The Dutch National Cyber Security Centre (NCSC) has issued a warning about an ongoing global campaign in which malware is being spread through software that appears legitimate—such as PDF editors and manual search tools. The campaign targets individual users and enterprises alike, turning infected machines into tools for masking cybercriminal activity.
Malicious actors are disguising their malware as everyday utilities, promoting them via online advertisements. Applications like ManualFinder and various PDF editing tools are among those used to lure unsuspecting users. Once installed, the software quietly executes malicious code that gives attackers control of the victim’s device.
According to the NCSC, compromised systems are being used as “residential proxies.” This allows attackers to route internet traffic through these machines, effectively borrowing the IP address of the victim. By doing so, malicious traffic can appear to originate from a regular household in the same country as the target, making it much harder for security teams to detect or trace the activity back to the actual source.
The malware typically executes a JavaScript file that communicates with multiple command-and-control (C2) servers, providing the attacker with remote access. Researchers have also identified potential interaction with browser data, although the full extent of this access is still under investigation.
There may be a connection to the OneStart Browser, a program that is often bundled with free software downloads. While not classified as malware, several antivirus providers categorize it as a Potentially Unwanted Application (PUA), due to its links to adware and spyware distribution.
The total number of affected devices is unknown, but the NCSC notes that the ease of installation and distribution via advertising suggests the malware could have reached a wide user base. Although current activity linked to the campaign has dropped, previously compromised systems remain vulnerable.
The NCSC urges organizations to take proactive measures, including blocking known malicious domains and scanning networks for indicators of compromise. As always, users are advised to download software only from trusted sources and to remain cautious when presented with online advertisements offering utility software.