Posts

Showing posts with the label EvilAI

PrimePDFConvert: YAPA (Yet Another PDF Application) That Turns Out to Be a Malware Loader

Earlier this week, while analyzing yet another "free PDF converter" called PrimePDFConvert, I quickly observed behavior very similar to PDFSupernova, a browser-hijacking malware I wrote about earlier this month. There are a few key differences in this variant, however. Most notable is a daily scheduled task that runs c:\programdata\primepdfconvert.exe, which "checks in" and can act as a malicious .NET loader. The installer displays a clean, modern UI with a loading spinner, progress bars, and a lengthy EULA referencing "browser extensions" and "added search capabilities." At first glance, it looks like a run-of-the-mill PUP (potentially unwanted program). But underneath the surface? It's a modular, remotely controlled malware loader with daily persistence, browser hijacking capabilities, and a Roslyn-powered remote code execution API. Red flags: packed by Costura.Fody; full-screen focus during install; writes daily persistence (programdata exe that ru...

SystemShock Loader: A look at Malware Dropped by Fake Electron Apps

TL;DR "SystemShock is a malicious DLL loaded by Electron apps masquerading as production tools. The DLL performs anti-analysis and anti-VM checks and then attempts to download or run additional code. The file also sends data that is likely stolen information and screenshots. More about the specifics of the Electron apps found can be read on Malware Analysis: Fake Google Meet Application." Background: Earlier in the week I ran across some fake video conferencing applications; these gave the user the impression that they were installers for tools such as MS Teams, Google Meet, and Zoom. However, none of these were signed by their respective organizations. A review of the applications showed a complex and layered approach to hiding a DLL that performs anti-analysis and anti-VM checks. The DLL also acts as a downloader for additional malware and AMSI bypass tools, and even appears to send out some recon data in the for...

Elevate.exe Understanding the Uses and Abuses

TL;DR elevate.exe is an open-source UAC helper commonly bundled with Windows installers and Electron builds. It is usually legitimate, but it is sometimes recompiled/signed and abused by threat actors (observed in recent EvilAI, TamperedChef, and BaoLoader campaigns). I was reading through an article by TRUESEC, and one thing that struck me and my peers was the elevate.exe file present in the samples that were analyzed. I mentioned to a peer that I see this file in many Electron apps I've analyzed this year. We kicked around the idea of how to build detection for it, but first we needed to understand what it is. Firstly, as pointed out by TRUESEC, elevate.exe is a tool by Johannes Passing, found on his GitHub repo. The tool can be shipped/packaged with Windows executables that on their own do not elevate privileges; the helper invokes UAC to elevate the privileges of the designated application. Initially, after readin...

EvilAI: Fake Online Speedtest Application

Several Windows applications that present themselves as legitimate utilities (Internet speed testers, "manual reader" and "finder" tools, certain PDF utilities, and even some AI search frontends such as justaskjacky) have been observed to drop a portable Node runtime folder alongside a heavily obfuscated JavaScript payload. The visible executable performs as the user expects; however, the installer also extracts the Node runtime and an obfuscated *.js file and registers a scheduled task, none of which appear necessary for the application's primary function. That JavaScript is executed by the dropped Node instance via the scheduled task (observed to run on roughly a 12-hour cycle). Its capabilities include encoded/obfuscated network communications and the potential to execute arbitrary code delivered by the server. Because the JS runs independently from the main executable and is persistent via scheduled tasks, it significantly increases the attack surface:...
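The persistence described in this post and in the PrimePDFConvert post above (a scheduled task that launches a dropped node.exe against an obfuscated .js on a roughly 12-hour cycle, or a daily task that runs an executable out of c:\programdata) can be triaged from the task XML that Task Scheduler keeps under C:\Windows\System32\Tasks. The scanner below is an added example written for this page, not tooling from the original posts. The heuristics (node.exe outside Program Files, a .js argument, an executable under ProgramData, Users\Public or AppData) and the three task XML samples are constructed for illustration; the namespace and element names are the standard Task Scheduler schema.

```python
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

# Namespace used by every task XML under C:\Windows\System32\Tasks.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed heuristic: directory prefixes a standard user can write to (compared lower-case).
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\public\\")


def describe_schedule(root) -> str:
    """Return the repetition interval (e.g. PT12H), the daily interval, or 'unknown'."""
    interval = root.find(".//t:Repetition/t:Interval", TASK_NS)
    if interval is not None and interval.text:
        return interval.text.strip()
    days = root.find(".//t:ScheduleByDay/t:DaysInterval", TASK_NS)
    if days is not None and days.text:
        return f"ScheduleByDay/DaysInterval={days.text.strip()}"
    return "unknown"


def analyze_task(root) -> dict:
    """Inspect every Exec action and collect the heuristic findings for this task."""
    findings, command, arguments = [], "", ""
    for exec_el in root.findall("t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        cmd_lower = command.lower()
        if PureWindowsPath(command).name.lower() == "node.exe" and not cmd_lower.startswith("c:\\program files"):
            findings.append("node.exe outside Program Files")
        if ".js" in arguments.lower():
            findings.append("action passes a .js file to the executable")
        if cmd_lower.startswith(WRITABLE_PREFIXES) or "\\appdata\\" in cmd_lower:
            findings.append("executable in a user-writable location")
    return {"command": command, "arguments": arguments,
            "schedule": describe_schedule(root), "findings": findings}


def analyze_task_xml(xml_text: str) -> dict:
    """Analyze task XML held in a string (the constructed samples below)."""
    return analyze_task(ET.fromstring(xml_text))


def analyze_task_file(path: str) -> dict:
    """Analyze a task file from disk; files there are UTF-16 with a BOM, so feed expat raw bytes."""
    return analyze_task(ET.fromstring(Path(path).read_bytes()))


# Constructed samples (not captured from a real host). Declarations are omitted so the strings parse as-is.
NODE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT12H</Interval></Repetition>
    <StartBoundary>2025-09-18T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\node\node.exe</Command>
    <Arguments>"C:\Users\Public\node\app.js"</Arguments></Exec></Actions>
</Task>"""

DAILY_EXE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-09-18T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\ProgramData\primepdfconvert.exe</Command></Exec></Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\cmd.exe</Command>
    <Arguments>/c echo maintenance</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("node", NODE_TASK_XML), ("daily", DAILY_EXE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, analyze_task_xml(xml))
```

To sweep a host, call analyze_task_file on every file below C:\Windows\System32\Tasks (an elevated prompt is needed to read that tree) and review anything with a non-empty findings list; the schedule field lets you spot the 12-hour and daily cadences the posts describe.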

EvilAI: Fake Manual Software

UPDATE: September 18, 2025. Another variant of what I've been looking at over the past week caught my eye today. Just wanted to give a real quick review of this, showing the POST encoding/decoding process. OpenMyManual.exe (9f948215b9ee7e7496ce3bc9e46fda56b50cc8905b88535225c7651007f660d5) drops a copy of node.exe as well as a malicious JS file (2cd68ea7f02e8cfaded52d64c2cb71b64560b3799c948960db37e827618ff22d). Like in my last post, you can run this through a JS deobfuscator, make a couple of quick edits, and then run node.exe with --inspect-brk to set breakpoints and step through the program. What you eventually get is the C2 (api.evil.com/nss), the POST data, and how that POST data is being encoded and sent out to the C2. The 16-byte buffer is the XOR key; the 176-byte buffer is what becomes the Base64 (shown here as _0xda4df9). To date, I have not gotten a response back from any of these C2s. I've looked at several of these; they all so far have a pattern like ^api.[a-zA-Z0...

EvilAI: Another variant of TamperedChef?

**Update** After a bit of analysis, it looks like I can force the deobfuscated code to run by "patching" the following bit: "return (await _0x324dc7(_0x26c49f.HKLM, "Software\\Microsoft\\Cryptography", "MachineGuid")).value;" Once that is done, I can use --inspect-brk, open the dev view, and set a breakpoint at the end, on the eval. In Process Hacker I can see the POST. The payload can be decoded in CyberChef: Base64 decode, convert to hex, use the first 16 bytes as the XOR key, then take the remaining hex (From Hex) and apply the XOR key. You will get something like: {"Event":"heartbeat","MachineId":"f4f34c43-9bc1-4a9a-b55f-1d4dd97e0e88","SessionId":"125cc3b3-bc56-474d-817b-badc96d07202","Version":"0.0.2","OSVersion":"10.0.26100","args":""} Since args doesn't return anything, it's likely not weaponized yet. The deobfuscated ...
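The CyberChef recipe above and the 16-byte-key/Base64 description in the OpenMyManual post can be scripted so that captured POST bodies are decoded in bulk. The decoder below is an added example for this page, not code from the posts or from the malware. It assumes exactly what the posts state (Base64 body, first 16 bytes are the XOR key, the remainder is the XOR'd JSON) plus one assumption the posts do not spell out: the key is applied repeating, as CyberChef's default XOR scheme does. The encoder, the fixed key and the sample body are constructed here so the decoder can be exercised offline; the heartbeat fields come from the post.

```python
import base64
import json
import os
from typing import Optional

KEY_LEN = 16  # per the posts: the first 16 bytes of the decoded POST body are the XOR key


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against key, cycling the key (assumed; matches CyberChef's default XOR scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_beacon(post_body_b64: str) -> dict:
    """Base64 decode, split off the 16-byte key, XOR the rest, and parse the resulting JSON."""
    raw = base64.b64decode(post_body_b64, validate=True)
    if len(raw) <= KEY_LEN:
        raise ValueError(f"decoded body is {len(raw)} bytes; need more than {KEY_LEN}")
    key, ciphertext = raw[:KEY_LEN], raw[KEY_LEN:]
    plaintext = xor_repeating(ciphertext, key)
    try:
        return json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        # A different key length or XOR scheme in a new variant lands here rather than in garbage output.
        raise ValueError("XOR output is not JSON; key length or scheme may differ for this sample") from exc


def try_decode(post_body_b64: str) -> Optional[dict]:
    """Convenience wrapper for bulk work: None instead of an exception for bodies that do not fit."""
    try:
        return decode_beacon(post_body_b64)
    except ValueError:
        return None


def encode_beacon(event: dict, key: Optional[bytes] = None) -> str:
    """Inverse of decode_beacon, mirroring the observed layout (constructed here for testing only)."""
    key = key if key is not None else os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be 16 bytes")
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(key + xor_repeating(body, key)).decode("ascii")


def looks_tasked(event: dict) -> bool:
    """The post reads an empty 'args' as no task issued yet; a non-empty one merits a closer look."""
    return bool(event.get("args"))


# Constructed sample: heartbeat fields quoted in the post, wrapped with a fixed (constructed) key.
SAMPLE_EVENT = {"Event": "heartbeat", "MachineId": "f4f34c43-9bc1-4a9a-b55f-1d4dd97e0e88",
                "SessionId": "125cc3b3-bc56-474d-817b-badc96d07202", "Version": "0.0.2",
                "OSVersion": "10.0.26100", "args": ""}
SAMPLE_KEY = bytes(range(KEY_LEN))
SAMPLE_POST_BODY = encode_beacon(SAMPLE_EVENT, SAMPLE_KEY)
SHORT_BODY = base64.b64encode(b"\x00" * KEY_LEN).decode("ascii")  # key only, no payload

if __name__ == "__main__":
    print(json.dumps(decode_beacon(SAMPLE_POST_BODY), indent=2))
```

Feed decode_beacon the raw Base64 string seen in the POST (from Process Hacker, a proxy, or a PCAP); if a new variant changes the key length or scheme, the JSON parse fails loudly rather than returning noise.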