Severity
High
Analysis Summary
Cybersecurity analysts have uncovered a stealthy malware campaign in which attackers distribute Windows malware through advertisements for seemingly benign potentially unwanted programs (PUPs). Victims are lured with ads promoting free PDF tools or desktop assistants, which redirect them to spoofed download sites hosting installers like ManualFinder, AppSuite-PDF, and PDFEditor. These decoy applications appear legitimate and function normally, but silently create scheduled tasks that leverage Microsoft HTML Application Host (MSHTA) to execute hidden JavaScript loaders. Researchers have already documented more than 70 unique variants of these loaders, all contacting the same malicious domains for payload delivery.
According to the researchers, once executed, the loader retrieves an MSI installer from attacker-controlled infrastructure, typically under a SYSTEM-level svchost context, and installs the malware silently using msiexec with interface-suppressing flags. This technique bypasses common endpoint detection and response (EDR) monitoring tied to user applications. To ensure persistence, the malware registers both scheduled tasks and services that continuously re-trigger the loader, even after attempted removal. The campaign’s reliance on MSHTA, cmd.exe, and node.exe for script execution makes the activity blend in with legitimate Windows processes, delaying detection.
The malware’s primary functionality is twofold: building residential proxy networks and enabling further exploitation. In many cases, infected devices are conscripted into proxy services through domains such as mka3e8.com and 5b7crp.com, previously linked to proxy infrastructure. Some decoy installers even openly prompt users to “consent” to proxy use in exchange for free features, effectively monetizing unsuspecting endpoints. Beyond proxying, investigators also observed evidence of browser manipulation, with modules modifying profiles and harvesting stored cookies, indicating secondary objectives such as credential theft and session hijacking.
This campaign highlights how attackers are combining PUP-style lures with stealthy Windows scripting abuse to establish durable footholds in victim environments. By masking malicious operations behind legitimate-looking applications and code-signed installers from questionable entities such as “GLINT SOFTWARE SDN. BHD.,” the adversaries bypass user suspicion and technical controls alike. The use of scheduled tasks, MSHTA loaders, and silent MSI installs demonstrates an evolving trend in malware delivery that blends persistence, monetization, and data exfiltration, so defenders must detect subtle anomalies such as unusual MSHTA invocations or hidden node.exe activity before adversaries consolidate control.
Impact
- Gain Access
Indicators of Compromise
Domain Name
- easyonestartpdf.com
- onestartpdfdirect.com
- thepdfbox.com
- y2iax5.com
- 5b7crp.com
- mka3e8.com
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Block and monitor mshta.exe, node.exe, and suspicious cmd.exe invocations in enterprise environments, as these are abused for stealthy execution.
- Restrict or disable Windows Script Host (WSH) functionality (JavaScript/VBScript execution) on endpoints where not required.
- Implement application whitelisting (AppLocker, WDAC) to prevent execution of unauthorized MSI installers and scripts from temporary directories.
- Monitor for and investigate creation of scheduled tasks and services that invoke scripts or installers from unusual paths (e.g., AppData\Local\Temp).
- Deploy EDR rules to detect silent msiexec installs (msiexec /qn or /quiet), which attackers use to suppress the UI and evade detection.
- Regularly validate code-signing certificates used by installed applications; block or flag those from suspicious or untrusted publishers.
- Enforce DNS filtering and block outbound traffic to known malicious domains (mka3e8.com, 5b7crp.com) and associated infrastructure.
- Use browser hardening policies to prevent unauthorized modification of profiles and storage of sensitive session cookies.
- Conduct user awareness training to warn about risks of downloading free software from ads, pop-ups, or unverified websites.
- Perform regular threat hunting for unusual persistence mechanisms and recurring infections, ensuring compromised endpoints are fully reimaged if necessary.
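The execution chain in the analysis (Task Scheduler spawning mshta.exe, which launches a silent msiexec install from a temp path under SYSTEM) maps directly onto the monitoring items above. The following triage logic is an added example, not from the advisory or its authors: it scores process-creation records using Sysmon Event ID 1 style field names (Image, CommandLine, ParentImage, ParentCommandLine, User), and the sample records are constructed, not captured telemetry. The same conditions can be ported to a SIEM query.

```python
import re
from typing import Dict, List

# Binaries the advisory names as script/installer hosts abused by the campaign.
SCRIPT_HOSTS = {"mshta.exe", "node.exe", "cmd.exe"}
SILENT_MSI = re.compile(r"(?:^|\s)/(?:qn|q|quiet|passive)\b", re.IGNORECASE)
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCHED_HOST = re.compile(r"svchost\.exe.*-s\s+Schedule", re.IGNORECASE)  # Task Scheduler svchost

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation record looks like the MSHTA -> msiexec chain."""
    reasons: List[str] = []
    img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd, parent_cmd = ev.get("CommandLine", ""), ev.get("ParentCommandLine", "")
    if img in SCRIPT_HOSTS and SCHED_HOST.search(parent_cmd):
        reasons.append(f"{img} spawned by the Task Scheduler service host")
    if img in SCRIPT_HOSTS and TEMP_PATH.search(cmd):
        reasons.append(f"{img} running content from AppData\\Local\\Temp")
    if img == "msiexec.exe" and SILENT_MSI.search(cmd):
        if TEMP_PATH.search(cmd) or re.search(r"https?://", cmd, re.IGNORECASE):
            reasons.append("silent msiexec install from temp path or URL")
        if ev.get("User", "").upper().endswith("SYSTEM") and parent in SCRIPT_HOSTS:
            reasons.append("SYSTEM-level msiexec launched by a script host")
    return reasons

# Constructed sample records (Sysmon Event ID 1 style field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\u\AppData\Local\Temp\loader.hta"',
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\pkg.msi /qn",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "ParentCommandLine": "", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\msiexec.exe",  # ordinary interactive install: should be clean
     "CommandLine": r"msiexec.exe /i C:\Users\u\Downloads\vendor.msi",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "", "User": r"CORP\u"},
]

def run_triage(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[tuple]:
    return [(basename(e["Image"]), triage(e)) for e in events]

if __name__ == "__main__":
    for name, why in run_triage():
        print(name, "->", "; ".join(why) or "clean")
```

Tune TEMP_PATH and the flag list to the directories and installer options your environment actually permits; the third sample shows a normal interactive install producing no findings.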