Posts

Showing posts from 2026

Zapdf is another suspicious PDF converter

In this series of YAPA (Yet Another PDF Application), I continue to document newly observed suspicious PDF converter applications. The latest one is Zapdf, which can be found on zappdfapp[.]com. This site was also documented on Northwave Cyber Security's and Nextron's websites, both of which host numerous IOCs for similar applications. The above image shows a similar style to many other observed malicious PDF, document, and zip converter applications. Analysis: the app.any.run sandbox run shows initial telemetry traffic (a POST), as well as the download of an updater binary. Some interesting notes on this when running on a test VM: the initial application is a .NET staging application; it extracts the "benign" Zapdf.exe (also a .NET application), but not before sending some telemetry, fingerprinting the system, creating persistence, and downloading the suspicious ZapUpdater.exe. This initial .NET loader looks very similar to other YAPAs observed in the past. Slight obfus...

GalacticPDF: Episode IV — A New Hijacker

GalacticPDF is another PDF reader/converter application I ran across that has the look and feel of the EvilAI and YAPA programs I've observed over the past year. Many of these programs have websites that have a similar look and feel to the image below. Certificate Signer: as with many of these programs, there is a valid certificate signer, "MONKEY DIGITAL LTD". These do tend to have interesting names. Also, as far as I can tell, this one has only been used with GalacticPDF. Google Ads: one place I've started looking with these is Google's Ad Transparency, to see if it looks a little off, or maybe to pivot to other programs being advertised by the same advertiser. GalacticPDF is advertised by "Kiruguard Ltd". This doesn't tell me much, but it does give me some visuals that, again, look very similar to other EvilAI campaigns. Analysis: honestly, at first this one had me a bit perplexed. It's a Rust-based program, which is something I don't have ...

Suspicious Productivity Pyinstaller Compiled Applications

Hello World. I have looked at a few interesting samples earlier this month that appear to fall into the same realm as many of the EvilAI PDF converters which were reported last year. The difference in this one is that instead of being Inno-packed, or an Electron app, or a .NET application like some of the variations observed so far, this one is a Python compiled application. The initial application observed was "PDFly", which, after some pivoting on other information, led to the discovery of Ziply, as well as PDFClick and Rapidoc. These findings were shared on my X post as well. The challenge with these is that I am unable to use pyinstxtractor/pyinstxtractor-ng; there seems to be some level of customized PyInstaller magic here that I just don't know enough about. What I do know is that when running these applications they do drop an AppData\Local\Temp\_MEIXXXX directory, common with PyInstaller, and there is an embedded resource zip file with another EXE of th...

Beware of Fake 7zip Installer: upStage Proxy

Over the past couple of weeks analysts have been looking at a suspicious 7zip installer which turns the host into a residential proxy (proxyware). I'm playfully calling this upStage Proxy (with a HeroQuest board game theme). More on the name will become clear in this article. The installer comes from 7zip[.]com, which, while looking professional and having been around for quite some time, is in fact not the official site for the 7zip tool. The official site is 7-zip.org. *Update February 10, 2026: At this time the download link is now pointing to the official 7-zip.org download. The installer is signed by the (now revoked) certificate "JOZEAL NETWORK TECHNOLOGY CO., LIMITED". The installer drops a version of 7zfm.exe that is also signed with this signer. This version of 7zfm.exe differs from the official build in an important way: it has embedded within it 3 files (upHreo.exe, hero.exe, and hero.dll). Analysis of this has been interesting; the main payloads are Go com...