PDF Editor: When an office tool becomes a place for spreading malware

Lưu Tuấn Anh
3 min read

Overview

Recently, a popular free PDF editing tool has been misused to spread a trojan. The trojan is designed to turn users' devices into proxy nodes, contributing to a botnet infrastructure used for illegal activities.

On the surface, this PDF Editor presents itself as legitimate: its terms state that users agree to let the software use their device resources and IP address to "fetch public web data." However, this is only a cover for malicious behavior. The trojan is installed silently, without any user interaction. It modifies the registry and creates background processes so that it keeps its access even after a system reboot.

Scope of Impact

  • Takes control of the user's system

  • Exploits the victim's machine as a proxy (Proxy Botnet)

  • Leaks personal data and system information

  • Bypasses traditional security mechanisms

  • Reinfects the host or installs additional malware

Campaign Details

Initially, the attackers lure victims into downloading the malware with enticing offers. The malicious file PDFEditor_Setup.exe is typically promoted on fake websites with attractive claims such as "Free PDF Editor" and "No registration required." These installers carry fake digital signatures, which help them bypass browser and operating-system warnings.

Once the victim has downloaded and installed the software, the installer executes and extracts the actual payload (svhost.exe) into the temporary folder or C:\Users\Public\. The attackers can use the process hollowing technique to run svhost.exe under the guise of a legitimate Windows process such as explorer.exe.

After that, the malware establishes persistence by writing a key into the Registry so that it launches automatically every time the victim restarts the computer.

Once running, the malware maintains a constant connection to C2 servers such as mka3e8[.]com or y2iax5[.]com to receive remote commands. The victim's machine sends the information the malware has collected back to the C2 server: OS, IP, hostname, and user. In addition, the server can send commands to:

  • Turn the machine into an intermediary proxy

  • Download and execute additional malicious files

  • Capture data/screenshots

Finally, the attacker carries out the last malicious actions of the campaign:

  • Forward network traffic from other IPs, so the victim's machine is exploited as part of a botnet

  • Anonymize the attacker, enabling:

    • Access to illegal websites

    • Sending spam

    • Conducting DDoS attacks

Recommendations

  1. Only download software from trusted sources

  • Avoid unknown "free" websites.

  • Prefer downloading from:

    • The official website of the publisher

    • Microsoft Store, Apple Store, or other reputable software stores

  2. Do not run ".exe" files from ads or emails

  • It is dangerous to run files with extensions such as .exe, .bat, .scr, or .com from unknown sources.

  3. Install reliable security software

  • Use antivirus/anti-malware software that is regularly updated (Windows Defender, Kaspersky, ESET, etc.)

  • Enable features such as:

    • Behavior monitoring

    • Alerts for registry changes or unusual processes

Conclusion

The campaign of spreading trojans hidden in fake PDF software is a typical example of exploiting demand for popular software to deceive users, secretly taking control of their systems and enrolling them in a botnet.

Although the distribution method is relatively simple — through a fake .exe installer posing as legitimate software — the malware has the ability to hide thoroughly, create persistence mechanisms, and especially turn the victim's machine into an intermediary proxy for large-scale attack activities.

IOC

  1. File Hash

  • 27fb60fa0e002bdb628ecf23296884d3

  • d09b667391cb6f58585ead314ad9c599

  • 1efaffcd54fd2df44ab55023154bec9b

  2. C2 Domain

  • mka3e8[.]com

  • y2iax5[.]com
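The indicators above, together with the behavior described in Campaign Details (a payload named svhost.exe dropped into the temporary folder or C:\Users\Public\, a Registry autostart key, and beaconing to the two C2 domains), can be turned into a quick host triage check. The script below is an added example and is not part of the original post or of any vendor tooling; it assumes a Windows host with PowerShell 5.1 or later and read access to the HKLM and HKCU hives. The hashes and domains are the IOCs listed in the post (the 32-character hashes are treated as MD5); the autostart key names, the drop-folder paths and the process name checked are the ones the post describes.

```powershell
# Added triage script (not from the original post). Assumes Windows, PowerShell 5.1+,
# and read access to HKLM/HKCU. IOC values below are the ones listed in the post.

$IocHashes = @(
    '27fb60fa0e002bdb628ecf23296884d3',
    'd09b667391cb6f58585ead314ad9c599',
    '1efaffcd54fd2df44ab55023154bec9b'
)
# The post lists the domains defanged ("[.]"); re-fang them so they compare against real DNS records
$IocDomains = @('mka3e8[.]com', 'y2iax5[.]com') | ForEach-Object { $_ -replace '\[\.\]', '.' }

$Findings = [System.Collections.Generic.List[object]]::new()

# 1. Autostart (Run/RunOnce) entries that launch svhost.exe or anything from a user-writable drop folder
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Name in $Props.PSObject.Properties.Name) {
        if ($Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSChildName properties
        $Cmd = [string]$Props.$Name
        if ($Cmd -match 'svhost\.exe|\\Users\\Public\\|\\AppData\\Local\\Temp\\') {
            $Findings.Add([pscustomobject]@{ Type = 'Autostart'; Where = "$Key\$Name"; Detail = $Cmd })
        }
    }
}

# 2. Files in the drop folders whose MD5 matches one of the listed hashes
$DropDirs = @('C:\Users\Public', $env:TEMP) | Where-Object { Test-Path $_ }
foreach ($File in Get-ChildItem -Path $DropDirs -File -Recurse -ErrorAction SilentlyContinue) {
    $Md5 = (Get-FileHash -Path $File.FullName -Algorithm MD5).Hash.ToLower()
    if ($IocHashes -contains $Md5) {
        $Findings.Add([pscustomobject]@{ Type = 'HashMatch'; Where = $File.FullName; Detail = $Md5 })
    }
}

# 3. Running processes named svhost.exe (one letter short of the legitimate svchost.exe)
foreach ($Proc in Get-Process -Name 'svhost' -ErrorAction SilentlyContinue) {
    $Findings.Add([pscustomobject]@{ Type = 'Process'; Where = "PID $($Proc.Id)"; Detail = $Proc.Path })
}

# 4. C2 domains present in the local DNS client cache (evidence of a recent beacon)
foreach ($Entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    if ($IocDomains -contains $Entry.Entry.ToLower()) {
        $Findings.Add([pscustomobject]@{ Type = 'DnsCache'; Where = $Entry.Entry; Detail = $Entry.Data })
    }
}

if ($Findings.Count -eq 0) { 'No campaign indicators found.' } else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM keys and other users' temp folders are readable. A hash match is the strongest signal; the autostart and process-name checks are behavioral and will also flag legitimate software that installs itself under C:\Users\Public, so treat those hits as leads to inspect rather than confirmed infections.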

