Indicators of Compromise (IoCs) Identified in Northwave's Malvertisement Investigation

Since August 2025, Northwave’s Security Operations Center (SOC), Computer Emergency Response (NW-CERT) and Cyber Threat Intelligence (CTI) teams have been investigating a widespread malware campaign connected to digital productivity tools downloaded through Search Engine Advertising (SEA) campaigns. Below is a table of the Indicators of Compromise (IoCs) that we have uncovered in our investigation and shared with security partners in Europe.

We recommend using them to help validate whether any of these indicators appear in your environment.

Signer	File with hash	download domain	C2
Sherlock Tech Ltd,	PDFclick.exe 09474277051fc387a9b43f7f08a9bf4f6817c24768719b21f9f7163d9c5c8f74	pdfclickapp[.]com	oblifagi[.]com ddl[.]dwnpdfoc[.]com runeton[.]com
Sherlock Tech Ltd,	PDFDoc.exe: cb42e3a751ff526912bb41337a9205cbe145f5fe80869341c79d5358c863c549	pdfdocapp[.]com	oblifagi[.]com ddl[.]dwnpdfoc[.]com runeton[.]com
WHATECH MOBILE CO., LIMITED	NotAWord.exe f3c11d0d18c5fe7c40c2ff833a618a46873ae99b0e7525f692d407395fd61b8b	notawordapp[.]com	oblifagi[.]com notirino[.]com
My Tech Media LTD	ZapPDF.exe 84459f055a271cf9229ff0aa82981b47a2870f1ea6307a6078a30ae67eae1762	zappdfapp[.]com	oblifagi[.]com enilord[.]com
Sorbet Live LTD	InfiniteDocs.exe b2edaaea9039be5d4352b8a18cfa92140b4888c4a255d98c5ee806afdcba4293	infinitedocsapp[.]com	oblifagi[.]com boholich[.]com
Sorbet Live LTD	PowerDoc.exe 865e689218d52d0d179659c1a9929231f9f4af0738835f768aff4242818b5a02	getpowerdoc[.]com	ulinikio[.]com
BLUE TAKIN LTD	Easy2Converter.exe 2090e639bb9ed9c115bdfdf31fb52d4f6f5547d3 01c4af64821a9fd3db7c85256c509e79333bf124 98566a05b89e6412a9f6149dcc3bac9334022bde	xilopra[.]com ez2convertapp[.]com	confetly[.]com takelecon[.]com banifure[.]com hagalilk[.]com orluyafi[.]com comitoni[.]com eloknys[.]com, mokliey[.]com salionb[.]com
CANDY TECH LTD	Onezip.exe e8b89b9fc60dc8ddb861369a7ab2cc319f23495022c4d1feb6e0cc4f3a87214c	onezipapp[.]com	lolidwni[.]com oneoni[.]com
CANDY TECH LTD	Convertmate.exe 08b9f93000512b45f8c2e8d3d6624536b366e67c40fd4b958db58e3a1d129c3d e0db7b5eaf92feff220c805b0e5f3d8916e18d51 UpdateRetreiver.exe 6bf2cc4e9d9901541214d7efc8bb8bb24ef5bddc238598333c843e421c042c6b Uninstaller.exe e95de8452d32b439e0286868ed16f63943af3bc059dca6bcb48d1cbe2431440e conmate_update.ps1 372d89d7dd45b2120f45705a4aa331dfff813a4be642971422e470eb725c4646 Convert Mate.exe d9f9584f4f071be9c5cf418cae91423c51d53ecf9924ed39b42028d1314a2edc	conmateapp[.]com	dcownil[.]com banifuri[.]com
Red Root LTD	ConvertyFile.exe 3d82200083a86df09c3b16c9095b844738a76863b1b01092b6c4dbef3b974b12	convertyfileapp[.]com	lukgiop[.]com olienti[.]com
A1A Marketing Ltd.		crystal-pdf[.]com
	PDFConfigurator.dll 719745be56e42e898d28aeefd254df630adba06eef3add08854b9cd9ae6b9a75	free-pdf-creator[.]com	api[.]free-pdf-creator[.]com
	PDFStar.dll 6bf3714dc85237c453c5ede22d155c6135f46557e57242b0d782cf8a20f1b935	pdf-star[.]com	api[.]pdf-star[.]com
	powerdoc.exe b3afc517095d0362a32c5655f7572123e5db2e09fe24f6f917b880d6a969c682	powerdocapp[.]com	yablinov[.]com
CROWN SKY LLC	7ZSfxMod_x64.exe 796a0393c6411b3af155cf98c029d002a439f5b1 calendaromatic-win_x64.exe 69934dc1d4fdb552037774ee7a75c20608c09680128c9840b508551dbcf463ad downloaded ZIP archive 81f6a9bdc25d10944a41fc8b3cac16350454a9f88ece1d2260e1fe9ae10ef6ff	Calendaromatic[.]com
Crowd Sync LLC	PDFSparkOnSoft_82046.exe, setup.exe 38d37ae2a3b016c5172568bc708e2890fc8e413e7502e84b706725a6915bb95e PDF spark setup e36882cc0a81ca1bd282e3fd314c59f2adc2ff1b6fc1ed6290ac68a4cc57edf3 9d9aaca4217ab036a788f2d8280b54dac3d1f2daaca5fa45261598a7da752d2e setup.tmp 60fe51310585d95f48fc5fed54d27c78d409290b3d77866b35772c253219ea26	SparkSoftinc[.]com pdfsparkware[.]com sparkonsoft[.]com	getappsgroups[.]com
GLINT SOFTWARE SDN. BHD. Summit Nexus Holdings LLC. Echo Infini Sdn Bhd. Apollo Technologies Inc.	ManualFinder-v2.0.196.msi f734dc5fb78cf67e63eae2830e656a70c015db15 ManualFinderApp.exe 1eb5be9e5662811fa1412287fa8e5a2d88d0a4d2 AppSuite-PDF.msi 1b77beedb0b99bf5430c1a18315302399d07812c pdfeditorsetup.exe 21df00ac8bf8baa1111f3fc564d27a9eabf0f097 PDF Editor.exe 2ecd25269173890e04fe00ea23a585e4f0a206ad PDF Editor.exe a3d937bcd92fc8a06e47aca8c5c7f56d175a1573	pdfmeta[.]com	y2iax5[.]com 5b7crp[.]com mka3e8[.]com 9mdp5f[.]com
International Holdings, LLC	ConverKit.exe/pdfeditor 11d342f01a9deb1d8dbeb8030255fdd5ec4ba4f5c9029d38e0c71d3e885f6ddf	cleareditpdf[.]com	paperappsetup[.]com
Byte Media Sdn. Bhd.	smartopenpdf.msi / gopdfmanuals.msi / propdfhub.msi / easypdfmanuals.msi SHA1: 0e1768aa430ffc39f241e84a59948c673621f47d Epi-PDF.msi MD5: 3c0be43e5ea87f036146fe91b9f331c3		potential C2 `pdf[.]epibrowser[.]com` api[.]epibrowser[.]com
Mainstay Crypto LLC	pdfsetupapp.exe MD5: 82e96a9b701a836e9d14c8425d34fe17
Tropical RIiff Ltd	PDFly.exe SHA1: f9214faac7b8fdd6857d780ce233a98b182562d2		https[://]gomeetpdfly[.]llc
Unsigned	RapiDoc.exe f1f08a1e5b0c455917cab77c50e70a8d461dffc13e79502cf122c9f4f0e8243c e93de0fb0cdb85b3e854ea4d33e3f3984671dff32363bff4b6730eeabc8fa2e3 d6bbb7442f5fcd31394687ad184b13925a8d92f380927157b81b23964efd038d cf3b71a228bce1e5fbc1fd105ba2117c350c583fcedd39d4a2ea8db36f6967ed c1d834f73fd075c9b5f39a9b17c323855b8f70aaf33345a6121bef0301bd81d3 b6498d37adf6ecd7c0eea02308ec9d977f5de08d991cd9e5d2526702c25e2e97 9431ab21fe532258800165fbd70b26de9f841e331aef0149887d103c7dafbe35 8da1c71b2854afd697188146991cf5291285543ca07ee284c4deab5bec6bf367 7cf27dd4eb518a9be0ae6f6eed10e28be5e2b5bcda30c9e8ece12c858b11c50b 705fb51773e0f9a4f7786fedd05f27beedeadb05ed1ea8beb9648fa55261823e 521e83f1c6a9a08b84c14fe26946a7c053e2ec0f6ce1bf87faefc1efefe416e4 51940e488e68ac6ebca411f766be963e4afe12c8d6619d755563755ae3577799 486bf3f347fafc080b2d2a9800aa7f5bfd65e877e8f091235ff28f9600792d06 38f853d00b2395df952ccabea0ccc047e8766799db64d740ad4fab0ca91ec865 160a2d5fb5b4ce813db69bd09a18dae9f8ce0ed3b186f7a5f386d3a8a9e304fc 0f50374b2590effaf52727ee535483abccef6145a2b36c10586e121ed0b46c4d fbfac20afd272f21238f53c89f9a0aa53a83b290c8adbaceac5ae9c5ca48701c 0c299bf87b2f2551115d622acc066ba9a63f721a293191468b505294acc02b1e 23c26a74eb4e854bf629325a86738c59001975e5a3b5baba0ab7cd44ecc2291a 94060edbe8efac192ec6cb453d8cbe70a92ff0afbca61d75494eb59c501cf196	doctwoli[.]com/

Cyber Incident?

Call 00800 1744 0000

Indicators of Compromise (IoCs) Identified in Northwave's Malvertisement Investigation

HuFiCon Management Memo:
Journey with the CISO

Inge van der Beijl

We are here for you

Business

Bytes

Behaviour

Cyber Incident?

Call 00800 1744 0000

Indicators of Compromise (IoCs) Identified in Northwave's Malvertisement Investigation

HuFiCon Management Memo:Journey with the CISO

Inge van der Beijl

We are here for you

Business

Bytes

Behaviour

HuFiCon Management Memo:
Journey with the CISO