AppSuite PDF Editor Backdoor

26 Sep 2025



Situation

A malicious campaign is distributing PDF-editor software called AppSuite PDF Editor under the guise of a productivity tool. The campaign uses promotional websites (including Google Ads placements) and fake or misleading domain names to lure users into downloading the software. On initial install the program functions as a basic PDF editor, but it contains, or later activates, a backdoor/information-stealing component (“TamperedChef”) that can exfiltrate data, modify the system, and maintain persistence.

Problem

After installation the software creates persistence mechanisms (a registry Run key and scheduled tasks), and command-line switches (--cm=--fullupdate, etc.) let the threat actors enable the malicious functionality. The backdoor routines can execute arbitrary commands received from remote command-and-control (C2) servers, manipulate browser settings, exfiltrate credentials and cookies stored by browsers, and read, write and delete files and registry entries. The threat actor delays activation of the malicious functionality: in one observed case the “weaponization” occurred roughly 56 days into the campaign, so that initial scans of the installer appear benign.

Risk

Users of the software (individuals or organizations) risk having sensitive data exfiltrated: browser credentials, cookies, stored profile information, etc. Because of the persistence mechanisms, parts of the malware may remain after an uninstall via scheduled tasks, autorun entries or registry keys, enabling reactivation or further compromise. Remote control via C2 gives adversaries flexibility: injecting commands, deploying further malware, and modifying system configuration. The campaign’s reach is broad; multiple European organizations have already been affected. Because the software is distributed via ads and high-ranking websites, the potential exposure is large.

Impact

  • Data breach: loss or exposure of credentials, cookies, browsing data, possibly other sensitive files. Compromise of user privacy and security;
  • System integrity: capability to execute arbitrary code / commands may lead to further malware installations, or even full system compromise;
  • Operational risk: persistently compromised endpoints, harder remediation. Risk of lateral movement in enterprise environments if multiple endpoints are infected;
  • Reputation and legal risk for organizations that allow deployment (knowingly or unknowingly) of such software. Possibly regulatory penalties if sensitive personal data is affected.

Mitigation/Prevention

  • Software sourcing discipline: only download software from known, trusted vendors; avoid downloading applications from unknown domains or via ads unless they have been verified;
  • Ad verification/blocking: use ad blockers and domain-reputation filtering, and monitor ads to avoid promotion of malicious software;
  • Endpoint protection and behaviour monitoring: use EDR tooling that alerts on suspicious persistence (registry Run keys and scheduled tasks created by untrusted executables in user directories), file behaviour (modification of browser profile data), and unusual network connections to C2-style domains;
  • Code-signing validation: check the digital certificate, whether the signer is reputable, and whether the certificate’s usage is consistent with the product. The campaign used certificates issued to several companies (possibly fake, shell or otherwise unknown entities);
  • Detection of delayed activation: since malicious behaviour is delayed, periodic re-scanning and monitoring of installed “trusted” utilities should be part of the security posture.


IOCs

  • File hashes
    • MSI installer: fde67ba523b2c1e517d679ad4eaf87925c6bbf2f171b9212462dc9a855faa34b
    • js: b3ef2e11c855f4812e64230632f125db5e7da1df3e9e34fdb2f088ebe5e16603
    • node: 6022fd372dca7d6d366d9df894e8313b7f0bd821035dd9fa7c860b14e8c414f2
    • exe: da3c6ec20a006ec4b289a90488f824f0f72098a2f5c2d3f37d7a2d4a83b344a0
    • PDF Editor.exe: cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c
    • Uninstall PDF Editor.exe: 956f7e8e156205b8cbf9b9f16bae0e43404641ad8feaaf5f59f8ba7c54f15e24
    • Other SHA256 hashes for various PDF Editor / Elevate files are listed by Truesec.
  • Persistence / Scheduling / Registry
    • Scheduled tasks: PDFEditorScheduledTask, PDFEditorUScheduledTask
    • Other scheduled tasks (e.g. ShiftLaunchTask, OneLaunchLaunchTask, WaveBrowser-StartAtLogin)
    • Registry Run key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFEditorUpdater with argument --cm=--fullupdate
    • Command-line switches: --install, --cm=--fullupdate, --partialupdate, --backupupdate, --check, --ping, --reboot, --cleanup
  • C2 / Hosting / Download URLs & Domains
    • appsuites.ai (download)
    • ai, sdk.appsuites.ai, on.appsuites.ai, log.appsuites.ai
    • Numerous fraudulent / look‑alike / promotional domains (pdfreplace.com, pdfartisan.com, pdfmeta.com, etc.)
  • Code-signing certificates issued to companies such as ECHO Infini SDN BHD, GLINT By J SDN. BHD, SUMMIT NEXUS Holdings LLC, BHD, among others.
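As an added example (not code from the advisory or the cited analyses) of the EDR-style monitoring recommended under Mitigation/Prevention, the Python below matches constructed endpoint telemetry records against the persistence, domain and hash indicators listed above. The event schema and the install path in the sample are assumptions, and the switches are written with ASCII double dashes.

```python
# Indicators copied from the IoC list in this advisory (switches written with ASCII "--").
TASK_NAMES = {"PDFEditorScheduledTask", "PDFEditorUScheduledTask", "ShiftLaunchTask",
              "OneLaunchLaunchTask", "WaveBrowser-StartAtLogin"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE = "PDFEditorUpdater"
SWITCHES = {"--install", "--cm=--fullupdate", "--partialupdate", "--backupupdate",
            "--check", "--ping", "--reboot", "--cleanup"}
DOMAINS = {"appsuites.ai", "sdk.appsuites.ai", "on.appsuites.ai", "log.appsuites.ai"}
HASHES = {"cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c": "PDF Editor.exe",
          "956f7e8e156205b8cbf9b9f16bae0e43404641ad8feaaf5f59f8ba7c54f15e24": "Uninstall PDF Editor.exe"}

def match_event(ev):
    """Return the indicator tags one telemetry event matches; an empty list means no match."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set":
        # Suffix match so HKCU\..., HKEY_CURRENT_USER\... and Sysmon's HKU\<SID>\... all hit.
        if ev["key"].lower().endswith(RUN_KEY_SUFFIX) and ev["value"] == RUN_VALUE:
            hits.append("run_key:" + RUN_VALUE)
        hits += ["switch:" + s for s in sorted(SWITCHES) if s in ev.get("data", "")]
    elif kind == "task_created" and ev["name"] in TASK_NAMES:
        hits.append("task:" + ev["name"])
    elif kind == "dns_query":
        q = ev["query"].lower().rstrip(".")  # normalise trailing dot and case
        if q in DOMAINS or q.endswith(".appsuites.ai"):
            hits.append("domain:" + q)
    elif kind == "file_hash" and ev["sha256"].lower() in HASHES:
        hits.append("hash:" + HASHES[ev["sha256"].lower()])
    return hits

def scan(events):
    """Keep only the events that matched at least one indicator."""
    return [(ev, h) for ev in events for h in [match_event(ev)] if h]

# Constructed sample telemetry (not captured data); the install path is a placeholder.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "PDFEditorUpdater",
     "data": r'"C:\Users\user\AppData\Local\PDF Editor\PDF Editor.exe" --cm=--fullupdate'},
    {"type": "task_created", "name": "PDFEditorUScheduledTask"},
    {"type": "dns_query", "query": "log.appsuites.ai."},
    {"type": "dns_query", "query": "www.example.com"},
    {"type": "file_hash", "sha256": "CB15E1EC1A472631C53378D54F2043BA57586E3A28329C9DBF40CB69D7C10D2C"},
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(ev["type"], "->", ", ".join(hits))
```

Hash and task-name matches are only as good as the published list, so the Run-key and switch checks are the ones most likely to catch a rebuilt installer.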


Links

https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor
https://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis
https://www.techradar.com/pro/security/hackers-are-distributing-a-fake-pdf-editor-loaded-with-tamperedchef-credential-stealing-malware
https://www.nomios.pl/en/news-blog/tamperedchef-malware-hidden-in-fake-pdf-editor/
https://cyberpress.org/code-signing-certificates-exploit/
