Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Beyond Potentially Unwanted Apps Malware Behind Fake PDF Converters Version: 1.2 – 12-04-2025 Author: Serkan Sirmaci, Cyber Security Analyst @ Controlware CSIRT Contact: threatreport@controlware.de www.controlware.de blog.controlware.de Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 2 von 19 Headquarters: Controlware GmbH  Waldstraße 92  63128 Dietzenbach  GERMANY Phone +49 6074 858-00  Fax +49 6074 858-108  info@controlware.de  www.controlware.de Register court Offenbach a.M.  HRB no. 6431  VAT-ID DE 113 539 225  Tax no. 04423035231 Managing Directors: Bernd Schwefing, Michael Küchen; Chairman of the Supervisory Board: Christof Ziegler Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 3 von 19 Dear Readers, PDF converters are among the most frequently searched tools in search engines. The most common use cases are converting PDF files to Word, Word to PDF, or merging several PDFs. Attackers actively exploit this popularity. PDF tools appear harmless, solve everyday problems, and are intentionally searched for by users. This creates a situation where users willingly download and execute installers or use online con- verters without being suspicious. These fake online converter websites and supposedly trustworthy install- ers then serve as an initial access point for various types of malwares, which can silently embed themselves into the system and often become active only weeks later. In recent campaigns, attackers combine several techniques to remain undetected. They use SEO manip- ulation, typo squatting (registering domains that look almost identical to legitimate ones), and malvertising (purchasing online ads that redirect users to malicious sites) to push their fake services to the top of search results. Introduction In recent months, during our threat-hunting activities, we have noticed a new distribution trend involving “PDF Converter” themed software. These tools are delivered through Google ads or SEO poisoning and appear to offer a simple free file conversion service to users. However, many of these samples contain Adware/PUA or beyond a PAU features. Distributors make these tools seem legitimate by using modern user interface, fake reviews, and positive user comments, which makes this trend even more risky. Tools had abused code-signing certificates to look more trustworthy and to bypass SmartScreen, but in most cases the certificates are already revoked. In this write-up, we reviewed the technical features of these campaigns, the strategies used to deceive users, and the security risks they pose. How did it start As the Controlware CSIRT, we first detected the active distribution of several PDF Converter tools, likely connected to each other, through EDR systems in October 2025. The initial alert was triggered by a tool named CrystalPDF, which had been added to MalwareBazaar by Karsten Hahn. He also shared his partial analysis of this sample on X In the following days, we began receiving similar alerts for several other PDF converter tools. We launched a hunting activity to determine whether they were present across our customer environments. This search revealed many matches, which led us to investigate them in more detail. Our goal was to understand how dangerous they might be, to determine whether there was any relationship between the different samples and to identify what kind of hunting strategy could be used to detect these tools effectively. We selected six different PDF converters for further analysis. https://bazaar.abuse.ch/browse/tag/CrystalPDF/ https://x.com/struppigel/status/1977691895250772086?s=42 Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 4 von 19 Technical overview We have observed following notable suspicious indicators during our analysis: 1. Many of the analyzed tools maintain persistence by creating a scheduled task.  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sched- ule\TaskCache\Tree\ConvertMateTask"  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sched- ule\TaskCache\Tree\Crystal_updater"  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sched- ule\TaskCache\Tree\Easy2ConvertTask"  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT \CurrentVersion\Sched- ule\TaskCache\Tree\PDC_Update" This task runs a .NET executable dropped in folder under AppData\Local (Figure 1) during installation, usually named to resemble a legitimate updater. Figure 1 Controlware CSIRT-AppData Folder Through this task, the software establishes regular connections to remote servers using a recurring pattern of infrastructure. The same directory also contains a dropped text file (Figure 1), which appears to store a UUID used during these network communications. Figure 2 Controlware CSIRT-dnSpy Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 5 von 19 The traffic is sent in JSON format and protected with AES encryption (Figure 3). Most of the contacted domains are already marked as suspicious by several security vendors on VirusTotal. Figure 3 Controlware CSIRT-dnSpy 2. Most of their certificates have been revoked by the issuer (Figure 4). It appears that when their certificates are revoked, the threat actors switch to a new code-signing certificate. CrystalPDF and PDFSpark are examples of this behavior. Figure 4 Virus Total Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 6 von 19 3. Uninstall options are fake, it removes only the shortcuts and the uninstall registry keys and connects to a domain to show “Good by” but the malware continues to run, and the scheduled task remains active (Figure 5). Figure 5 Controlware CSIRT-dnSpy 4. They are using reverse strings or simple obfuscations (Figure 6, 7). Figure 6 Controlware CSIRT-dnSpy Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 7 von 19 Figure 7 Controlware CSIRT-dnSpy We identified that ConvertMate redirects users to the installation page of a Chrome extension called BriefMe (Figure 8). The extension performs its summarization function by connecting to an Amazon service, and technically it has permission to read and modify data on all visited websites. The domain listed in the extension’s privacy information is not reachable, and the developer’s email domain redirects to another extension download page, which belongs to a password manager. However, the extension still requires user interaction for installation, so no silent deployment is possible. Figure 8 Controlware CSIRT-dnSpy-Chrome Web Store Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 8 von 19 5. We detected that PowerDoc and PDFClick were performing browser hijacking (Figure 9). Figure 9 Controlware CSIRT-Google Chrome Browser Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 9 von 19 Threat Intelligence Findings After analyzing the tools, we collected several indicators and used them to understand how closely these artifacts might be related. Some of the findings suggested that many of them are linked to the same eco- system or operation. Explained below, we identified that PDFSpark differs from the other samples in several ways. Figure 10 Obsidian Graph View 1. Based on the domains we identified that ConvertMate and PDFSpark connect to two of the same domains (Figure11, 12). PDFSpark has two different versions, and the one signed by Crowd Sync LLC was observed to communicate with the same two domains as ConvertMate. Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 10 von 19 Figure 11 Virus Total Figure 12 Virus Total The version of PDFSpark signed by Mainstay Crypto LLC and the version signed by Crowd Sync LLC show different download mechanisms and remote communication patterns. For example:  The Crowd Sync LLC version downloads the converted file from pdfspark[.]s3[.]us-east-2[.]amazonaws[.]com  The Mainstay Crypto LLC version uses different buckets: pdfsparkcomponent[.]s3[.]us-east-2[.]amazonaws[.]com, electronparts[.]s3[.]us-east-1[.]amazo- naws[.]com Additionally, PDFSpark’s overall infrastructure differs from the other five tools analyzed. While the other tools are distributed as direct .NET compiled binaries (Easy2Convert and PDFCLick are C++, but drops a .NET updater during installation), PDFSpark is packaged using Inno Setup, which sets it apart from the rest. Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 11 von 19 2. Five of the analyzed tools were found to perform PDF conversion through an external service. These tools use CloudConvert (Figure 13), a well-known third-party provider that offers API-based file conversion. CloudConvert is based in Germany (Lunaweb GmbH) and operates with paid, usage-based plans. This finding is notable because all the reviewed tools are distributed for free and do not display any advertise- ments. The fact that they spend money to provide this service without generating any revenue may indicate that the operation is motivated by other aims. Figure 13 Obsidian-CloudConvert Official Web Page During our analysis, we did not observe any direct CloudConvert API calls made by PDFSpark for the conversion process. Instead, the tool connects to an Amazon S3 storage service. According to CloudConvert’s documentation, converted files can be downloaded in two different ways: 1. If there is no external export method (such as S3 or Azure), CloudConvert provides a temporary download URL (S3) valid for 24 hours. 2. If the client has a custom export method configured, the converted file is exported directly to that storage endpoint. These findings suggest that PDFSpark may still be using CloudConvert in the background, considering its relationship with ConvertMate, as previously noted, it would not be a surprise if this scenario were true, but it is not possible to say this for certain. Figure 14 Controlware CSIRT-Obsidian-Canvas https://cloudconvert.com/api/v2/quickstart#quickstart-result https://www.lunaweb.de/ Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 12 von 19 3. Domains where the tools are downloaded from and the domains, they connect to are registered through GoDaddy or Amazon and use Cloudflare as their name server. However, the situation is different in the case of PDFSpark, as the domains appear to be registered through different companies based in the Ba- hamas and the United States (Figure 15). Figure 15 Controlware CSIRT-Whois Lookup 4. The download pages contain false information (Figure 16), for example, they claim the tool works offline and does not require an internet connection. Figure 16 Controlware CSIRT-Download Pages-FAQ Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 13 von 19 5. The download pages have a similar appearance (Figure 17), and they show similar pop-ups during the download process. Figure 17 Controlware CSIRT-After Download 6. Searches in the Google Ads Transparency Center show that the CrystalPDF and Powerdoc tools are dis- tributed by the same advertiser (Figure 18). It was also observed that both are published by an additional, different advertiser. Figure 18 Google Ads Transparency Center The download URL for CrystalPDF is no longer active; however, Powerdoc can still be downloaded from two different URLs. Since the ad campaigns remain active, we continue to detect a significant number of downloads. Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 14 von 19 7. On the download page of ConvertMate, we identified an email address (Figure 19) in the contact section, and according to VirusTotal, the associated domain has been linked to multiple Adware/PUA samples, and even to the Neshta malware family, which is known for injecting itself into other files to spread and cause damage. Figure 19 Download Page-Vitus Total Many of the related files were previously signed with a code-signing certificate by the same company “CANDY TECH LTD” and were distributed under names such as “GifsMakerPro,” “ScreensRecorder,” and “ZipMakerPro.” (Figure 20). Figure 20 Virus Total Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 15 von 19 Possible Hunting Approaches It is highly likely that the tools we analyzed represent only the visible part of the iceberg, and we can assume that many other tools with different behavior patterns are also being distributed. Therefore, focusing on detecting the dominant behaviors of the analyzed tools can at least help us identify indicators related to the known and active campaign. The hunting rules we created within this scope are provided below. False positives may occur, but the rules can be optimized over time. To detect possible malicious PDF Tools. Figure 21 Controlware CSIRT-SIGMA rule Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 16 von 19 Some matches we found. Figure 22 Controlware CSIRT-MS Defender-Advanced Threat Hunting To detect installed potential malicious PDF Converter tools. Figure 23 Controlware CSIRT- SIGMA rule Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 17 von 19 Some matches we found; Figure 24 Controlware CSIRT-MS Defender-Advanced Threat Hunting Final Assessment PDF converter scams demonstrate how professional attackers operate today: they combine social engi- neering, legitimate code-signing certificates, and technical obfuscation to remain under the radar for ex- tended periods. This is precisely why a reactive security model is no longer sufficient. Threat hunting is the most effective way to stay ahead of such campaigns. Only through proactive, hy- pothesis-driven investigation can anomalies be detected before a backdoor becomes active. Threat hunt- ing determines time-to-detection and supports attack prevention by uncovering the preparatory steps taken by adversaries. Based on the red flags mentioned above, these tools cannot be classified as typical PUAs. The remote server communication patterns seen in the tools we analyzed indicate that they are fully capable of delivering a second-stage payload at any moment. Therefore, the most reasonable ap- proach is to treat these tools as malware and take appropriate action. Recommended mitigation measures  Users should be made aware of the importance of not clicking on advertisements  Users who really need a PDF converter should not search for it themselves on the internet and should not download it through ads  Trusted ad blockers can be used to prevent advertisements.  The tracking-prevention option in browsers should be enabled Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 18 von 19 IoCs ConvertMate: SHA256:08b9f93000512b45f8c2e8d3d6624536b366e67c40fd4b958db58e3a1d129c3d 5b4861baeb563875c99614bd6586a9e3b1bd2fef835afffa03210e86eeb6c775 dcownil[.]com conmateapp[.]com banifuri[.]com takelecon[.]com chrialletworton[.]com confetly[.]com climatcon[.]com CrystalPDF: SHA256:0602811ee5babfd67089b9adb3397201924fc86943a1a544c3d6dd66a18fc16c 51d4b6935205b8aef162daa87935ee0f0fb6a1b3fedcaaadff2eaa8075aaf3fe crystalpdf[.]com ramiort[.]com strongdwn[.]com windwn[.]com negmari[.]com Easy2Convert: SHA256:c60a9792f93e923834545153ec31f3420878c0d94c011a6b7ef30b5a2074a38a 27262f4bf8096f04e53309d4ce603cfbeb27ed10abdf1c461d3ccb14e012f61e ez2convertapp[.]com comitoni[.]com barinoty[.]com relivanyo[.]com hagalilk[.]com eloknys[.]com PDF Spark: SHA256:415b6d1bb78cb74a468b29e7af09e885999cfcabf2c413f3bf533c2191d4e626 7ed76946c8ef0829f1011ce230cae7b63c3bf061de1e5f9d8da616a97ad6e4c5 pdfsparkware[.]com sparkonsoft[.]com pdfsetup[.]com pdfsparkapi[.]com PowerDoc: SHA256:b3afc517095d0362a32c5655f7572123e5db2e09fe24f6f917b880d6a969c682 ulinikio[.]com getpowerdoc[.]com shtimat[.]com powerdocapp[.]com Beyond Potentially Unwanted Apps: Malware Behind Fake PDF Converters Author: Serkan Sirmaci Version: 1.2 Classification: EXTERN Status: December 2025 Status: Final Page 19 von 19 PdfClick: SHA256:09474277051fc387a9b43f7f08a9bf4f6817c24768719b21f9f7163d9c5c8f74 50651ed57b60d48da11117a170241da8669bf0e6e7ea76d7f2d364db80e16d6f pdfclickapp[.]com runeton[.]com hamarit[.]com netarlio[.]com altinory[.]com oblifagi[.]com Beyond Potentially Unwanted Apps