Analysis reveals that the developers behind the AppSuite-PDF and PDF Editor campaigns have abused at least 26 distinct code-signing certificates over the past seven years to lend legitimacy to their malware, collectively tracked as BaoLoader.
Although this software was previously classified as potentially unwanted programs (PUPs), recent investigations and its connections to outright fraud warrant reclassification as malware and heightened scrutiny.
Threat actors leverage code-signing certificates to bypass security controls by impersonating legitimate businesses.
By registering new entities—often shell companies with minimal online presence—they secure certificates from widely trusted authorities such as DigiCert, GlobalSign, SSL.com, Entrust, and Sectigo.
The Authenticode signature produced with such a certificate covers a cryptographic hash of the installer, so Windows presents the file as untampered and published by a named, CA-vetted company. That creates false confidence: a valid signature proves only that the file has not changed since signing and that the signer held the certificate's private key, not that the publisher is honest.
Our research, in collaboration with CertCentral.org, identified 26 unique certificates issued to 24 companies in Panama, Malaysia, the United States, the British Virgin Islands, and elsewhere, used exclusively to sign BaoLoader components.
Unusually, the actors obtained multiple certificates for the same organizational identity from different issuers on 11 occasions—strong evidence they orchestrated the certificate procurement themselves rather than buying resold certificates.
Linking Campaigns Through Certificates
AppSuite-PDF and PDF Editor installers masquerade as useful productivity tools but deploy a persistent backdoor.
AppSuite-PDF is a simple app whose main functionality is to download and install the PDF Editor app that allows users to edit PDFs.
Signer names such as GLINT SOFTWARE SDN. BHD., ECHO INFINI SDN. BHD., and Summit Nexus Holdings LLC appear repeatedly on VirusTotal submissions dating back to mid-2025.
A cluster of certificates issued to “Apollo Technologies Inc.”, “Caerus Media LLC” and “Onestart Technologies LLC” was used to sign OneStart installers, which bundle covert PDF Editor payloads.

Prior to these campaigns, the same actors operated under identities like “Digital Promotions Sdn. Bhd.”, “Eclipse Media Inc.”, “Astral Media Inc.”, and “Blaze Media Inc.” to distribute Web Companion installers and PUPs disguised with names such as “ZoomSetup,” “FreeManuals,” and “Launch Browser.”
Their consistent version naming convention (e.g., “-vX.X.XXXX.X”) links all these artifacts to the BaoLoader umbrella.
BaoLoader shares superficial traits with Chromeloader (certificate abuse, Chrome extension loaders, scheduled tasks, and use of node.exe), but its certificate geography is distinct: the companies named in BaoLoader certificates are registered mainly in Panama, Malaysia, and the US, whereas Chromeloader certificates name companies primarily in Israel, Germany, the UK, and Slovenia, and the two sets share no certificate serial numbers or organizations.
TamperedChef, a separate trojan campaign, employed certificates for companies in Ukraine and Great Britain and incorporated hidden HTML characters for covert command channels—tactics absent in BaoLoader flows.
Misattribution risks undermining incident response and law enforcement efforts, underscoring the need for precise naming: BaoLoader remains distinct and should not be conflated with Chromeloader or TamperedChef.
Implications for Defenders
Code-signing certificate abuse represents a potent evasion technique. Organizations relying solely on certificate presence as a trust signal risk installing malicious software.
Defender playbooks should include certificate provenance checks, anomaly detection when new or multiple certificates appear for the same signer, and rapid revocation response coordination with CAs.
Application allowlisting such as AppLocker can restrict execution to files signed by specific, approved publishers (publisher rules) rather than treating any valid signature as trusted, while threat hunting can leverage community-maintained certificate blocklists.
CertCentral.org’s database of over 1,500 abused certificates serves as a critical resource for detection and remediation.
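One way to operationalise the provenance checks above, together with the multi-issuer procurement pattern noted earlier, is to run a few heuristics over signer telemetry exported from an EDR or VirusTotal. The script below is an added example, not the researchers' code or CertCentral.org's tooling. Its records, organization names, CA names, serials, dates and blocklist are all constructed for illustration; reading each X in the “-vX.X.XXXX.X” convention as one or more digits is an assumption.

```python
"""Certificate-provenance hunting over signer telemetry (added example).

The records below are CONSTRUCTED sample data in the shape a VirusTotal
or EDR export of Authenticode signer fields might take; company names,
CA names, serials and dates are invented and are not indicators from
the article.
"""
from collections import defaultdict
from datetime import date, timedelta
import re

SAMPLE_RECORDS = [
    # Same organizational identity, certificates from two different CAs.
    {"org": "Example Media LLC", "issuer": "CA One", "serial": "0A:1B:2C",
     "first_seen": "2025-05-12", "file": "AppSuite-PDF-v1.0.2301.4.exe"},
    {"org": "Example Media, LLC", "issuer": "CA Two", "serial": "3D:4E:5F",
     "first_seen": "2025-06-03", "file": "PDFEditor-v2.1.4412.0.exe"},
    # Long-established vendor with one CA: the benign baseline.
    {"org": "Contoso Software Inc.", "issuer": "CA One", "serial": "11:22:33",
     "first_seen": "2019-02-20", "file": "ContosoSetup.exe"},
    # Recently registered signer whose serial appears on a blocklist.
    {"org": "Nimbus Nexus Holdings", "issuer": "CA Three", "serial": "de:ad:be:ef",
     "first_seen": "2025-08-15", "file": "FreeTools-v1.2.3344.1.exe"},
]

# Constructed stand-in for a community blocklist of abused certificate serials.
BLOCKLIST = {"DE:AD:BE:EF"}

# Constructed analysis date used for the "new signer" window.
AS_OF = date(2025, 9, 1)

# Filename convention the article attributes to BaoLoader ("-vX.X.XXXX.X");
# reading X as one or more digits is an assumption made here.
VERSION_RE = re.compile(r"-v\d+\.\d+\.\d{4}\.\d+")


def normalize_org(name):
    """Fold case, drop periods/commas and collapse whitespace so that
    'Example Media, LLC' and 'EXAMPLE MEDIA LLC.' compare equal."""
    return " ".join(re.sub(r"[.,]", "", name).casefold().split())


def normalize_serial(serial):
    """Upper-case hex with separators removed, so blocklist lookups do not
    depend on the colon/space formatting of the export."""
    return re.sub(r"[^0-9A-F]", "", serial.upper())


def multi_issuer_signers(records):
    """Organizations holding certificates from more than one CA. Reusing
    one identity across issuers is the procurement pattern the article
    treats as evidence the actors registered the companies themselves."""
    issuers = defaultdict(set)
    for r in records:
        issuers[normalize_org(r["org"])].add(r["issuer"])
    return {org: cas for org, cas in issuers.items() if len(cas) > 1}


def blocklisted(records, blocklist):
    """Records whose certificate serial is on the blocklist."""
    wanted = {normalize_serial(s) for s in blocklist}
    return [r for r in records if normalize_serial(r["serial"]) in wanted]


def new_signers(records, as_of, window_days=90):
    """Organizations whose earliest signed sample falls inside the window.
    A brand-new signer is not malicious by itself, but it matches the
    low-footprint shell company profile and deserves a second look."""
    first = {}
    for r in records:
        org = normalize_org(r["org"])
        seen = date.fromisoformat(r["first_seen"])
        first[org] = min(first.get(org, seen), seen)
    cutoff = as_of - timedelta(days=window_days)
    return {org for org, seen in first.items() if seen >= cutoff}


def matches_version_pattern(filename):
    """True when the filename carries the -vX.X.XXXX.X naming convention."""
    return VERSION_RE.search(filename) is not None


def hunt(records, blocklist, as_of):
    """Run every check and return the findings keyed by check name."""
    return {
        "multi_issuer": multi_issuer_signers(records),
        "blocklisted": blocklisted(records, blocklist),
        "new_signers": new_signers(records, as_of),
        "version_pattern": [r["file"] for r in records
                            if matches_version_pattern(r["file"])],
    }


if __name__ == "__main__":
    for check, result in hunt(SAMPLE_RECORDS, BLOCKLIST, AS_OF).items():
        print(f"{check}: {result}")
```

Each finding is a lead rather than a verdict: a multi-issuer organization or a new signer should trigger a look at the company's registration and web presence, while a blocklist hit is grounds to block the hash and request revocation from the issuing CA.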
BaoLoader’s multi-year campaign highlights the evolving sophistication of PUP-style malware and the necessity of continuous monitoring of certificate ecosystems.
As threat actors refine their impersonation strategies, defenders must treat certificate metadata and signing patterns as high-fidelity indicators.