Skip to content
arrow-alt-circle-up icon

Cyber Incident?

arrow-alt-circle-up icon

Call 00800 1744 0000

arrow-alt-circle-up icon

Indicators of Compromise (IoCs) Identified in Northwave's Malvertisement Investigation    

Reported August-November 2025  

HuFiCon Management Memo:
Journey with the CISO

A mountain climb to cyber security resilience. Find out how to get to the summit of cyber security resilience in Inge van der Beijl's management memo, from her presentation at the Human Firewall Conference (HuFiCon) on the 14.11.2024.

The climb will take you from the base camp of foundational security to the high-camp of a security conscious culture, all the way to the summit consisting of strategic security integration. 

inge_van_der_beijl
Inge van der Beijl

Director Innovation

Malware-Campaign
Published: 25 November 2025

Since August 2025, Northwave’s Security Operations Center (SOC), Computer Emergency Response (NW-CERT) and Cyber Threat Intelligence (CTI) teams have been investigating a widespread malware campaign connected to digital productivity tools downloaded through Search Engine Advertising (SEA) campaigns. Below is a table of the Indicators of Compromise (IoCs) that we have uncovered in our investigation and shared with security partners in Europe.

We recommend using them to help validate whether any of these indicators appear in your environment.

Signer

File with hash

download domain

C2

Sherlock Tech Ltd,

PDFclick.exe 09474277051fc387a9b43f7f08a9bf4f6817c24768719b21f9f7163d9c5c8f74

pdfclickapp[.]com

oblifagi[.]com
ddl[.]dwnpdfoc[.]com
runeton[.]com

PDFDoc.exe: cb42e3a751ff526912bb41337a9205cbe145f5fe80869341c79d5358c863c549

pdfdocapp[.]com

WHATECH MOBILE CO., LIMITED

NotAWord.exe
f3c11d0d18c5fe7c40c2ff833a618a46873ae99b0e7525f692d407395fd61b8b

notawordapp[.]com

oblifagi[.]com
notirino[.]com

My Tech Media LTD

ZapPDF.exe
84459f055a271cf9229ff0aa82981b47a2870f1ea6307a6078a30ae67eae1762

zappdfapp[.]com

oblifagi[.]com
enilord[.]com

Sorbet Live LTD

InfiniteDocs.exe
b2edaaea9039be5d4352b8a18cfa92140b4888c4a255d98c5ee806afdcba4293

infinitedocsapp[.]com

oblifagi[.]com
boholich[.]com

PowerDoc.exe
865e689218d52d0d179659c1a9929231f9f4af0738835f768aff4242818b5a02

getpowerdoc[.]com

ulinikio[.]com

BLUE TAKIN LTD

Easy2Converter.exe
2090e639bb9ed9c115bdfdf31fb52d4f6f5547d3
01c4af64821a9fd3db7c85256c509e79333bf124
98566a05b89e6412a9f6149dcc3bac9334022bde

xilopra[.]com
ez2convertapp[.]com

confetly[.]com
takelecon[.]com
banifure[.]com
hagalilk[.]com
orluyafi[.]com
comitoni[.]com
eloknys[.]com, mokliey[.]com
salionb[.]com

CANDY TECH LTD

Onezip.exe

e8b89b9fc60dc8ddb861369a7ab2cc319f23495022c4d1feb6e0cc4f3a87214c

onezipapp[.]com

lolidwni[.]com
oneoni[.]com

Convertmate.exe
08b9f93000512b45f8c2e8d3d6624536b366e67c40fd4b958db58e3a1d129c3d
e0db7b5eaf92feff220c805b0e5f3d8916e18d51

UpdateRetreiver.exe
6bf2cc4e9d9901541214d7efc8bb8bb24ef5bddc238598333c843e421c042c6b

Uninstaller.exe
e95de8452d32b439e0286868ed16f63943af3bc059dca6bcb48d1cbe2431440e

conmate_update.ps1
372d89d7dd45b2120f45705a4aa331dfff813a4be642971422e470eb725c4646

Convert Mate.exe d9f9584f4f071be9c5cf418cae91423c51d53ecf9924ed39b42028d1314a2edc

conmateapp[.]com

dcownil[.]com
banifuri[.]com

Red Root LTD

ConvertyFile.exe
3d82200083a86df09c3b16c9095b844738a76863b1b01092b6c4dbef3b974b12

convertyfileapp[.]com

lukgiop[.]com
olienti[.]com

A1A Marketing Ltd.

 

crystal-pdf[.]com

 

PDFConfigurator.dll
719745be56e42e898d28aeefd254df630adba06eef3add08854b9cd9ae6b9a75

free-pdf-creator[.]com

api[.]free-pdf-creator[.]com

PDFStar.dll
6bf3714dc85237c453c5ede22d155c6135f46557e57242b0d782cf8a20f1b935

pdf-star[.]com

api[.]pdf-star[.]com

powerdoc.exe
b3afc517095d0362a32c5655f7572123e5db2e09fe24f6f917b880d6a969c682

powerdocapp[.]com

yablinov[.]com

CROWN SKY LLC

7ZSfxMod_x64.exe
796a0393c6411b3af155cf98c029d002a439f5b1

calendaromatic-win_x64.exe
69934dc1d4fdb552037774ee7a75c20608c09680128c9840b508551dbcf463ad

downloaded ZIP archive
81f6a9bdc25d10944a41fc8b3cac16350454a9f88ece1d2260e1fe9ae10ef6ff

Calendaromatic[.]com

 

Crowd Sync LLC

PDFSparkOnSoft_82046.exe, setup.exe
38d37ae2a3b016c5172568bc708e2890fc8e413e7502e84b706725a6915bb95e

PDF spark setup
e36882cc0a81ca1bd282e3fd314c59f2adc2ff1b6fc1ed6290ac68a4cc57edf3
9d9aaca4217ab036a788f2d8280b54dac3d1f2daaca5fa45261598a7da752d2e

setup.tmp
60fe51310585d95f48fc5fed54d27c78d409290b3d77866b35772c253219ea26

SparkSoftinc[.]com
pdfsparkware[.]com
sparkonsoft[.]com

getappsgroups[.]com

GLINT SOFTWARE SDN. BHD.

Summit Nexus Holdings LLC.

Echo Infini Sdn Bhd.

Apollo Technologies Inc.

ManualFinder-v2.0.196.msi
f734dc5fb78cf67e63eae2830e656a70c015db15

ManualFinderApp.exe
1eb5be9e5662811fa1412287fa8e5a2d88d0a4d2

AppSuite-PDF.msi
1b77beedb0b99bf5430c1a18315302399d07812c

pdfeditorsetup.exe
21df00ac8bf8baa1111f3fc564d27a9eabf0f097

PDF Editor.exe
2ecd25269173890e04fe00ea23a585e4f0a206ad

PDF Editor.exe
a3d937bcd92fc8a06e47aca8c5c7f56d175a1573

pdfmeta[.]com

y2iax5[.]com
5b7crp[.]com
mka3e8[.]com
9mdp5f[.]com

We are here for you

Need help with your cyber security or wondering how secure your business really is?
Get in touch and we will help you find the best solution.

.