Image: Expel
Expel researchers have lifted the veil on a long-running malware operation abusing the global trust model of software distribution. Their analysis shows that the developers behind the AppSuite-PDF and PDF Editor campaigns, malware now tracked as BaoLoader, have been systematically exploiting code-signing certificates for more than seven years.
As the report states, “We demonstrate that the developers behind the recent AppSuite-PDF and PDF Editor campaigns have used at least 26 code-signing certificates over the last seven years to make their software appear legitimate.”
What initially looked like potentially unwanted programs (PUPs) has since been tied to fraud operations and backdoor activity. “Recent analysis of the software and the actors’ connections to fraud suggest we should re-consider how we think about them.”
At the heart of the scheme is the abuse of code-signing certificates, which normally serve as digital trust anchors for the Windows and macOS ecosystems. Expel explains, “These actors register new businesses for receiving authorization to generate code-signing certificates… They then use these certificates to sign their own malware, often disguised as potentially unwanted programs.”
This tactic mimics corporate identity theft. By registering shell companies in Panama, Malaysia, and even the United States, the operators obtained certificates that allowed malicious binaries to bypass antivirus and operating system warnings.
Notably, “the actors used 15 code-signing certificates issued for companies in Panama… [and] five certificates for companies in Malaysia. No other actors in the database use certificates from these countries.”
The malware ecosystem attributed to BaoLoader includes a string of PDF editors and utilities (AppSuite-PDF, ManualFinder, PDFTools, PDFProSuite, and OneStart), all distributed under different corporate guises but sharing certificate fingerprints.
One consistent behavior is the use of backdoored installers. “AppSuite-PDF is a simple app whose main functionality is to download and install the PDF Editor app… But it also comes with a backdoor.”
In addition, variants like OneStart have been spread via deceptive PDF editor ads and bundled software, showing how criminals leveraged everyday productivity tools as bait.
BaoLoader’s abuse of certificates and distribution methods initially led some researchers to confuse it with Chromeloader and TamperedChef. Expel clarifies: “These names have been mistakenly applied to this malware, but the distinction is important for research and law enforcement.”
While it shares traits with Chromeloader, such as using scheduled tasks for persistence and loading Chrome extensions, the certificate history and infrastructure differ. Similarly, TamperedChef’s “recipe app” trojan had very different certificate origins.
BaoLoader is its own distinct malware family, with a unique footprint in certificate abuse and a focus on disguising itself as functional software.
Code-signing certificates are the backbone of trust in modern software. When abused at scale, they enable criminals to masquerade as legitimate developers. As Expel emphasizes, “Code-signing certificates are intended to validate that software is from a known provider… BaoLoader is an example of this, but went relatively unnoticed for years.”
For defenders, this means spotting anomalies in certificate use is just as critical as detecting malicious code. “The clearest indicator is when the software, the metadata about the application, and the application itself don’t line up.”
Organizations are urged to adopt stricter application controls, such as Microsoft’s AppLocker or enterprise application whitelisting, to prevent unauthorized executables from running, even when they appear to be signed.
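As an added example (not code from Expel or the report), the following PowerShell script applies the “don’t line up” check described above to signed executables: it compares the Authenticode signer’s organization with the CompanyName embedded in the binary’s version metadata, flags signed binaries that carry no product metadata at all, and notes signers registered in the countries the report singles out. The scan path and the country list are assumptions chosen for illustration.

```powershell
# Added example: flag signed executables whose Authenticode signer does not line up
# with the file's own version metadata. Assumes Windows PowerShell 5.1 or later.
param(
    [string]$Path = "C:\Users\Public\Downloads",   # assumed scan location
    [string[]]$UnusualCountries = @("PA", "MY")      # countries the report highlights
)

function Test-SignerMismatch {
    param([System.IO.FileInfo]$File)

    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return $null   # unsigned or invalid: left to other controls such as AppLocker
    }
    $cert    = $sig.SignerCertificate
    $subject = $cert.Subject
    # Organization (O=) and country (C=) from the signer's distinguished name.
    $org     = if ($subject -match '(?:^|,\s*)O=("[^"]+"|[^,]+)') { $Matches[1].Trim('"') } else { '' }
    $country = if ($subject -match '(?:^|,\s*)C=([A-Z]{2})') { $Matches[1] } else { '' }

    $vi = $File.VersionInfo
    $findings = @()
    # 1. Publisher named in the binary's metadata differs from the certificate holder.
    if ($vi.CompanyName -and $org -and
        ($vi.CompanyName -notlike "*$org*") -and ($org -notlike "*$($vi.CompanyName)*")) {
        $findings += "CompanyName '$($vi.CompanyName)' != signer O '$org'"
    }
    # 2. A signed binary that ships with no product or description metadata.
    if (-not $vi.ProductName -and -not $vi.FileDescription) {
        $findings += "signed binary has no ProductName/FileDescription"
    }
    # 3. Signer registered in a country the report describes as unusual.
    if ($country -in $UnusualCountries) {
        $findings += "signer country $country"
    }
    if ($findings.Count -eq 0) { return $null }
    [pscustomobject]@{
        File       = $File.FullName
        Signer     = $org
        Country    = $country
        Thumbprint = $cert.Thumbprint
        Findings   = ($findings -join '; ')
    }
}

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignerMismatch -File $_ } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

A hit is a triage lead, not a verdict: the thumbprint column lets an analyst pivot to the certificate itself and to other files signed with it.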