NCSC stumbles upon new malware campaign involving PDF editors and manual finders

The National Cyber Security Centre (NCSC) from the Netherlands has warned of a global campaign in which criminals are distributing seemingly innocent tools, such as a PDF editor or manual finder, to infect systems with malware.
System administrators must be vigilant about applications like ManualFinder, PDF editors, and similar software. Scammers try to infect the computers of unsuspecting users by running paid advertisements that persuade them to download the editing software.
The malware allows malicious threat actors to misuse the victim’s infected system as a so-called “residential proxy.”
Attackers route their traffic through these residential proxies to obtain an IP address from a specific country where the intended target is located. This lets them mask their criminal activities and make it appear as if the victim is carrying out malicious actions. It also makes it harder for security researchers and law enforcement authorities to locate them.
Once the malicious software is installed, it runs a JavaScript file that communicates with numerous command-and-control (C2) servers.
“Researchers have also observed that in some cases, the software interacts with data in the browser. The extent of this interaction and possible access to other aspects of the browser is currently being investigated,” the NCSC said in a public statement.
According to NCSC cybersecurity experts, there appears to be a connection with the OneStart Browser. This tool is often bundled with other software applications, but is described by several antivirus vendors as a Potentially Unwanted Application (PUA).
OneStart Browser is often associated with the distribution and installation of spyware and adware.
It remains unclear how many devices have been infected. Because the malicious software was easily installed, the NCSC suspects there may be many victims.
For the moment, the malicious advertising campaign appears to have stalled, with virtually no new activity observed. This doesn’t mean the threat is over: already infected devices remain at risk.
Therefore, the NCSC recommends blocking the domains used by the attackers and checking corporate networks for known indicators of compromise (IoCs).
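As an added illustration of the recommended check (this is example code, not tooling from the NCSC or from the article), the script below matches DNS log lines against a list of indicator domains. The indicator domains and the log lines are constructed placeholders; a real check would substitute the domains published with the advisory. The match covers subdomains of a listed indicator, since C2 traffic often goes to a host under the flagged domain rather than to the bare domain itself.

```python
"""Match DNS log lines against a list of indicator (IoC) domains.

Added illustrative example, not the NCSC's tooling. The IoC domains and
log lines below are constructed placeholders, not indicators from the advisory.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Placeholder indicator domains: replace with the domains published by the NCSC.
IOC_DOMAINS: Set[str] = {
    "c2-example-placeholder.invalid",
    "update-example-placeholder.invalid",
}

# Constructed sample log: "<timestamp> <client IP> <queried name>" per line.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 www.example.com
2024-01-01T10:00:01Z 10.0.0.7 cdn.c2-example-placeholder.invalid
2024-01-01T10:00:02Z 10.0.0.5 UPDATE-EXAMPLE-PLACEHOLDER.INVALID.
2024-01-01T10:00:03Z 10.0.0.9 mail.example.org
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    queried: str
    indicator: str


def normalize(domain: str) -> str:
    """Lower-case the name and strip the trailing dot some DNS logs include."""
    return domain.strip().lower().rstrip(".")


def matching_indicator(domain: str, iocs: Set[str]) -> Optional[str]:
    """Return the indicator matched by `domain` or by any of its parent domains."""
    labels = normalize(domain).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_dns_log(log_text: str, iocs: Set[str] = IOC_DOMAINS) -> List[Hit]:
    """Return one Hit per log line whose queried name matches an indicator."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash
        timestamp, client, query = parts
        ioc = matching_indicator(query, iocs)
        if ioc is not None:
            hits.append(Hit(timestamp, client, normalize(query), ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit.timestamp} {hit.client} queried {hit.queried} "
              f"(matches indicator {hit.indicator})")
```

Each hit records the client address, which is the value an incident responder needs next: the hosts that resolved an indicator domain are the candidates for removing the bundled software and checking the browser for unwanted changes.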