NEWS When a Free PDF Editor Costs All Your Passwords. The Price of "Free" in 2025

ExcalibuR

For two months, Google Ads showed safe advertising, and then it became dangerous.

Specialists from Truesec reported on a large-scale malicious campaign in which threat actors promoted a fake PDF editing application called "AppSuite PDF Editor" through Google Ads. Behind its seemingly legitimate appearance hid the info-stealer TamperedChef, capable of extracting confidential information from infected devices.

Analysis showed that the operation is run by a well-organized group using multiple applications that can download each other and draw victims' systems into schemes involving residential proxies. Some of these programs also mislead users by offering free functionality in exchange for consent to use their devices as part of a proxy network.

Truesec identified over 50 domains hosting malicious builds signed with fake digital certificates from at least four different companies, including ECHO Infini SDN BHD, GLINT By J SDN. BHD, and SUMMIT NEXUS Holdings LLC.

According to Truesec's technical report, TamperedChef's malicious activity was not activated immediately. At first, the application behaved like a normal PDF editor, and only on August 21st—almost two months after the start of the ad campaign—did it receive an update that launched the malicious functions. It was then that the malicious version with the -fullupdate argument, which activates the info-stealer, was downloaded onto the user's system.

The infected application checks for the presence of security solutions on the machine and then extracts data from browsers using the Windows component DPAPI (Data Protection API)—a standard mechanism for protecting sensitive information. This allows TamperedChef to steal passwords, cookies, and other personal data stored on users' systems.

The investigation revealed that the threat actors used at least 5 unique Google Ads campaign identifiers, indicating a broad geography and targeted distribution. Notably, the malicious activity was activated closer to the end of the 60-day lifespan of the advertisements, which may indicate a strategy to maximize the number of downloads before enabling the malicious function.

The programs were distributed through dozens of websites advertising AppSuite PDF Editor as a free and convenient tool. Among the downloaded executable files were other applications, such as OneStart and Epibrowser—browsers that were previously classified as Potentially Unwanted Programs (PUPs) but in this case demonstrated behavior characteristic of full-fledged malware.

In parallel with Truesec, an investigation was conducted by analysts from Expel. They confirmed that OneStart, AppSuites PDF, and another component called ManualFinder can execute suspicious commands, download malicious modules, and enroll devices in residential proxy networks.
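As an added example (not code from the Truesec or Expel reports), the following triage routine flags process-creation records for the signals the article gives: the named application families, the -fullupdate argument that switched on the stealer behaviour, and the publisher names on the fraudulent certificates. Executable names, paths and the log records are constructed for illustration, and the way the signer organisation is compared is an assumption about how it appears in your telemetry.

```python
import re
from dataclasses import dataclass

# Signer organisations the article lists on the malicious builds (compared case-insensitively).
SUSPECT_SIGNERS = {"ECHO INFINI SDN BHD", "GLINT BY J SDN. BHD", "SUMMIT NEXUS HOLDINGS LLC"}

# Application families named in the article; matched as substrings of the image path.
SUSPECT_FAMILIES = ("appsuite", "onestart", "epibrowser", "manualfinder")

# The update argument that, per the report, switched on the stealer behaviour.
# Anchored on whitespace so "-fullupdate.txt" or "-fullupdated" do not match.
TRIGGER_ARG = re.compile(r"(?:^|\s)-fullupdate(?=\s|$)", re.IGNORECASE)

@dataclass
class ProcessEvent:
    image: str    # path of the started executable
    cmdline: str  # full command line as logged
    signer: str   # subject organisation of the Authenticode signer, "" if unsigned

def normalise(name: str) -> str:
    """Fold case, drop commas and collapse whitespace for signer comparison."""
    return " ".join(name.upper().replace(",", "").split())

def triage(event: ProcessEvent) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means no hit."""
    reasons = []
    image = event.image.lower()
    family = any(f in image for f in SUSPECT_FAMILIES)
    if family and TRIGGER_ARG.search(event.cmdline):
        reasons.append("named family launched with -fullupdate (stealer activation)")
    elif family:
        reasons.append("named PUP/stealer family present")
    if normalise(event.signer) in SUSPECT_SIGNERS:
        reasons.append(f"signed by flagged publisher: {event.signer}")
    return reasons

# Constructed sample events; executable names and paths are assumptions, not IoCs.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\u\AppData\Local\AppSuite\pdfeditor.exe",
                 r'"C:\Users\u\AppData\Local\AppSuite\pdfeditor.exe" -fullupdate',
                 "GLINT By J SDN. BHD"),
    ProcessEvent(r"C:\Program Files\OneStart\onestart.exe",
                 r'"C:\Program Files\OneStart\onestart.exe" --silent',
                 "Summit Nexus Holdings, LLC"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\docs\-fullupdate.txt", "Microsoft Windows"),
]

def run_triage(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    return {e.image: triage(e) for e in events if triage(e)}
```

Feed it real process-creation telemetry (Sysmon Event ID 1 or an EDR export) mapped into ProcessEvent records, and add the exact hashes and domains from the published reports as further conditions.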

In some cases, users were shown a window offering free use of the PDF editor in exchange for permission to use their device as part of proxy infrastructure. The researchers emphasize that the proxy network provider could be a legitimate company and not directly linked to the campaign, with the threat actors simply acting as affiliates, profiting at the users' expense.

Although some of the mentioned programs are formally classified as PUPs, the researchers stress that their functionality fully meets the criteria of malware. Installing such applications can lead not only to data leaks but also to the uncontrolled use of systems in proxy schemes and the further spread of threats.

Truesec and Expel have published full reports with a large number of Indicators of Compromise (IoCs) so that administrators and cybersecurity specialists can identify infected systems and prevent infrastructure compromise.