A screenshot of the spoofed ManualFinder website | Image: Expel
For years, potentially unwanted programs (PUPs) have been associated with nuisance-level behavior—displaying ads, installing toolbars, or collecting minor telemetry. But according to new research from Expel, some PUPs are crossing into outright malware territory, acting as residential proxies, executing suspicious commands, and deploying hidden payloads.
As Expel researchers note, “While PUPs have traditionally displayed advertisements or collected personal information, we’re seeing activity where PUPs are dropping highly suspicious files, executing unexpected commands, and turning hosts into residential proxies. In our opinion, this activity pushes the line as to what should be considered PUP.”
Expel’s investigation began with an alert involving ManualFinder, an app that presents itself as a tool for locating instruction manuals. On the surface, it works as advertised. But underneath, it functions as a decoy for malicious behavior.
The report explains: “The manual search capability appears to just be a decoy, meant to distract from the program’s actual malicious behavior.”
ManualFinder relies on scheduled tasks to run a hidden JavaScript file with Node.js; that script then installs the MSI package ManualFinder.msi. Logs showed the package being installed with msiexec /qn /i, the quiet, no-UI install mode, so the user never sees an installer prompt.
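As an added example, not part of the original article or of Expel's report, the following PowerShell hunts on a Windows host for the two artifacts described above: scheduled tasks whose action launches Node.js with a script argument, and silent msiexec installs recorded in Security event 4688. It assumes process-creation auditing with command-line logging is enabled (otherwise the CommandLine field is empty); the regexes and the seven-day window are the author's assumptions, not indicators from the report.

```powershell
# Added hunting script (not Expel's code). Assumes "Audit Process Creation" plus
# "Include command line in process creation events" are enabled so 4688 carries CommandLine.

# 1. Scheduled tasks whose action runs node.exe, or passes a .js file as an argument
$nodeTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match '(?i)node(\.exe)?$' -or $action.Arguments -match '(?i)\.js\b') {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
}
"Scheduled tasks invoking Node.js or a .js script:"
$nodeTasks | Format-Table -AutoSize

# 2. Silent msiexec installs (/qn or /quiet together with /i) in the last 7 days,
#    with the parent process so a node.exe -> msiexec.exe chain stands out
$since = (Get-Date).AddDays(-7)
$silentInstalls = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $d['NewProcessName']
            Parent      = $d['ParentProcessName']
            CommandLine = $d['CommandLine']
        }
    } |
    Where-Object {
        $_.Image -like '*\msiexec.exe' -and
        $_.CommandLine -match '(?i)/(qn|quiet)\b' -and
        $_.CommandLine -match '(?i)/i\b'
    }
"Silent msiexec installs since $since:"
$silentInstalls | Select-Object Time, Parent, CommandLine | Format-Table -Wrap
```

A parent of node.exe, cmd.exe or powershell.exe on a quiet msiexec install, or a task whose Author is not a known vendor, is the lead to pull on; legitimate software deployment tools also use /qn, so treat the second list as triage input rather than a verdict.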
ManualFinder is not alone. Expel uncovered a cluster of interconnected apps, including OneStart, AppSuite-PDF, and PDF Editor, distributed through large-scale ad campaigns that promote free PDF tools.
Interestingly, OneStart can download AppSuite-PDF, which in turn installs PDF Editor, and eventually leads to ManualFinder—a multi-stage distribution chain.
Expel highlights, “The initial downloads for OneStart, AppSuite-PDF, and PDF Editor are being distributed by a large ad campaign advertising PDFs and PDF editors. These ads direct users to one of many websites offering downloads of these apps.”
A key finding concerns the code-signing certificates. Expel traced the apps' signers to entities such as GLINT SOFTWARE SDN. BHD. and ECHO INFINI SDN. BHD. in Malaysia, and Summit Nexus Holdings LLC in Wyoming, registered at an address already linked to scams.
The researchers observed, “For most software, we expect a match between the metadata of the file, the code-signing certificate, and legal information about the application itself; however, with these apps, we don’t observe this consistency.”
This pattern of inconsistent or fraudulent signing suggests the certificates were obtained to satisfy trust checks that look only for a valid signature, not to identify a genuine publisher.
Perhaps the most alarming discovery is that PDF Editor sometimes asks users for permission to turn their devices into residential proxies in exchange for using the app for free.
Expel states: “In some cases, running a copy of ‘PDF Editor’ on its own results in a message asking for the user’s consent to use their device as a residential proxy in return for using the free PDF Editing tool.”
Even worse, in other instances, Expel found browser file tampering, raising concerns about credential theft or surveillance.
During analysis, Expel found these apps communicating with domains such as mka3e8[.]com, which has previously been linked to OneStart Browser. VirusTotal records also showed over 70 malicious JavaScript files connecting to the same domain.
This overlap strengthens the case that these apps are part of a coordinated ecosystem designed to evade detection, monetize users, and establish proxy networks.
The researchers emphasize: “We recommend removing software from these certificate signers from your systems. We’ve reported the code-signing certificates to the certificate providers, and the certificates have been revoked. However, existing installations must be removed as well.”
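One way to act on that recommendation, as an added example that is not Expel's code: the PowerShell below walks the Uninstall registry keys, runs Get-AuthenticodeSignature over every executable under each product's InstallLocation, and flags files whose signer CN matches one of the signer names quoted in the article or whose signer CN disagrees with the binary's own CompanyName metadata (the inconsistency the researchers describe). The signer list comes from the article; the CN parsing and the mismatch heuristic are assumptions of this example.

```powershell
# Added triage script (not from Expel's report). The signer names are those quoted
# in the article; everything else here is an assumption for illustration.
$badSigners = @(
    'GLINT SOFTWARE SDN. BHD.',
    'ECHO INFINI SDN. BHD.',
    'Summit Nexus Holdings LLC'
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$findings = foreach ($app in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
    if (-not $app.InstallLocation -or -not (Test-Path $app.InstallLocation)) { continue }
    foreach ($exe in Get-ChildItem -Path $app.InstallLocation -Filter *.exe -Recurse -ErrorAction SilentlyContinue) {
        $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Loose CN extraction; assumes the CN itself contains no comma
        $signerCN = if ($subject -match 'CN=([^,]+)') { $Matches[1].Trim('"') } else { '' }
        $company  = $exe.VersionInfo.CompanyName

        $knownBad = $badSigners | Where-Object { $signerCN -like "*$_*" }
        # Signer and file metadata name neither contain the other: the inconsistency Expel describes
        $mismatch = $signerCN -and $company -and
                    ($company -notlike "*$signerCN*") -and ($signerCN -notlike "*$company*")

        if ($knownBad -or $mismatch) {
            [pscustomobject]@{
                App         = $app.DisplayName
                Publisher   = $app.Publisher
                File        = $exe.FullName
                SignerCN    = $signerCN
                CompanyName = $company
                SigStatus   = $sig.Status      # a revoked certificate no longer yields Valid
                Reason      = if ($knownBad) { 'known signer' } else { 'signer/metadata mismatch' }
                Uninstall   = $app.UninstallString
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Entries with Reason 'known signer' match the article's recommendation directly and can be removed with the listed UninstallString; the 'signer/metadata mismatch' entries will include legitimate software whose signing entity and product company name simply differ, so treat those as leads to review, not as a removal list.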