The NCSC malware campaign highlights a new wave of malicious apps disguised as PDF editors and manual finder tools. Attackers distribute these fake programs through paid ads and deceptive websites, infecting unsuspecting users.

How the Campaign Works

Threat actors promote trojanized software such as “ManualFinder” and fake PDF editors. Once installed, these apps secretly convert infected systems into residential proxies. Attackers then use the victim’s IP address to hide their identity and bypass detection.

Researchers found the malware achieves persistence by creating scheduled tasks and running hidden JavaScript code. This method allows the malware to operate quietly in the background while maintaining control of the device.

A Closer Look at ManualFinder

ManualFinder appears to be a useful tool, but it functions as a trojan. The installer runs stealthily, activating proxy features without alerting the user. Other applications, including “AppSuite-PDF,” “PDF Editor,” and “OneStart,” operate in the same way. All of them spread through malvertising campaigns.

Why the Attack Works

These apps look convincing and use advertisements to reach large audiences. Their professional design lowers suspicion and leads users to install them without caution. Once active, the malware strengthens persistence through registry entries and hidden tasks, making removal difficult.

How to Stay Protected

Organizations and users must stay alert. Avoid downloading productivity apps from advertisements or unknown sites. Use endpoint detection tools, enforce installation policies, and monitor systems for suspicious registry changes or scheduled tasks.
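
As an added example (not part of the original post or of any NCSC tooling), the Python script below triages an exported `schtasks /query /fo csv /v` listing for the persistence pattern described above: scheduled tasks whose action runs JavaScript. The script-host list, the user-writable directory list and every sample row are assumptions constructed for illustration; the post itself names no task names or file paths.

```python
import csv
import io
import re

# Assumptions (not from the post): interpreters that can run JavaScript on
# Windows, and directories a non-admin installer can write to.
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|node)(\.exe)?\b", re.I)
JS_FILE = re.compile(r"\.(js|jse|mjs)\b", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)

# Constructed sample using column names from `schtasks /query /fo csv /v`
# (trimmed to three columns). Host, task names and paths are invented.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o"
"WS01","\ExampleUpdater","C:\Users\alice\AppData\Local\ExampleApp\node.exe C:\Users\alice\AppData\Local\ExampleApp\task.js"
"HostName","TaskName","Task To Run"
"WS01","\BackupJob","C:\Program Files\Backup\backup.exe --nightly"
"WS01","\LegacyLogon","wscript.exe //B C:\Scripts\logon.js"
'''


def flag_tasks(csv_text):
    """Return [(task_name, [reasons])] for tasks whose action runs JavaScript."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName") or ""
        action = row.get("Task To Run") or ""
        if name == "TaskName":  # the export may repeat the header row
            continue
        if not JS_FILE.search(action):
            continue  # only tasks that reference a JavaScript file are of interest
        reasons = []
        if SCRIPT_HOST.search(action):
            reasons.append("script host runs a JavaScript file")
        if USER_WRITABLE.search(action):
            reasons.append("action lives in a user-writable directory")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for task, why in flag_tasks(SAMPLE_CSV):
        print(f"{task}: {'; '.join(why)}")
```

A task flagged for both reasons deserves attention first; a single-reason hit such as an administrator's logon script is a prompt for review, not a verdict.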

Conclusion

The NCSC malware campaign shows how easily criminals can disguise malware as trusted tools. Fake PDF editors and manual finders infect devices, hijack resources, and turn victims into unwilling proxy nodes. Strong policies and user awareness remain the best defense.

