Unmasking Malware Disguised as Free Productivity Tools
How Northwave’s SOC Disrupted a Fast-Spreading Attack
It’s a common occurrence in any office. An employee searches online for a simple, free solution for PDF editing. Google has pages of options, so they pick one of the top results. For due diligence, they check the website for the tool. It’s sleek and professional-looking, with Terms and Conditions and a Privacy Policy. A tech-savvy employee may even go one step further by verifying the application’s signed developer certificate. Since everything looks legit, the employee downloads the tool and converts the PDF. The application operates as expected and the employee goes on with their day, quickly forgetting about the programme saved on their company laptop.
And soon after, things start to take a bad turn.
In Northwave’s Security Operations Centre (SOC), a single alert tipped our analysts off to a much larger threat. At first glance, it didn’t seem very suspicious. Yet, something felt off. Further investigation uncovered a widespread malware campaign linked to free digital productivity tools. These applications are promoted through paid advertisements in search engines, such as Google Ads, and have all the signs of being authentic. However, they are actually cleverly disguised malware. Before long, it became clear that this was far from an isolated event.
Unmasking Malvertisements
Over a period of three months, Northwave SOC analysts noticed a pattern taking shape across similar cases. Each time, a digitally signed application triggered an alert. And each time, the signed applications were free digital productivity tools, such as PDF converters and editors. At first glance, the tools appear to be products of legitimate companies that have paid for Search Engine Advertising (SEA).
However, weeks after installation, the application receives an update that drops new executables. These directly establish persistence and generate periodic outgoing network traffic. Further analysis, supported by publicly available cyber threat intelligence, indicates the files were repurposed, with different applications delivering distinct malware. Some turned devices into residential proxies for malicious traffic, others introduced information-stealing capabilities, and others acted as droppers that execute second-stage payloads in memory.
Because these tools look legitimate and are commonly used across organisations, the malware spreads with ease. We traced hundreds of infected devices over a few months’ time. In each case, swift action by Northwave’s SOC contained the threat before it could progress further. During one large campaign we disrupted in October, our analysts uncovered several previously unknown Indicators of Compromise (IoCs). These insights enabled us to respond more proactively and improve our detection capabilities.
Northwave’s Computer Emergency Response (NW-CERT) and Cyber Threat Intelligence (CTI) teams have also supported the investigation. Recognising that this issue is far from an isolated event, we shared our findings, including the IoCs, with several security partners to improve threat detection across Europe. Using the Google Ads Transparency Center, we were also able to find and report the ad campaigns. Our investigation is ongoing as we try to uncover more decoys, how they relate to each other, and whether they might be products from a Malware as a Service (MaaS) provider.
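The behavioural tell described above, a dropped executable that calls out at a fixed interval, can be hunted for in endpoint network telemetry without knowing the specific indicator. The following is an added example, not code from Northwave or from the investigation: it runs a beacon-regularity heuristic over constructed connection events, and a separate lookup against a constructed stand-in for the IoC table. The paths, addresses and interval are all assumed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry: (seconds since start, process image, destination).
# Paths and addresses are made up; 198.51.100.0/24 is documentation space.
# The svc_update.exe rows mimic the pattern the post describes: a dropped
# executable under a user profile calling out at a near-constant interval.
SAMPLE_EVENTS = [
    (0,    r"C:\Users\alice\AppData\Local\FreePdfTool\svc_update.exe", "198.51.100.10"),
    (600,  r"C:\Users\alice\AppData\Local\FreePdfTool\svc_update.exe", "198.51.100.10"),
    (1201, r"C:\Users\alice\AppData\Local\FreePdfTool\svc_update.exe", "198.51.100.10"),
    (1799, r"C:\Users\alice\AppData\Local\FreePdfTool\svc_update.exe", "198.51.100.10"),
    (2400, r"C:\Users\alice\AppData\Local\FreePdfTool\svc_update.exe", "198.51.100.10"),
    (5,    r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.org"),
    (19,   r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.org"),
    (340,  r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.org"),
    (355,  r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.org"),
    (1900, r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.org"),
]

# Constructed indicator set standing in for a shared IoC table (not real IoCs).
KNOWN_IOCS = {"198.51.100.10", "203.0.113.77"}


def beacon_candidates(events, min_events=4, max_cv=0.2):
    """Return {(image, dest): mean_gap} for process/destination pairs whose
    outbound connections recur at near-constant intervals. Regularity is
    measured as the coefficient of variation of the inter-connection gaps;
    human-driven traffic (browsers) is bursty and scores high, beacons low."""
    by_pair = defaultdict(list)
    for ts, image, dest in events:
        by_pair[(image, dest)].append(ts)
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:          # too few samples to judge
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings[pair] = round(avg, 1)
    return findings


def ioc_hits(events, iocs):
    """Return the set of process images that contacted a known indicator."""
    return {image for _, image, dest in events if dest in iocs}
```

Both checks are complementary: the indicator lookup catches what is already known, while the interval heuristic surfaces the beaconing behaviour of a decoy that has not been shared yet, which is worth reviewing alongside where the executable lives and when it was created.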
Detecting a Malvertisement Pattern
August 2025: PDF Editor / ManualFinder
- Multi-stage malware turning endpoints into residential proxies and introducing the TamperedChef backdoor.
- Related: Epibrowser, OneStart Browser.
September 2025: Calendaromatic
- Signed NeutralinoJS-based tool harvesting sensitive data. Uses a Unicode homoglyph technique linked to TamperedChef.
- Related: ImageLockerPDF Spark.
- Flagged by MDE due to the malicious signer Crowd Sync LLC; samples found on MalwareBazaar.
October 2025: Easy2Convert
- File converter acting as a dropper for in-memory payloads.
October 2025: Convertmate
- Connected to the earlier PDF Editor/ManualFinder campaign (NCSC). Continued detections alongside Easy2Convert across multiple customers.

How Can Organisations Defend Against Malvertisements?
Malware (malicious software) campaigns rely on social engineering tactics. By creating believable lures, such as phishing links or deceptive online advertisements, they convince people to download harmful programmes.
With generative AI, we see that these campaigns are becoming more convincing and can be developed at a much faster pace. For example, AI can help threat actors develop the “backstory” for the campaign. In the recent cases we investigated, the attackers made decoy applications look authentic with:
- Professional websites, likely developed using generative AI
- Contact details for a registered company, possibly a shell company
- Signed developer files to evade detection by Microsoft Defender
Large Language Models (LLMs) can also be exploited to assist malware development, as one of our blue team analysts recently tested in a controlled experiment. With the added ease of creating and executing these types of attacks, we are likely to see even more of them in 2026.
That said, decoy “trojan horse” malware attacks are not a new technique, and there are already some relatively easy ways to prevent them. Since these malvertisements prey on worker productivity, it’s important to keep employees from being exposed to them by:
- Promoting an authorised ad blocker for the workforce
- Identifying safe, authorised digital tools that meet employees’ productivity needs. Be sure to promote these tools internally, so people know which ones to use and how to get them.
Additionally, we have published a table outlining the IoCs we identified during our investigation. This table can be used to validate whether any of these indicators appear in your environment.
As AI-assisted and agentic AI cyberattacks reshape our cyber threat landscape, a proactive SOC is imperative. With Northwave’s Managed Detection and Response (MDR), organisations gain a 24/7 SOC that continuously strengthens detection logic, builds automations to keep pace with attackers, and works hand-in-hand with our CTI and CERT teams to respond swiftly and decisively.
To learn more about what we can do for your defences, or if you have an incident and require support, get in touch with us today.