
Fake PDF Tools Malware: Hidden Credential Theft Risk

Written by Janak Khairmode | Apr 22, 2026 12:52:41 PM

Risks of Downloading PDF Tools Without Prior Approval

A cluster of PDF malware campaigns has been actively pushing trojanized PDF tools including OneStart, ManualReaderPro, PDFFlex, SmartEasyPDF, and others through search engine ads, SEO poisoning, and redirects targeting users searching for free PDF editors or converters.

Once installed, these applications silently deploy info stealing malware that harvests browser credentials, session tokens, and cloud authentication data without any visible indication to the user.

These campaigns matter to security teams not only because they are dangerous, but also because they reveal how quickly (or how slowly) threats are actually detected.

By the time a SOC team identifies the compromise, the malware has typically been resident for days, sometimes longer, quietly exfiltrating data or dropping a RAT on the system. That gap between infection and detection is exactly where security metrics like MTTD and MTTR become critical.

Active PDF Malware Campaigns Identified

The campaigns observed include:

  • OneStart PDF Campaign
  • ManualFinder Campaigns
  • ManualReaderPro Campaigns
  • PDFFlex PDF Campaign
  • SmartEasyPDF Campaign
  • PDFast Campaign
  • Shift PDF Campaign
  • MyPDFSwitch Campaign
  • PDFSupernova Campaign
  • SlickPDFReader Campaign
  • PDFStunner Campaign
  • TamperedChef PDF Campaign
  • ManualMate PDF Campaign

Who This Impacts

  • Any organization where employees have the ability to download and install software from the internet
  • SOC and Detection Engineering Teams benchmarking detection effectiveness against stealthy, user-initiated malware

Detailed Breakdown: How Fake PDF Tools Deliver Malware

  • Luring users via SEO, ads and redirection: Threat actors use SEO poisoning, malicious ads and redirections to get people to download fake PDF editors. Search results or ads for “free PDF editor/converter” often point to sketchy sites. These look like legitimate software download pages but are attacker-controlled.
  • Installation of trojanized software: When a user clicks through, they download an installer (often an MSI or EXE). These installers typically do not require admin rights and sometimes do not even show the user a dialog box before installing; they install into the user’s profile. For example, once run, the installer drops a hidden updater (exe) into %APPDATA%\Roaming\INFOSTEALERPDF.

    That updater is launched (often via a new scheduled task set to run at login) and executes PowerShell commands or runs malicious JavaScript files using node.exe.

  • Persistence on the system: After installation, these tools add persistence, so they survive reboots or even after uninstallation of the adware. E.g., OneStart (a Chromium-based “AI browser”) installs into the user profile (e.g. %LOCALAPPDATA%\OneStart.ai). It creates randomly named scheduled tasks that rerun its updater on each login.

    In each case, legitimate Windows components (node.exe, mshta.exe or cmd.exe) end up running attacker scripts: for example, ManualReaderPro’s or PDFInstaller’s task runs Node.exe on a GUID-named .js script in the user’s Temp folder, which then makes a C2 connection (e.g. to api[.]cjby76nlcynrc4jvrb[.]com, api[.]pyej17uw09d1bqlndg[.]com, ap[i].cjby76nlcynrc4jvrb[.]com).

  • Payload execution and data theft: Once the malware is running, it drops or unpacks its final infostealer payload. Analysis shows these payloads perform system reconnaissance (anti-sandbox checks) and then quietly steal data.

    They harvest browser-stored credentials, cookies, and even Windows DPAPI secrets and OAuth tokens. For instance, researchers observed a OneStart-linked backdoor that extracted DPAPI secrets and allowed full remote control and data exfiltration.

    The stolen credentials or session tokens can then be used to access cloud accounts (email, file shares, etc.) without obvious signs. Attackers are also dropping malicious remote executables onto the system.
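The execution chain above (a scheduled task pointing into the user profile, a script host such as node.exe running a GUID-named .js from Temp, and an outbound connection to one of the quoted C2 domains) is what a detection engineer would want to alert on. The following is an added example, not code from the ProArch post or from any of the campaigns; it runs simple detection rules over constructed Sysmon-style events, refangs the defanged domains exactly as the post prints them, and computes the infection-to-detection gap that the MTTD discussion below is about. Event field names, host names, the task name and the installer path are assumptions made for the sample.

```python
"""Added example (not from the ProArch post): detection rules for the
fake-PDF-tool execution chain, run over constructed telemetry records.
Field names (ts, host, type, image, cmdline, task, action, query) are
assumptions; a real pipeline would map Sysmon/EDR fields onto them."""
import re
from datetime import datetime

# C2 domains quoted in the post, kept in the defanged form it uses.
DEFANGED_C2 = [
    "api[.]cjby76nlcynrc4jvrb[.]com",
    "api[.]pyej17uw09d1bqlndg[.]com",
]

def refang(indicator: str) -> str:
    """Turn 'api[.]example[.]com' into 'api.example.com' for matching."""
    return indicator.replace("[.]", ".").strip().lower()

C2_DOMAINS = {refang(d) for d in DEFANGED_C2}

# Living-off-the-land binaries the post names as the script runners.
SCRIPT_HOSTS = {"node.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
# Scheduled-task actions that execute out of a user-writable profile path.
USER_PROFILE_ACTION = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# A GUID-named .js file in the user's Temp folder (36-char GUID + .js).
TEMP_GUID_SCRIPT = re.compile(
    r"\\appdata\\local\\temp\\[0-9a-f-]{36}\.js\b", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_process(ev):
    """Script host executing a GUID-named script from Temp."""
    image = basename(ev["image"])
    if image in SCRIPT_HOSTS and TEMP_GUID_SCRIPT.search(ev["cmdline"]):
        return f"{image} running GUID-named .js from the user's Temp folder"
    return None

def check_task(ev):
    """Scheduled task whose action lives under the user's AppData.
    In production, allowlist known-good per-user updaters here to cut noise."""
    if USER_PROFILE_ACTION.search(ev["action"]):
        return f"scheduled task {ev['task']} runs {ev['action']} from the user profile"
    return None

def check_dns(ev):
    """DNS query for one of the refanged C2 domains."""
    query = ev["query"].lower().rstrip(".")
    if query in C2_DOMAINS:
        return f"DNS query for known C2 domain {query}"
    return None

RULES = {"process": check_process, "task": check_task, "dns": check_dns}

def analyze(events):
    """Return (timestamp, host, finding) tuples in event order."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["type"])
        finding = rule(ev) if rule else None
        if finding:
            alerts.append((ev["ts"], ev["host"], finding))
    return alerts

def dwell_time_hours(alerts, detected_at: str) -> float:
    """Hours between the earliest alert-worthy event and the SOC detection time."""
    first = min(datetime.fromisoformat(ts) for ts, _, _ in alerts)
    return (datetime.fromisoformat(detected_at) - first).total_seconds() / 3600

# Constructed sample telemetry for one workstation (all values are made up
# except the INFOSTEALERPDF folder and the C2 domain quoted in the post).
SAMPLE_EVENTS = [
    {"ts": "2026-04-10T09:02:11", "host": "WS-014", "type": "process",
     "image": r"C:\Users\jdoe\Downloads\SmartEasyPDF-Setup.exe",
     "cmdline": "SmartEasyPDF-Setup.exe"},
    {"ts": "2026-04-10T09:02:40", "host": "WS-014", "type": "task",
     "task": r"\Bq7xKd2",  # randomly named, as the post describes
     "action": r"C:\Users\jdoe\AppData\Roaming\INFOSTEALERPDF\updater.exe"},
    {"ts": "2026-04-10T09:03:05", "host": "WS-014", "type": "process",
     "image": r"C:\Users\jdoe\AppData\Local\Programs\node\node.exe",
     "cmdline": r'node.exe "C:\Users\jdoe\AppData\Local\Temp\3f9c1b2a-5d6e-4f70-8a9b-0c1d2e3f4a5b.js"'},
    {"ts": "2026-04-10T09:03:09", "host": "WS-014", "type": "dns",
     "query": "api.cjby76nlcynrc4jvrb.com"},
    {"ts": "2026-04-10T09:15:00", "host": "WS-014", "type": "process",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe"},
    {"ts": "2026-04-10T09:16:00", "host": "WS-014", "type": "dns",
     "query": "update.mozilla.org"},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for ts, host, finding in found:
        print(ts, host, finding)
    # SOC ticket opened three days later (constructed); prints 72.0
    print("dwell time (h):", dwell_time_hours(found, "2026-04-13T09:02:40"))
```

Only the three malicious events fire; the Firefox launch and its update lookup stay quiet. The task rule is the noisiest of the three on real fleets, because legitimate per-user updaters also live under AppData, so it is written to be paired with an allowlist rather than used alone. The dwell-time helper is the number a team would feed into its MTTD figure for this incident.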

The Metrics Angle: What These Campaigns Reveal About SOC Effectiveness

Campaigns like these are specifically engineered to extend dwell time. The malware installs without admin rights, uses legitimate system binaries for execution, avoids writing obvious artifacts to disk, and blends C2 traffic into normal outbound web activity. Every one of those design choices is aimed at increasing the gap between when the compromise happens and when a SOC team finds it.

MTTD (Mean Time to Detect) takes a direct hit here. Because the execution chain relies on trusted system processes — node.exe, mshta.exe — signature-based tools often miss it entirely.

MTTR (Mean Time to Respond) matters just as much once detection occurs. These campaigns steal session tokens, not just passwords — which means containment isn’t just resetting a credential. It requires revoking active sessions, auditing cloud account activity, and scoping whether tokens were already replayed.

Addressing these challenges requires integrated detection, response, and monitoring capabilities such as managed detection and response (MDR).

Why It Matters

  • Credential and Session Theft — Harvested browser tokens allow attackers to access cloud accounts silently, bypassing MFA entirely since the session is already authenticated.
  • Shadow IT as an Entry Point — A well-meaning employee installing a free tool outside of IT processes can open a network-wide breach. The human element here is not negligence — it is a gap in policy enforcement and awareness.
  • Extended Dwell Time — These campaigns are built to be quiet. The longer they go undetected, the greater the data exposure and the harder the scoping exercise becomes during incident response.
  • Reputational and Compliance Risk — Exfiltrated credentials used to impersonate employees in external communications, or exposed client data, carry regulatory and reputational consequences that extend well beyond the original endpoint compromise.

Recommendations to Prevent PDF Malware Attacks

  • Use trusted sources only: Educate employees to avoid downloading PDF tools from random ads or unfamiliar websites. Always consult an IT professional in your organization about whether policy allows the use of a PDF tool, and if so, download it only from a legitimate source.
  • Block malicious sites and domains: Configure web/DNS filters to block the known fake PDF sites and C2 domains. Use an ad-blocker or browser security extension to help prevent malvertising.
  • Restrict installs and execution paths: Apply execution policies so that only approved installers (from IT-vetted repositories) can run. Many analysts recommend using application allowlists (AppLocker) to prevent unknown apps, and adblockers to stop malicious ads.
  • Block known malicious hashes and signers: Update endpoint protection tools to block identified malware hashes (e.g. the executable hashes associated with the campaigns listed above). Many incident responders advise adding these specific file hashes to your blocklists. Also, watch for and block executables signed by dubious authorities.
  • User education & monitoring: Train users to be wary of unexpected downloads and pop-up installers, even if they look useful. Teach them to verify software sources and to report any auto-installs they didn’t initiate.


How ProArch Helps Strengthen Detection and Response

Organizations need advanced capabilities to detect stealthy threats like these.

With managed cybersecurity services and 24/7 threat detection and response, ProArch helps:

  • Reduce MTTD and MTTR
  • Detect living-off-the-land attacks
  • Monitor identity and session misuse
  • Strengthen endpoint and cloud security

Talk to our cybersecurity experts to assess your exposure and improve detection readiness.