Pulse name: New malware campaign discovered via ManualFinder
WHITE AlienVault 2025-09-03 Modified: 2025-09-03
59 IOCs, HIGH VOLUME
A global malware infection of Windows computers has been uncovered, stemming from software that users installed themselves. The malware, disguised as legitimate PDF editors and manual finders, turns infected systems into residential proxies for malicious actors. The infection chain starts with deceptive ads posing as PDF manuals. The campaign, which appears to have ceased, was widespread due to large-scale advertising. The malware creates scheduled tasks, executes JavaScript files, and communicates with various C2 domains. It is potentially linked to the OneStart Browser, known for spreading spyware and adware. Authorities advise blocking access to related domains, checking for specific applications, and removing software signed by certain certificate issuers.
Indicators of Compromise (10 / 59 total)
Indicator types: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, domain