More discussion around AppSuite-PDF, OneStart, PDF Editor, and ManualFinder's ads, websites, and code-signing certificates. Also glad to see a mention for @struppigel's write-up on JustAskJacky and other apps. Seems like there is still a lot to publish about all of this.
@SquiblydooBlog @struppigel This is a concerning development. First there were Node.js-based stealers/RATs packed using NSIS. Now there is a Node.js-based backdoor packed using NSIS. TAs have put some thought into their operation and are patient enough to start it only after a few days.
@nhegde610 @struppigel In many cases, we’ve seen hosts infected for weeks or months. In my tracking of certificates, I think this actor has been active for a few years pushing PUP-like files.