New malware campaign discovered via ManualFinder
WHITE AlienVault 2025-09-03 Modified: 2025-09-03
A global malware infection of Windows computers has been uncovered, stemming from software users installed themselves. The malware, disguised as legitimate PDF editors and manual finders, turns infected systems into residential proxies for malicious actors. The infection chain starts with deceptive ads posing as PDF manuals. The campaign, which appears to have ceased, was widespread due to large-scale advertising. The malware creates scheduled tasks, executes JavaScript files, and communicates with various C2 domains. It's potentially linked to the OneStart Browser, known for spreading spyware and adware. Authorities advise blocking access to related domains, checking for specific applications, and removing software signed by certain certificate issuers.
Indicators of Compromise (8 / 59 total)