inc.” and is a\r\nproduct of LavaSoft (also known as Adaware and/or Avanquest). The actors had a much longer history of loading the Web\r\nCompanion software onto hosts and the actors re-sign some Web Companion dynamic link libraries (DLL) that are\r\ndeployed. These require additional analysis to understand if or how they were manipulated. (See table 4 below for a sample\r\nof the signed DLL observed.) 
\r\nThese files—and the ones mentioned below—exhibit behavior that most SOC analysts will recognize as known and/or\r\nexpected Web Companion behavior, executing the following PowerShell:\r\n“C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe” -noninteractive -ExecutionPolicy bypass -c\r\n“$w=”$env:APPDATA”+’/BBWC/’;\r\n[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+’Newtonsoft.Json.dll’));\r\n[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+’System.Data.SQLite.dll’));\r\n[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+’ICSharpCode.SharpZipLib.dll’));\r\n[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+’LZ4.dll’));$f=$w+’WC.txt’;$h=Get-Content -Path $f -\r\nRaw;$h=Get-Content -Path $f -Raw;[byte[]]$bytes=($h -split ‘(.{2})’ -ne ” -replace ‘^’,’0X’);\r\n[Reflection.Assembly]::Load($bytes);[WebCompanion.StartUp]::Start()”\r\nThis behavior is noteworthy in that it clearly identifies it as Web Companion installation. It’s also noteworthy because the\r\nbehavior exhibited by this PowerShell is generally treated as highly suspicious, but is considered acceptable because many\r\nconsider Web Companion as standard adware. This borderline-acceptable behavior seemed to play well with the actors using\r\nWeb Companion.\r\nhttps://expel.com/blog/the-history-of-appsuite-the-certs-of-the-baoloader-developer/\r\nPage 9 of 17\n\nAs in other cases, we see the actors leverage certificates with the same certificate signer provided by multiple issuers:\r\n“Astral Media Inc” was issued by GlobalSign, SSL.com, and DigiCert. And “Interlink Media Inc.” was issued both by\r\nGlobalSign and SSL.com. \r\nWith many of the certificates discussed here, files using them have been uploaded to VirusTotal with a wide range of names\r\nassociated with the same file. 
One example is “e1d6ea166a0a09b4af4f697a0a88ff8b638f7f1738b0a5fa14f43bdf8e85739e”,\r\nwhich was uploaded under many names, including “PDFViewer”, “FreeRecipe”, “FreeManuals”, and others.\r\nOther signed files during this period include applications such as “Launch Browser” (Interlink Media Inc./SSL.com), which\r\nwas an alternative version of the OneStart Browser.\r\nhttps://expel.com/blog/the-history-of-appsuite-the-certs-of-the-baoloader-developer/\r\nPage 10 of 17\n\nImage: Launch Browser installer prompt. This file was uploaded as PDFViewer, FreeRecipe, FreeManuals,\r\netc. First submitted to VirusTotal on 2024-01-15\r\n(e1d6ea166a0a09b4af4f697a0a88ff8b638f7f1738b0a5fa14f43bdf8e85739e)\r\nImage: OneStart installer prompt. This file was uploaded to VirusTotal as “PDFViewer”. First uploaded to\r\nVirusTotal on 2023-09-18. (a704398d2446d297938d773f22e3a703b8e8b9a411edcf0f821dff6e975f2724)\r\nTable 4: Representative sample using another set of certificates \r\nFile name Example SHA256 Signer\r\n(x509\r\nCN)\r\nIssuer\r\nhttps://expel.com/blog/the-history-of-appsuite-the-certs-of-the-baoloader-developer/\r\nPage 11 of 17\n\nIEBrowserAssistantSetup.msi 10acb7208a455b07940336a489f7c3cf34904f887b1f8904f5bff54569963f0b\r\nASTRAL\r\nMEDIA\r\nINC.\r\nGlobalSign\r\nBAv1411302.msi 3276154a7f2ea64e43cf6dbec33bfb20ee0d46b2ca03d5d0c7f51ec803f7101d\r\nAstral\r\nMedia Inc\r\nSSL.com\r\nBAv1403298.msi 35ab1c46e0341e6cda9ba1db61e8d8c0496df90ee758ed02d15f564a62b35da8\r\nAstral\r\nMedia\r\nInc.\r\nDigiCert\r\nEasyQuickManuals_46736718.msi\r\n/ PDFViewer_46586326.msi\r\n45fb5807dc1f88cb65dbfe611028ad09f1e85ab0ab244a1f691408c063851cc1\r\nInterlink\r\nMedia\r\nInc.\r\nGlobalSign\r\nLaunchBrowserInstaller-v5.2.153.0.msi /\r\nPDFViewer_45578527.msi\r\n34c12da57921ab46ae9f06b321b3d47cc41d7bcb66d6635e3db58d3f6e7c4156\r\nInterlink\r\nMedia\r\nInc.\r\nSSL.com\r\nPDFViewer_46214966.msi e1d6ea166a0a09b4af4f697a0a88ff8b638f7f1738b0a5fa14f43bdf8e85739e\r\nBlaze\r\nMedia 
Inc\r\nSectigo\r\nPDFTools_12345678.msi e505e4bc6c76f8ccd1d626832d1d5d5d2852a5c78016c43bdc2f502af6e40396\r\nDrake\r\nMedia Inc\r\nEntrust\r\nCSharpDLL.dll 5bff84ba6e59086ca5ae880f0f299b59bc222a1e85f57ef620d5f725fc398ff8\r\nBlaze\r\nMedia Inc\r\nSectigo\r\nDarkNet.dll 162e65e8e74ed4637184a827629636f0c687c008e0937537fe32ca85ab21bd71\r\nBlaze\r\nMedia Inc\r\nSectigo\r\nWindowsDisplayAPI.dll 492193072be8c959112abd720360cedb24f564f27c375bf57346030b78b4db96\r\nBlaze\r\nMedia Inc\r\nSectigo\r\nOperaSharpDLL.dll 7ba95a9470697f33c5bd4e047253c2df035aedb96856126642af89c348bf3652\r\nInterlink\r\nMedia\r\nInc.\r\nGlobalSign\r\nWebCompanion.dll 3a3511aa0c7e42daa2b6467bdd6fd2006605c6a72667300ee3740df930be51d2\r\nMillennial\r\nMedia\r\nInc.*\r\nDigiCert\r\n*This cert was used only to sign Web Companion DLL. However, due to the actors’ use of certificates issued to similarly-named companies — namely, the ones seen in this table, which are all registered in Panama — we’re highly confident the\r\ncertificate was theirs as well.\r\nhttps://expel.com/blog/the-history-of-appsuite-the-certs-of-the-baoloader-developer/\r\nPage 12 of 17\n\nNot only PDF editors\r\nWhile the above analysis focused on PDF editors, manual finders, and OneStart, the actor team didn’t just target users\r\nlooking for this help. They also targeted broader audiences looking for games, wallpapers, and other software (note the re-use of “Drake Media Inc”). This time, it uses a certificate from GlobalSign, whereas above, Entrust issued it.\r\nThe team of malicious actors used the “Drake Media Inc” certificate to sign the file “EmuWCOfferSetup-1.0.0.110.msi” to\r\nVirusTotal, which was later distributed disguised as games. 
We suspect that the “EmuWCOfferSetup-1.0.0.110.msi” file was\r\nuploaded by the actors themselves; the name differs from the other uploads, follows the same version naming convention,\r\nand contains the acronym “WC”, which likely means “Web Companion,” as it also installs Web Companion.\r\nWe’ve seen these dynamically-named applications used by the BaoLoader developers before. However, with the BaoLoader\r\nmalware specifically, the lures are normally productivity apps (PDF Editors and popular collaboration tools). And yet this\r\ntime, there are also versions of the malware disguised as game installers.\r\nTable 5: Representative sample using another set of certificates uploaded imitating game installers\r\nFile name Example SHA256 Signer Issuer\r\nFirst\r\nVirusTotal\r\nSubmission\r\ndate\r\nEmuWCOfferSetup-1.0.0.110.msi\r\naad5be480738f546f7538f70463f4144bb5654cf74bbf99aa9b5b2917164cbb4\r\nDrake\r\nMedia\r\nInc.\r\nGlobalSign 2023-11-06\r\ngames_1329303.exe 6b6fc62a294d5ef1c619d623f1cf6d735d9f191df9ef5c745b0881b1e01b8565\r\nRealistic\r\nMedia\r\nInc.\r\nDigiCert 2018-12-06\r\nChromeloader, is that you?\r\nThe early deviation into deploying games is interesting because this behavior is remarkably close to what we’ve seen of the\r\nmalware “Chromeloader.” In fact, the two share many similarities, such as:\r\nHeavy certificate abuse, including certificates for organizations with multiple issuers\r\nUsing a payload to load Chrome extensions at some point in their lifetime\r\nUsing node.exe to execute malicious JavaScript at some point in their lifetime\r\nUsing CloudFront domains in the first stage of the malware\r\nUsing DGA or random domain names for second-stage command and control\r\nUsing scheduled tasks as a persistence mechanism\r\nTargeting both Windows and macOS*\r\n*BaoLoader’s macOS targeting hasn’t been thoroughly explored. 
From what we identified, this was only found recently (the\r\nfirst submission was uploaded to VirusTotal on 2025-06-24). They recreated a ManualFinder app which received a\r\ndeveloper ID that’s since been revoked. The developer ID is for “IENGINEERING PRIVATE LIMITED”.\r\nHowever, based on their certificate abuse trends, our research leads us to believe that BaoLoader and Chromeloader are\r\neither completely unrelated or separate teams that work independently. BaoLoader often uses certificates from Panama,\r\nMalaysia, and the US. Chromeloader often uses certificates from Israel, Germany, Great Britain, and Slovenia. Further, we\r\ndidn’t observe the same certificates used across the two different malware families. \r\nFor certificates used by Chromeloader, see certgraveyard.org/lookup?detail_type=malware\u0026query=Chromeloader (requires\r\nGitHub login).\r\nNot Chromeloader, but maybe TamperedChef?\r\nThe name TamperedChef became associated with BaoLoader after a tweet by Karsten Hahn. The tweet followed research\r\nfrom GDATA where TamperedChef was grouped with some other apps that have functional capabilities but fit the concept of\r\na trojan. Like TamperedChef, AppSuite-PDF and other apps have been functional (for the most part). GDATA argues that\r\nthis is due to AI enabling cybercriminals to create more convincing applications. The name TamperedChef started being\r\napplied to the campaign by accident and has now stuck. The original TamperedChef name was a joke name given to a\r\ndifferent malware family, one that offered a recipe app but had covert means of communication, including hidden\r\ncharacters. \r\nImage: Twitter user @ly7ine showing an example of hidden characters in a recipe.\r\nThis malware was distributed under a few different names, such as “RecipeLister,” “LookUpKitchen,” and “Fast-Forks,” of\r\nwhich “RecipeLister.exe” was the most common. 
After they were exposed by certificate revocation and public blogs, the\r\nactor moved on to a different theme: apps allowing users to search for pictures (see image below).\r\nImage: Twitter user @HuntYethHounds shows the owner of Fast-Forks re-used the template of their website for a new\r\nwebsite. The icon and favicon still show “Fast-Forks”.\r\nTamperedChef’s use of hidden content in webpages differs significantly from the tactics used by BaoLoader. The two also differ in\r\ntheir use of code-signing certificates: TamperedChef used code-signing certificates issued to companies in Ukraine and\r\nGreat Britain, while BaoLoader consistently used certificates from Panama and Malaysia, as mentioned above. We don’t see\r\nany connection linking the original TamperedChef and BaoLoader.\r\nFile name SHA256 hash Signer Issuer\r\nFirst\r\nVirusTotal\r\nSubmission\r\ndate\r\nRecipeLister.exe 1619bcad3785be31ac2fdee0ab91392d08d9392032246e42673c3cb8964d4cb7\r\nGlobal\r\nTech Allies\r\nltd\r\nSSL.com 2025-05-06\r\nForks.exe d8bff72de51213510004a2652b9e31b48a25e2eb0d7184fab4ef9014fc85e145\r\nIT\r\nBRIDGE\r\nCONNECT\r\nLLC\r\nGlobalSign 2025-06-11\r\nWhy it matters\r\nCode-signing certificates are intended to validate that software is from a known provider (and is likely safe). When software\r\nis signed and distributed by dozens of providers, it should raise suspicion. BaoLoader is an example of this, but went\r\nrelatively unnoticed for years. It’s only the recent changes to their behavior that have put their infrastructure and malware in the\r\nspotlight. However, their abuse of code-signing certificates has been a known issue, as evidenced by certificate providers\r\nrevoking the certificates over the years.\r\nAnalysis of irregularities around code-signing can provide defenders with early warning that something’s wrong. 
The clearest\r\nindicator is when the software, the metadata about the application, and the application itself don’t line up. This can help\r\ndefenders identify malicious programs even when antivirus or other tools haven’t identified suspicious indicators. Code-signing certificates can also be used for threat hunting to identify files already known to be malicious by the security\r\ncommunity. \r\nOrganizations should consider the controls available to them to prevent unwanted and malicious software in their environment.\r\nSuch unwanted software may be downloaded for many reasons—by accident from phishing emails, users attempting to\r\ndownload a PDF editing tool to help them do their job, or many other situations. However, many controls exist to help\r\nprevent this software, such as AppLocker for Windows and application whitelisting. These tools play a vital part in\r\nkeeping known (and stealthy) malicious files off systems.\r\nQuestions or additional insights regarding BaoLoader or any of the analysis detailed here? We’d love to hear from you.\r\nReach out anytime at intel@expel.com.\r\nAppendix\r\nThe following are the company details extracted from the code-signing certificates. In most certificates, the signer’s state,\r\ncountry, locality (region), and business serial number are available. Some columns have been removed for readability, but\r\nthe full data can be viewed here: https://certgraveyard.org/lookup?detail_type=malware\u0026query=BaoLoader and\r\nhttps://certgraveyard.org/lookup?detail_type=malware\u0026query=OneStart.\r\nSigner | Issuer (short) | Valid start date | Country | Locality | RDN serial number\r\nApollo Technologies Inc SSL.com 7/28/23 PA Panama City 155722923\r\nAstral Media Inc SSL.com 4/11/23 PA Panama City 155704413\r\nAstral Media Inc. DigiCert 5/10/21 PA Panama City 155704413\r\nASTRAL MEDIA INC. 
GlobalSign 5/3/23 PA Panama City 155704413\r\nBlaze Media Inc. DigiCert 9/19/22 PA Panama City 155704406\r\nCaerus Media LLC SSL.com 9/04/24 US Delaware 6125248\r\nDigital Promotions Sdn. Bhd. GlobalSign 3/6/24 MY Skudai 1505433-P\r\nDigital Promotions Sdn. Bhd. SSL.com 4/3/24 MY Skudai 202301011511\r\nDigital Promotions Sdn. Bhd. SSL.com 6/15/23 MY Skudai 202301011511\r\nDrake Media Inc Entrust 4/12/23 PA Panama City 155704428\r\nDrake Media Inc GlobalSign 3/24/23 PA Cuidad de Panama 155704428\r\nECHO INFINI SDN. BHD. SSL.com 1/13/25 MY Skudai 202401031184\r\nECHO INFINI SDN. BHD. SSL.com 1/13/25 MY Skudai 202401031184\r\nEcho Infini Sdn. Bhd. GlobalSign 12/9/24 MY Johor Bahru 1577033-U\r\nEclipse Media Inc SSL.com 7/2/24 PA Panama City 155704432\r\nEclipse Media Inc. DigiCert 1/21/22 PA Panama City 155704432\r\nECLIPSE MEDIA INC. Sectigo 6/20/24 PA ?Not specified? 155704432\r\nEclipse Media Inc. GlobalSign 1/17/24 PA Panama City 155704432-2-2021\r\nGLINT SOFTWARE SDN. BHD. SSL.com 4/24/25 MY Skudai 202401011747\r\nINCREDIBLE MEDIA INC GlobalSign 4/18/24 PA Cuidad de Panama 155722937\r\nInterlink Media Inc. GlobalSign 11/2/23 PA Cuidad de Panama 155704402\r\nInterlink Media Inc. SSL.com 5/24/23 PA Panama City 155704402\r\nMillennial Media Inc. DigiCert 2/28/22 PA Panama City 155704409\r\nOnestart Technologies LLC SSL.com 3/6/25 US Delaware 10070121\r\nOnestart Technologies LLC DigiCert 5/16/25 US Delaware 10070121\r\nRealistic Media Inc. DigiCert 8/2/18 VG Road Town 1817807\r\nSource: https://expel.com/blog/the-history-of-appsuite-the-certs-of-the-baoloader-developer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://expel.com/blog/the-history-of-appsuite-the-certs-of-the-baoloader-developer/"
	],
	"report_names": [
		"the-history-of-appsuite-the-certs-of-the-baoloader-developer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4dd18c84b3d9efe983e4f45840cb804c12dd2ed8.pdf",
		"text": "https://archive.orkl.eu/4dd18c84b3d9efe983e4f45840cb804c12dd2ed8.txt",
		"img": "https://archive.orkl.eu/4dd18c84b3d9efe983e4f45840cb804c12dd2ed8.jpg"
	}
}