Posts

Fake WinDirStat & LightShot Apps Deliver Go Backconnect Proxy Malware

PUBLIC RESEARCH — DEFENSIVE ANALYSIS

Sample SHA-256: 09049e365c86e0bc6192fb1601d0fbe6bf2235f9f3e26ea1c83e26f41d041530
ASAR SHA-256: 0efb10e5e2c77be36bbce5375a9e862c205b4837a951f0df62266370c75a26ed
Analysis Date: 2026-05-02
Analyst: Static / Dynamic / Malcat MCP
Threat Level: Critical

Table of Contents: Executive Summary; Public Release Notes; File Overview & Metadata; YARA Signature Hits; Malcat Kesakode Corroboration; VirusTotal Vendor Detections; Related Samples & Campaign Expansion; Sandbox Corroboration; Independent Static Validation: REMnux MCP; Attack Chain — Electron Trojan Loader; Related OSINT: Fake WinDirStat Distribution; C2 Infrastructure & Network Indicators; Background Runtime...

YAPA: Now using WIX to further evade detection

YAPA (Yet Another PDF Application), EvilaAI, MediaArena, or whatever you want to call these, are continuously trying new tactics/techniques to evade detection. In this latest YAPA, I look at PDFizer, which uses the Wix MSI installer to assist with making detection more difficult. I first posted a similar file, FlyPDFy, on this X post.

PDFizer:
MD5: 5843ff0c676bcf99039b2b46035fdf8e
Signer: Shappi Corp
Download: https://pdf-izer[.]com/

SandBox Run:

File Extraction: Since this is a Wix installer, we can use Dark.exe to extract the MSI. Then we can use a tool like less-msi to further extract all the remaining files:
PDFCoreLibrary.dll (.NET)
PDFizer.exe (.NET)
PDFRefresh.exe (GO)

It does appear that the .NET files are benign. However, the MSI does create a scheduled task to run the PDFRefresh hourly.

Interesting parts of the .NET: MessageBox.Show("Hello, I am just an ugly Test Update ...") public string GetHelloWorld() {return "Hel...