Date: 2025-08-27

Cybersecurity analysts have warned of a new malware campaign that disguises itself as a legitimate PDF editor but secretly converts infected devices into residential proxies, Cyber Security News reports.
According to ExpelSecurity, the attack leverages files signed with the certificate "GLINT SOFTWARE SDN. BHD." to appear credible, while deploying a trojan known as "ManualFinder." The infection process begins with JavaScript components launched through the problematic OneStart Browser, which creates scheduled tasks to ensure persistence. Researchers noted the malware communicates with command-and-control domains such as mka3e8[.]com to deliver additional payloads under the same fraudulent certificate. What makes this threat particularly deceptive is its dual nature: in sandbox testing, ManualFinder performs its advertised role of locating product manuals, masking its malicious intent. Behind the façade, however, the malware reroutes traffic through victim devices, enabling attackers to profit from proxy operations while concealing the true origin of illicit activity. Analysts stress the campaign reflects an advanced effort to evade traditional detection systems.
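Because the tool behaves as advertised in a sandbox, triage has to correlate the static indicators named above instead of relying on observed behaviour. The following is an added example, not code from the report or from Expel: it matches the signer name, JavaScript scheduled tasks and the published C2 domain per host. The event schema, host names and command lines are constructed assumptions.

```python
import re
from collections import defaultdict

SIGNER = "GLINT SOFTWARE SDN. BHD."   # certificate name from the report
C2_DOMAINS = ["mka3e8[.]com"]         # defanged, as published in the report

def refang(name):
    """Undo '[.]' defanging and normalise case and trailing dot."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()

def is_c2(qname):
    """True for a listed domain or any subdomain of it (not lookalikes)."""
    q = refang(qname)
    return any(q == d or q.endswith("." + d) for d in map(refang, C2_DOMAINS))

def signed_by_campaign_cert(subject):
    """Case- and whitespace-insensitive match of the signer in a cert subject."""
    squash = lambda s: re.sub(r"\s+", " ", s).strip().upper()
    return squash(SIGNER) in squash(subject or "")

def runs_javascript(command_line):
    """Scheduled-task action that launches a .js file (not .json)."""
    return re.search(r"\.js\b", command_line or "", re.I) is not None

def triage(events):
    """Group hits per host; 'high' needs the persistence hit plus one other."""
    hits = defaultdict(set)
    for e in events:
        if e["type"] == "task" and runs_javascript(e.get("command")):
            hits[e["host"]].add("js_scheduled_task")
        elif e["type"] == "file" and signed_by_campaign_cert(e.get("signer")):
            hits[e["host"]].add("campaign_signer")
        elif e["type"] == "dns" and is_c2(e.get("query", "")):
            hits[e["host"]].add("c2_dns")
    return {h: ("high" if "js_scheduled_task" in r and len(r) > 1 else "review",
                sorted(r)) for h, r in hits.items()}

# Constructed sample telemetry (hypothetical schema, hosts and command lines).
SAMPLE = [
    {"host": "ws-01", "type": "task",
     "command": r'wscript.exe "C:\Users\a\AppData\Local\Temp\t.js"'},
    {"host": "ws-01", "type": "file", "signer": "CN=Glint Software Sdn.  Bhd."},
    {"host": "ws-01", "type": "dns", "query": "MKA3E8.com."},
    {"host": "ws-02", "type": "dns", "query": "notmka3e8.com"},
    {"host": "ws-02", "type": "task", "command": "app.exe --config settings.json"},
    {"host": "ws-03", "type": "file", "signer": "CN=GLINT SOFTWARE SDN. BHD."},
]

if __name__ == "__main__":
    for host, (severity, reasons) in sorted(triage(SAMPLE).items()):
        print(host, severity, ", ".join(reasons))
```

A signer match alone is rated "review" because the report describes the certificate as also covering the visible, functional application.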
