In recent weeks, cybersecurity investigators have uncovered a novel campaign in which hackers leverage seemingly benign potentially unwanted program (PUP) advertisements to deliver stealthy Windows malware.
The lure typically begins with ads promoting free PDF tools or desktop assistants that redirect victims to spoofed download sites.
Once users click through, a scheduled task silently retrieves a JavaScript loader from a temporary directory and executes it via Microsoft HTML Application Host (MSHTA).
This sequence installs a decoy application—ManualFinder—designed to appear legitimate while establishing footholds in target environments.
The decoy’s innocuous functionality masks a far more insidious objective. When run, ManualFinder requests no user interaction beyond the initial installation, quietly opening ports and relaying commands to remote infrastructure.
Expel analysts identified that the JavaScript loader reaches out to domains such as mka3e8.com and 5b7crp.com, previously associated with residential proxy services, indicating a broader scheme to conscript infected machines into proxy networks.
While initial infections have been linked to OneStart Browser installs, researchers observed that AppSuite-PDF and PDFEditor installers follow identical patterns, each signed by dubious code-signing certificates from entities like “GLINT SOFTWARE SDN. BHD.”
Expel researchers identified that the malware campaign’s impact extends beyond proxying. In certain environments, PDFEditor installations prompt users to consent to residential proxy use in exchange for free editing capabilities, effectively monetizing unsuspecting endpoints.
Other instances show the decoy apps modifying browser profiles and harvesting stored cookies, suggesting secondary data-exfiltration objectives.
By the time defenders detect unusual MSHTA invocations or node.exe processes running hidden JavaScript, the adversary has often already established persistence and network outposts.
In total, investigators have cataloged over 70 unique JavaScript variants, all reaching out to the same malicious domains.
Code snippets embedded in scheduled-task definitions reveal how persistence is maintained (the user name and loader filename were omitted from the published command; placeholders mark where they appear):
schtasks /Create /TN "ManualFinderTask" /TR "mshta.exe "C:\Users\<user>\AppData\Local\Temp\<loader>.js"" /SC DAILY /ST 03:00
The loader then executes (user name again replaced by a placeholder):
cmd.exe /d /s /c "msiexec /qn /i "C:\Users\<user>\AppData\Local\TEMP\ManualFinder-v2.0.196.msi""
Infection Mechanism
Delving deeper into the infection mechanism, the campaign exploits Windows scripting hosts and MSI installer features to achieve near-undetectable deployment.
The sequence begins when the scheduled task runs under the context of the SYSTEM-level svchost service, launching node.exe with a randomized JavaScript filename (e.g., 9b9797f4-274c-fbb9-81ae-3b4f33b7010a.js).
This script downloads the ManualFinder MSI from the attacker’s server and installs it with quiet flags (/qn /n) to suppress any user interface.
Because msiexec runs under cmd.exe with disabled autorun (/d) and custom quote handling (/s), traditional EDR alerts tied to user applications are often bypassed.
Once installed, the malware registers its own service and scheduled tasks to re-execute the JavaScript loader at regular intervals, ensuring re-infection even after removal attempts.
The scheduled-task and loader commands quoted above illustrate the MSHTA invocation that enables this stealthy execution.
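As an added example (not Expel's code and not part of the original report), the following Python sketches detection logic for the three execution patterns described above (mshta.exe running a .js from Temp, node.exe running a GUID-named .js, and a quiet msiexec install from Temp) plus the named proxy domains, run over constructed process-creation events; the user name, file paths and the benign control event are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style) modelled on
# the command lines described above; the user name and paths are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\9b9797f4-274c-fbb9-81ae-3b4f33b7010a.js"'},
    {"image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r"node.exe C:\Users\alice\AppData\Local\Temp\9b9797f4-274c-fbb9-81ae-3b4f33b7010a.js"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /qn /i "C:\Users\alice\AppData\Local\TEMP\ManualFinder-v2.0.196.msi"'},
    {"image": r"C:\Windows\System32\msiexec.exe",  # benign interactive install (control)
     "cmdline": r'msiexec /i "C:\Users\alice\Downloads\tool.msi"'},
]

# Patterns derived from the behaviour the report describes.
TEMP_JS = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.js\b', re.I)
GUID_JS = re.compile(r"\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.js\b", re.I)
TEMP_MSI = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.msi\b', re.I)
CAMPAIGN_DOMAINS = {"mka3e8.com", "5b7crp.com"}  # proxy domains named in the report


def classify(event):
    """Return the names of the campaign patterns an event matches (empty if none)."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"]
    hits = []
    if image == "mshta.exe" and TEMP_JS.search(cmd):
        hits.append("mshta_runs_js_from_temp")      # scheduled-task action
    if image == "node.exe" and GUID_JS.search(cmd):
        hits.append("node_runs_guid_named_js")     # randomized loader filename
    if image == "msiexec.exe" and "/qn" in cmd.lower() and TEMP_MSI.search(cmd):
        hits.append("quiet_msi_install_from_temp")  # silent ManualFinder install
    return hits


def hunt(events):
    """Return (cmdline, patterns) for every event matching at least one pattern."""
    return [(e["cmdline"], hits) for e in events if (hits := classify(e))]


def is_campaign_domain(hostname):
    """True for the report's proxy domains and their subdomains (for DNS/proxy logs)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)
```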