{
	"id": "d3d98dd3-5a40-4215-98ce-1e3fbfdf4160",
	"created_at": "2026-04-10T03:20:26.249544Z",
	"updated_at": "2026-04-10T03:22:17.149316Z",
	"deleted_at": null,
	"sha1_hash": "744b0fbb9a1bea96d4f05037604a0cd5097051bb",
	"title": "Threat Actors Weaponize PDF Editor Trojan to Convert Devices into Proxies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 364926,
	"plain_text": "Threat Actors Weaponize PDF Editor Trojan to Convert Devices into Proxies\r\nBy Aman Mishra\r\nPublished: 2025-08-21 · Archived: 2026-04-10 02:33:27 UTC\r\nResearchers have discovered a complex campaign using trojanized software that relies on authentic code-signing certificates to avoid detection and turn compromised machines into unwitting residential proxies, according to a recent threat intelligence notice from Expel Security.\r\nThe operation begins with files bearing the code-signing signature of “GLINT SOFTWARE SDN. BHD.,” a seemingly legitimate entity whose credentials have been abused to lend credibility to malicious payloads.\r\nMalicious Code-Signing\r\nCentral to this scheme is a JavaScript dropper that facilitates the installation of a trojan dubbed “ManualFinder.” This dropper is deployed through persistence mechanisms tied to the OneStart Browser, a known problematic application with a history of suspicious behavior.\r\nThe persistence is achieved via a scheduled task that executes the JavaScript file from the user’s temporary directory, ensuring the malware remains active across system reboots.\r\nOnce activated, the JavaScript establishes outbound connections to command-and-control (C2) domains such as mka3e8[.]com and y2iax5[.]com, from which it retrieves and installs the signed ManualFinder executable.\r\nhttps://gbhackers.com/threat-actors-weaponize-pdf-editor-trojan/\r\nPage 1 of 4\r\nManual Finder\r\nThis multi-stage infection chain highlights the attackers’ focus on stealth and reliability, exploiting trusted certificates to bypass endpoint security controls and user scrutiny.\r\nDual-Function Malware\r\nFurther analysis reveals the insidious nature of the payloads involved. One of the signed files masquerades as a benign PDF editor but harbors trojan capabilities that covertly reconfigure the compromised device into a residential proxy node.\r\nThis transformation allows threat actors to route malicious traffic through the victim’s IP address, effectively anonymizing their operations while potentially implicating the infected user in illicit activities.\r\nThe ManualFinder application, when executed in a controlled sandbox environment, presents itself as a legitimate utility designed to assist users in locating product manuals, complete with functional search features.\r\nHowever, its deployment context raises alarms: it is involuntarily installed via the OneStart Browser, despite the associated website promoting it as a free tool without providing any direct download options.\r\nThis discrepancy suggests a deliberate strategy to distribute the malware through bundled or hijacked software channels, capitalizing on OneStart’s established reputation for sketchy practices.\r\nAccording to the report, Expel’s investigation underscores how such dual-purpose malware blends utility with malice, complicating detection efforts because the benign facade can deceive both users and automated scanners.\r\nThe overall campaign reflects an evolving threat landscape in which attackers weaponize everyday productivity tools, turning them into vectors for proxy networks that support activities like distributed denial-of-service attacks, data exfiltration, or anonymized cyber espionage.\r\nThe implications of this trojan are significant for cybersecurity professionals, as it demonstrates the abuse of code-signing infrastructure and the challenges in monitoring persistent, low-profile infections.\r\nOrganizations are advised to scrutinize software signatures, monitor scheduled tasks for anomalous JavaScript executions, and block known C2 domains to mitigate risks.\r\nBy converting devices into proxies, attackers not only expand their infrastructure but also expose victims to legal and reputational hazards, emphasizing the need for robust threat hunting and endpoint protection strategies.\r\nIndicators of Compromise (IOCs)\r\nIndicator Type | Description | Value\r\nFile Hash (MD5) | PDF Editor Trojan | d09b667391cb6f58585ead314ad9c599\r\nFile Hash (MD5) | ManualFinder Executable | 1efaffcd54fd2df44ab55023154bec9b\r\nFile Hash (MD5) | OneStart Browser | 27fb60fa0e002bdb628ecf23296884d3\r\nDomain | Command-and-Control (C2) | mka3e8[.]com\r\nDomain | Command-and-Control (C2) | y2iax5[.]com\r\nAman Mishra\r\nAman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.\r\nSource: https://gbhackers.com/threat-actors-weaponize-pdf-editor-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://gbhackers.com/threat-actors-weaponize-pdf-editor-trojan/"
	],
	"report_names": [
		"threat-actors-weaponize-pdf-editor-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775791226,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/744b0fbb9a1bea96d4f05037604a0cd5097051bb.pdf",
		"text": "https://archive.orkl.eu/744b0fbb9a1bea96d4f05037604a0cd5097051bb.txt",
		"img": "https://archive.orkl.eu/744b0fbb9a1bea96d4f05037604a0cd5097051bb.jpg"
	}
}