{ "id": "0c5c0b9d-91e3-40a2-975e-988561c47e17", "created_at": "2026-04-06T00:08:20.84797Z", "updated_at": "2026-04-10T03:36:47.697219Z", "deleted_at": null, "sha1_hash": "be5cb4b2fbbbd0eec6e23ffdb275ccd5e05b1233", "title": "Backdoor in \"AppSuite PDF Editor\": A Detailed Technical Analysis", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2391771, "plain_text": "Backdoor in \"AppSuite PDF Editor\": A Detailed Technical\r\nAnalysis\r\nBy G DATA Security Center\r\nPublished: 2025-09-16 · Archived: 2026-04-05 15:46:57 UTC\r\nSome threat actors are bold enough to submit their own malware as false positive to antivirus companies and\r\ndemand removal of the detection. This is exactly what happened with AppSuite PDF Editor. Initially, automation\r\nflagged it as a potentially unwanted program—a verdict that is typically reserved for legitimate software with\r\nshady features like unwanted advertisement or installation of third-party programs without proper consent. In the\r\ncase of AppSuite, however, we found a backdoor.\r\nAnalysis by Karsten Hahn and Louis Sorita\r\nHigh-ranking websites\r\nThreat actors are leveraging websites, which have high-ranking search results, to lure users into downloading a\r\ndeceptively functioning 'productivity tool' or 'command center' for PDF management. The websites have\r\nsimilarities to the download pages of JustAskJacky and other classical trojan horses we described earlier in this\r\nblog article. \r\nThese different websites download the very same MSI installer[1].\r\nFigure 1: PDF editor is advertised on various websites with different designs\r\nAppSuite Microsoft installer\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 1 of 17\n\nThe downloadable installer[1]\r\n is a Microsoft Installer (MSI) file that was created with an  open-source version of\r\nWiX, which is a 'set of tools that build Windows Installer packages'.\r\nUpon execution and accepting the EULA, the installer immediately downloads the PDF editor program from\r\nvault[.]appsuites[.]ai to the '%USERPROFILE%\\PDF Editor' directory.\r\nIt then executes the main application with no arguments which is equivalent to starting the --install routine, which\r\nwe will describe later. It also creates an autorun entry that supplies the command line argument --cm=--fullupdate\r\n(sic!) for the next run of the malicious application.\r\nAppSuite PDF Editor\r\nThe editor itself is an Electron application, a framework that allows developers to build cross-platform desktop\r\napplications with JavaScript. The program is installed to '%USERPROFILE%\\PDF Editor' or\r\n'%LOCALAPPDATA%\\Programs\\PDF Editor'\r\nComponents overview\r\nThe following components are the most important in our analysis, you will find the sample hashes in the\r\nindicators of compromise section at the bottom:\r\nFilename Path Description\r\npdfeditor.js[2]\r\nPDF Editor\\resources\\app\\w-electron\\bin\\release\r\nmain code, contains the backdoor\r\npackages.json PDF Editor\\resources\\app\r\nmain code execution reference for\r\npdfeditor.js\r\nUtilityAddon.node[3]\r\nPDF Editor\\resources\\app\\w-electron\\bin\\release\\libhelper DLL, among others used for\r\npersistence with scheduled tasks\r\nLOG1\r\nPDF Editor\\resources\\app\\w-electron\\bin\\release\\default\r\nencoded JSON file with settings\r\nLOG0\r\nPDF Editor\\resources\\app\\w-electron\\bin\\release\\default\r\ntemporary JSON file\r\nPDFEditorSetup.exe[4] PDF Editor\\\r\nNSIS installer that contains all relevant files,\r\nadds RUN entry to registry that executes the\r\napplication with command line switch --\r\ncm=--fullupdate\r\nPDF Editor.exe[5] PDF Editor\\ this is a standard Electron app launcher\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 2 of 17\n\nFilename Path Description\r\nUninstall PDF\r\nEditor.exe[6]\r\nPDF Editor\\ the uninstaller of the program\r\nThe main component is the file pdfeditor.js[2] which contains JavaScript code that is obfuscated with\r\nObfuscator.io and additionally features custom string obfuscation routines.\r\nCommandline switches and GUI\r\nThe script pdfeditor.js[2] takes the following command line arguments (see also figure 4).\r\nCommand line\r\nswitch\r\nMeaning\r\nBackdoor\r\nroutine\r\n--c and --cm\r\nmissing\r\nInitiates installation --install\r\n--c=0  \r\nskips main backdoor code and immediately runs GUI if the file\r\n\\\\mode.data exists\r\nnone\r\n--cm=--cleanup\r\nUnregisters from the server and deletes scheduled tasks\r\nPDFEditorScheduledTask and PDFEditorUScheduledTask\r\n--cleanup\r\n--cm=--\r\npartialupdate\r\nContacts server for configurations, reads browser keys and changes\r\nbrowser settings, can execute arbitrary commands\r\n--check\r\n--cm=--\r\nfullupdate       \r\nContacts server for configurations, reads browser keys and changes\r\nbrowser settings, can execute arbitrary commands, additionally kills\r\nspecific processes\r\n--reboot\r\n--cm=--\r\nenableupdate\r\nAdds the RUN key PDFEditorUpdater with --cm=--fullupdate\r\ncommandline switch\r\nnone\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 3 of 17\n\nCommand line\r\nswitch\r\nMeaning\r\nBackdoor\r\nroutine\r\n--cm=--\r\ndisableupdate\r\nRemoves the RUN key PDFEditorUpdater none\r\n--cm=--\r\nbackupupdate\r\nPolls the server for actions to execute, these actions allow among others\r\nadditional malware downloads, data exfiltration, and registry changes, the\r\ncommand line switch is often run through a recurring scheduled task\r\n--ping\r\nAppSuite translates many of the innocent looking command line arguments into what it calls “wc routines”: --\r\ninstall, --ping, --check, --reboot, --cleanup. We believe that these may have been the original command line\r\nswitches that were wrapped into more innocent-looking commands. They represent the core routines of the\r\nbackdoor, which we describe in the following sections.\r\nFigure 4: Handling of the command line switches\r\nExcept for the --c switch, all other command line switches create an instance of the main backdoor code and run it.\r\nAfter the backdoor code, a file named mode.data toggles whether a GUI is shown or if the application is silent.\r\nThe file mode.data must exist in the 'working directory', which is\r\n%USERPROFILE%\\PDF Editor\\resources\\app\\w-electron\\bin\\release\r\nIf that is the case, the program will open a graphical user interface (GUI) that allows users to edit PDF files (see\r\nfigure 5). The GUI is internally a browser window that opens the URL hxxps://pdf-tool.appsuites(dot)ai/en/pdfeditor\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 4 of 17\n\nwith the user agent PDFFusion/93HEU7AJ. Without that specific user agent the website stays blank, probably to\r\nforce people to use the AppSuite program instead of their own browser.\r\nBecause the PDF editing is done via a browser window, the majority of the pdfeditor.js code is dedicated to\r\nbackdoor and adware routines. Out of 3661 lines of deobfuscated code, only 17 open the browser window and\r\nthus run the decoy application.\r\nFigure 5: The GUI of PDF editor is actually a browser window\r\nBackdoor routine --install\r\nThe backdoor invokes the --install routine if the caller did not supply any of the command line switches --c or --\r\ncm. The script checks if it already has an installation ID, which is abbreviated as ‘iid’ in the script. This install ID\r\nis saved alongside other settings in the LOG1 file and it is empty per default \r\nIf there is no installation ID, the script checks if an SID exists. If it does not exist, it obtains it via the\r\nUtilityAddon.node[3] DLL function get_sid(). If the SID exists, it will continue by registering the application to\r\nthe C2 server, first via node-fetch on:\r\nhxxps://appsuites(dot)ai/api/s3/new?=fid=ip\u0026version=1.0.28\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 5 of 17\n\nFigure 6: Node-fetch request on appsuites(dot)ai /api/s3/new\r\nAnd if that does not work, it tries:\r\nhxxps://sdk.appsuites(dot)ai/api/s3/new?fid=ip\u0026version=1.0.28\r\nThe supplied version is the hardcoded version of the backdoor. The server responds with a JSON that provides the\r\ninstallation ID.\r\nThe backdoor converts the SID to a hex string representation and saves installation ID and SID values to LOG1.\r\nIn LOG1 the SID value is called ‘usid’ and the installation ID is called ‘iid’.\r\nAfterwards, regardless if obtaining SID and installation ID had been successful, pdfeditor.js also triggers\r\nscheduled task creation for two tasks:\r\n1. PDFEditorScheduledTask runs the application with --cm=--partialupdate which triggers the --check\r\nroutine once\r\n2. PDFEditorUScheduledTask runs the application with --cm=--backupupdate, which repeatedly triggers the\r\n–-ping routine\r\nFigure 7: Creation of scheduled tasks via UtilityAddon.node\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 6 of 17\n\nThe script calls the export functions of UtilityAddon.node to create the scheduled tasks. If the exported function\r\nmutate_task_schedule returns false, it calls create_task_schedule and repeat_task_schedule, which supply the\r\nparameters to initiate a --check once and a repeated --ping.\r\nFollowing the function FUN_1800006940 from mutate_task_schedule, two hex values are typecasted into 'IID *'\r\n(Interface Identifiers) which is a GUID struct (Globally Unique Identifier).\r\nThese hex data when converted into GUID are actually Task Scheduler Component Object Model:\r\nc7a4ab2fa94d1340969720cc3fd40f85\r\n{2FABA4C7-4DA9-4013-9697-20CC3FD40F85969720CC3FD40F85}\r\nCOM interface ITaskService\r\n9f36870fe5a4fc4cbd3e73e6154572dd\r\n{0F87369F-A4E5-4CFC-BD3E-73E6154572DDBD3E73E6154572DD}\r\nCOM class Schedule.Service\r\nThe function mutate_task_schedule checks if the Task Scheduler and Scheduled Task class object already has\r\nthe PDFEditorScheduledTask taskname and returns true or false accordingly.\r\nThe sixth parameter 0x5a2, 1442 in decimal, of the create_task_schedule function is multiplied by 600,000,000\r\n(100-ns ticks), which is equivalent to 1 minute and is added to the current local/system time which will be the\r\nexecution of the scheduled task. This means that the scheduled execution of the PDF Editor.exe with --cm=--\r\npartialupdate switch will be after 1 day, 0 hour and 2 minutes.\r\nThis behavior ensures that no suspicious activity is shown in automatic sandbox systems, which commonly do not\r\nwait one day for a scheduled task execution.\r\nFigure 10: Decompiled code of create_task_schedule export function of UtilityAddon.node dll\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 7 of 17\n\nBackdoor routine --cleanup and infection remediation\r\nThe --cleanup routine is commonly called from the uninstaller, a separate NSIS executable distributed with the\r\nprogram. The uninstaller indeed removes the backdoor files, likely to avoid raising suspicion. After all, the threat\r\nactors attempted to appeal the potentially unwanted verdict, probably hoping that we would not be able to\r\ndeobfuscate the code and only rely on dynamic analysis. A non-functional uninstaller would have undermined\r\ntheir appeal.\r\nThe cleanup routine sends its installation ID to the remote server via one of:\r\nhxxps://appsuites(dot)ai/api/s3/remove?iid=\u003ciid\u003e\r\nhxxps://sdk.appsuites(dot)ai/s3/remove?iid=\u003ciid\u003e\r\nAfterwards it deletes the two scheduled tasks PDFEditorScheduledTask and PDFEditorUScheduledTask.\r\nYou might be wondering at this point if the official AppSuite uninstaller will fully remediate the infection. But this\r\nis a fallacy. Firstly, the backdoor sometimes creates additional scheduled tasks in the --check or --reboot routine.\r\nSecondly, any backdoor infection provides unauthorized access for threat actors to the system, which means they\r\ncan install additional malware and autorun routines. Thirdly, we do not trust that the uninstaller works as\r\ndescribed for all versions of the backdoor, because threat actors created it.\r\nBecause of that unauthorized access any backdoor infection that successfully contacted the command and control\r\nserver should be cleaned by repaving the system, which means formatting the affected drives and re-installing the\r\noperating system. In case of AppSuite, repaving is necessary if the backdoor’s scheduled tasks have been\r\nexecuted.\r\nFigure 11: NSIS setup script showing --cm=--cleanup switch being set during uninstallation\r\nBackdoor routine --ping\r\nThe --ping routine only works if the program already received an installation ID. If that is the case, it builds an\r\nActionRequest object (object name by us) which consists of the following fields:\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 8 of 17\n\nProgress\r\nActivity\r\nSession\r\nTimezone\r\nVersion\r\nNextURL\r\nValue containing the lists: File, Reg, URL and Proc\r\nThe backdoor encrypts this ActionRequest object with AES-128-CBC encryption, using 0x10 random bytes as the\r\ninitialization vector or IV. The backdoor derives the encryption key from the installation ID. To do so, it removes\r\nall ‘-’ characters from the installation ID string and builds the encryption key by concatenating\r\n‘276409396fcc0a23’ with the first 0x10 bytes of the processed installation ID.\r\nThe function then prepends four magic bytes and the IV in uppercase to the encrypted buffer and returns that as a\r\ndata blob:\r\nIV | 0x41, 0x30, 0x46, 0x42 | AES-encrypted struct\r\nFigure 12: Deobfuscated code for AES-128-CBC encryption and the encrypted ActionRequest struct\r\n(click to enlarge)\r\nThe backdoor sends this data blob together with the ‘iid’ as parameter via POST to\r\nhxxps://on.appsuites(dot)ai/ping\r\nThe script decrypts the server response with AES-128-CBC by using again the installation ID to derive the key.\r\nThe first 0x20 bytes of the message are the IV.\r\nThe backdoor unpacks the decrypted response into the ActionRequest object again. Each list in the\r\nActionRequest.Value member contains actions or activities that the backdoor shall perform.\r\nFile – list of file related actions\r\nReg – list of registry related actions\r\nUrl – list of URL related actions\r\nProc – list of process related actions\r\nFor each list, the script calls a handler to execute the queued actions one after another. The activity enum\r\ndetermines what kind of action is performed. The enum has one of the following values:\r\nEXISTS 0x1\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 9 of 17\n\nREAD 0x2\r\nWRITE 0x3\r\nDELETE 0x4\r\nEXTRACT 0x5\r\nThe following functions are available for each of the activity lists, controlled by the activity enum:\r\nActivity list Activity enum Meaning of command\r\nFile\r\nEXISTS Check if file or folder exists\r\nREAD Read file to hex string\r\nWRITE Write file\r\nDELETE Delete file\r\nEXTRACT Extract chromium preferences\r\nReg\r\nEXISTS Check if registry value exists\r\nREAD Read registry value\r\nWRITE Write registry value\r\nDELETE Delete registry value\r\nURL WRITE Download and save file\r\nProc\r\nEXISTS Check if process exists and return true or false\r\nREAD Return process image path and exists flag\r\nThe script obtains the process list by calling the UtilityAddon.node GetPsList() function.\r\nThese commands allow the backdoor to load additional malware onto the system and to persist or run it via the\r\nregistry activities. Reading file and registry allows threat actors to exfiltrate any files or settings from the system.\r\nThe process listing helps to gauge which security software might be on board and whether the system is real or\r\njust an analysis sandbox. This way threat actors can decide whether taking any action, like downloading additional\r\nmalware, is worthwhile.\r\nThe activity lists do not allow arbitrary command execution; this is rather part of the --check and --reboot core\r\nroutines.\r\nBackdoor routines --check and --reboot\r\nFor both routines, --check and --reboot, the backdoor calls the same internal function. If the --reboot command\r\nwas supplied, the backdoor will later kill certain processes, but everything else is the same for --check and --\r\nreboot.\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 10 of 17\n\nFirst, the script prevents multiple runs by verifying the presence and the last modified time of the file\r\n%USERPROFILE%\\PDF Editor\\resources\\app\\w-electron\\bin\\release\\state\r\nIf that file is younger than 900,000 ms, which is 15 minutes, the backdoor will terminate itself. If the file is older,\r\nit will delete the state file and continue. If the state file does not exist, the backdoor creates the file and writes an\r\nempty string into it.\r\nNext, the backdoor decodes the LOG0 file if it exists and copies the SID and installation ID to LOG1. It then\r\nchecks if it has an installation ID in LOG1 and aborts if it does not have one.\r\nAfter that it starts a bootstrap function to obtain the options configuration from the server. Based on the error\r\nmessages that function was likely called GetRtc by the malware developer(s).\r\nFigure 12: Bootstrap or GetRtc function that fetches command line templates from the server\r\nThe bootstrap function uses a hardcoded, XOR obfuscated ‘e-key’ value and the installation ID to derive an AES-256-CBC encryption key. The e-key value is\r\n517876386D6E68D72F5C89EB99E432DC7A592CC32478D0373193000D7DC88FC7\r\nThe key consists of: first 0x18 bytes of e-key | first 0x8 bytes of installation ID\r\nThe function then encrypts the installation ID, version and an ‘isSchedule’ flag, which is set to 0, with the\r\npreviously derived key. The backdoor saves the result as hex string in a data blob. Then it sends the data blob,\r\ninstallation ID and IV as parameters with POST to hxxps://sdk.appsuites(dot)ai/api/s3/options\r\nThe response of the C2 server is a JSON object with file paths, settings and command templates. Among others it\r\ncontains paths for Wave browser, Shift browser and OneLaunch profiles and settings. The command templates are\r\nused in other parts of the code to be executed with, e.g., cmd.exe or reg.exe. Because the commands are set via the\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 11 of 17\n\noptions configuration obtained from the C2, the backdoor has a flexible way to adjust its available commands on\r\nthe fly.\r\nTo put it bluntly: This means AppSuite threat actors may execute arbitrary commands on the infected\r\nsystem. This is also the main reason we classify this malware as backdoor and not just as loader or stealer.\r\nAt this point the following actions of the backdoor depend on the supplied command templates, but we inferred a\r\nmeaning for some of them without the templates.\r\nThe backdoor checks if Wave browser, Shift browser, OneLaunch and two other configurable paths exist on the\r\nsystem and sets flags accordingly which trigger later if scheduled tasks or other autorun methods should be\r\ncreated for these applications. The names of these scheduled tasks are ShiftLaunchTask, OneLaunchLaunchTask,\r\nWaveBrowser-StartAtLogin.\r\nFigure 13: Command templates and arguments are supplied to a string format function to create the\r\nfinal command and execute it. Here we inferred from the decrypted strings and their usage that two\r\nof the command templates are likely meant to contain reg add and reg query commands\r\nThe backdoor proceeds to request another configuration from the server, more specifically from\r\nhxxps://sdk.appsuites(dot)ai/api/s3/config\r\nThis time the server supplies flags and strings for the following values:\r\nFlag or field Meaning or target\r\nKey saved to\r\nLOG1\r\nwc Disables all handlers for the flags below at once if set to false -\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 12 of 17\n\nFlag or field Meaning or target\r\nKey saved to\r\nLOG1\r\nwcs\r\nFor Chromium browser: Sends pref and spref to C2, gets modified\r\nversions and writes them back\r\nc-key\r\n  unused -\r\nwdc\r\nFor Chromium browser: Sends pref and spref to C2, gets modified\r\nversions and writes them back\r\ncw-key\r\nwde\r\nFor Chromium browser: Sends pref and spref to C2, gets modified\r\nversions and writes them back\r\nce-key\r\nol and ol_deep Read and write OneLaunch settings and data ol-key\r\nwv and\r\nwv_deep\r\nRead and write Wave browser settings and data wv-key\r\nsf and sf_deep Read and write Shift browser settings and data sf-key\r\npas and\r\npas_deep\r\npossibly OneLaunch password manager pas-key\r\ncode unused -\r\nreglist list of registry keys and values to add -\r\nExcept for code and reglist, all the previous items are boolean flags. Each flag triggers a specific handler function,\r\nwhich means these are switches provided by the C2 server that turn certain functionality on or off. We inferred the\r\nmeaning of the flags ol, wv, sf and their *_deep variants based on the strings used for the scheduled tasks. For the\r\nother switches like wdc an wde we suspect that Edge and Chrome are targeted. But we are not sure because it\r\ndepends on the options config and its command templates.\r\nThe code field is unused in the current sample. The reglist is supposedly a list of registry values that the backdoor\r\napplies to the system. After processing all entries of the reglist, the script calls the special handlers for the flags.\r\nThe handlers for wv, sd and ol read settings files of the applications OneLaunch, Wave Browser and Shift Browser\r\nand extract keys from them. Those keys are saved as ol-key, sf-key and wv-key in the LOG1 file. The handlers\r\nalso add scheduled tasks for their corresponding applications.\r\nThe pas handler likely deals with the OneLaunch password manager. We assume that because the OneLaunch-related registry values. The pas-key is also saved to the LOG1 file.\r\nThe handlers of wdc, wcs and wde target Chromium based browsers. Each handler is likely for a different flavor\r\nof these browsers, e.g. Edge or Chrome. They send the pref and spref files to the server, obtain modified versions\r\nfrom the server and write them back. They execute custom queries on the browser cache files and send the result\r\nto the server. Furthermore, the handlers obtain the profile.info_cache and the saved os_crypt.encrypted_key values\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 13 of 17\n\nand decode them with the GetOsCKey() function of UtilityAddon.node. The obtained keys are saved to LOG1\r\nunder the names c-key (for wcs), cw-key (for wdc) and ew-key (for wde).\r\nIn summary, these handlers allow the backdoor to query, exfiltrate and manipulate any data or settings of these\r\nbrowsers, including saved credentials, browser history, cookies or setting custom search engines.\r\nFigure 14: The wcs handler syncs Chromium pref and spref files and applies a list of registry values.\r\nEvent logging\r\nAppSuites has an event logging mechanism with 68 event codes and three log levels. It sends all steps of\r\nexecution and any exceptions to the server.\r\nThe event object has the following values:\r\nbid – code\r\nc – context information\r\ne – string representation of exception object\r\ni – installation ID (iid) or the string ‘initialization’ if it does not exists yet\r\nl – log level, INFO (1), ERROR (-1) or DEBUG (0)\r\nm – one of 68 event codes\r\np – flag of unknown meaning, currently always set to 1\r\ns – current command string\r\nv – version string\r\nThe context information in c is a string representation of a list, where each element is separated by ‘|’. The event\r\nlogger translates boolean values to the characters ‘1’ or ‘0’. The context is used to provide additional information,\r\ne.g., a JSON object that AppSuite tried to parse while an exception occurred.\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 14 of 17\n\nThis event object is encrypted with AES-256-CBC, using the first 0x18 bytes of the e-key followed by the first\r\n0x8 bytes of the installation ID as key. If the installation ID does not exist yet, the script uses the string\r\n‘initialization’ instead.\r\nThe backdoor sends the encrypted data blob, IV (initialization vector) and installation ID as parameters via POST\r\nrequest to hxxps://appsuites(dot)ai/api/s3/event\r\nForensic value of LOG1 and LOG0\r\nLOG1 and LOG0 reside in the following folder:\r\n%USERPROFILE%\\PDF Editor\\resources\\app\\w-electron\\bin\\release\\default\r\nLOG1 is an encoded JSON file that holds installation ID (‘iid’), SID (‘usid’), backdoor-specific encryption key\r\n(‘e-key’) and browser keys ('c-key', ‘wv-key’, ‘sf-key’, ‘ol-key’, ‘cw-key’, ‘pas-key’).\r\nPer default only the size has a value, any other values are empty at first and may be added later during execution\r\nof the backdoor.\r\nWe created the following Python script to decode LOG1:\r\nThe decoded LOG1 tells analysts whether the backdoor already received an installation ID and whether it\r\nextracted application keys.\r\nLOG0 is not directly created in the code. Its only reference is a function that is called from the --check and --\r\nreboot routines and copies ‘usid’ (SID) and ‘iid’ (installation ID) values from LOG0 to LOG1. We suspect that the\r\nmalware developers might use it for local debugging, because the installation ID is required before most of the\r\nbackdoor’s code executes properly. With the LOG0 file the developer could set the installation ID and SID\r\nimmediately and does not have to wait for the server’s response.\r\nIt might also be a way to change these values remotely via the file download actions of the backdoor without\r\ncausing any syncing issues while the program is running.\r\nMalware classification and relation to OneStart\r\nThere is no doubt in our view: AppSuite PDF Editor is malicious. It is a classic trojan horse with a backdoor that\r\nis currently massively downloaded. For instance, we saw 28,689 download attempts last week in our telemetry.\r\nWe announced our findings early on social media such as X, LinkedIn, Bluesky and Mastodon (see [P4],[P5]).\r\nStill, many security vendors classify the program as potentially unwanted application rather than malware.\r\nPotentially unwanted also implies that the software is sometimes wanted. Yes, AppSuite includes a functioning\r\nPDF editor, but who would knowingly trade that for a backdoor? We hope that this article changes the perception.\r\nSome security experts have pointed to links between AppSuite and OneStart PDF Editor, suggesting that the same\r\nthreat actor is behind both applications [P1,P2]. At this stage, we can neither confirm nor rule out that connection.\r\nWhat is clear, however, is that the two programs differ in their code base, and OneStart requires its own dedicated\r\nanalysis.\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 15 of 17\n\nThe boldness of AppSuite threat actors in submitting their malware as false positives is not an isolated incident. In\r\nrecent weeks, we had multiple attempts by threat actors to challenge our verdicts while posing as legitimate\r\nsoftware publishers. Security vendors must be aware of this ploy and remain suspicious of such files.\r\nWhat remains without question: Free PDF editors are highly sought after, and if the most convincing options come\r\nfrom threat actors, we do have a problem.\r\nIndicators of compromise\r\nThe following files and URLs were the basis of our analysis and revealed the file locations and persistence\r\nindicators below.\r\nAdditionally we provide the deobfuscated script[7] for fellow researchers. We renamed function and variable\r\nnames manually, so they should not be used as basis for detection signatures. Most strings of the sample are\r\nencrypted in the original file and will only appear in memory. \r\nInstall locations\r\n%LOCALAPPDATA%\\Programs\\PDF Editor\r\n%USERPROFILE%\\PDF Editor\r\nSample hashes\r\n[1] MSI: fde67ba523b2c1e517d679ad4eaf87925c6bbf2f171b9212462dc9a855faa34b\r\n[2] pdfeditor.js: b3ef2e11c855f4812e64230632f125db5e7da1df3e9e34fdb2f088ebe5e16603\r\n[3] UtilityAddon.node: 6022fd372dca7d6d366d9df894e8313b7f0bd821035dd9fa7c860b14e8c414f2\r\n[4] PDFEditorSetup.exe: da3c6ec20a006ec4b289a90488f824f0f72098a2f5c2d3f37d7a2d4a83b344a0\r\n[5] PDF Editor.exe: cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c\r\n[6] Uninstall PDF Editor.exe: 956f7e8e156205b8cbf9b9f16bae0e43404641ad8feaaf5f59f8ba7c54f15e24\r\n[7] Deobfuscated pdfeditor.js: 104428a78aa75b4b0bc945a2067c0e42c8dfd5d0baf3cb18e0f6e4686bdc0755\r\nPersistence values and user agent\r\nUser Agent - PDFFusion/93HEU7AJ\r\nScheduled task 1 – PDFEditorScheduledTask executing\r\n%USERPROFILE%\\PDF Editor\\PDF Editor.exe --cm=--partialupdate\r\nScheduled task 2 – PDFEditorUScheduledTask executing\r\n%USERPROFILE%\\PDF Editor\\PDF Editor.exe --cm=--backupupdate\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 16 of 17\n\nScheduled task 3 – ShiftLaunchTask\r\nScheduled task 4 – OneLaunchLaunchTask\r\nScheduled task 5 – WaveBrowser-StartAtLogin\r\nRUN key PDFEditorUpdater with value\r\n%USERPROFILE%\\PDF Editor\\PDF Editor.exe\r\nC2 URLs\r\nhxxps://appsuites(dot)ai\r\nhxxps://sdk.appsuites(dot)ai\r\nhxxps://log.appsuites(dot)ai\r\nhxxps://on.appsuites(dot)ai\r\nDownload URLs\r\nhxxps://vault.appsuites(dot)ai/AppSuite-PDF-1.0.28.exe\r\n[D1] hxxps://pdfmeta(dot)com\r\n[D2] hxxps://pdfartisan(dot)com\r\n[D3] hxxps://appsuites(dot)ai\r\n[D4] hxxps://pdfreplace(dot)com\r\nSource: https://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nhttps://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis\r\nPage 17 of 17", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis" ], "report_names": [ "38257-appsuite-pdf-editor-backdoor-analysis" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434100, "ts_updated_at": 1775792207, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/be5cb4b2fbbbd0eec6e23ffdb275ccd5e05b1233.pdf", "text": "https://archive.orkl.eu/be5cb4b2fbbbd0eec6e23ffdb275ccd5e05b1233.txt", "img": "https://archive.orkl.eu/be5cb4b2fbbbd0eec6e23ffdb275ccd5e05b1233.jpg" } }