AppSuite PDF Editor: A disguised backdoor in the guise of a PDF editor

September 1, 2025

The AppSuite PDF Editor disguises itself as a functional PDF editor, but upon closer analysis, it turns out to be a sophisticated Trojan with backdoor functionality. The malware enables attackers to persistently compromise systems, exfiltrate sensitive data, and execute arbitrary commands. Security analyses show how threat actors imitate legitimate software to evade detection by security solutions.

Camouflage and distribution

The malware is distributed via highly rated websites that pose as reputable download portals. Users download an MSI installer that installs the program in the directory %USERPROFILE%\PDF Editor. After execution, a seemingly harmless GUI for PDF editing opens; internally it is a browser view that loads the URL hxxps://pdf-tool.appsuites(dot)ai. The malware checks the browser’s user agent so that the user interface renders correctly.

The main component is the obfuscated Electron application pdfeditor.js. Only a very small part of the code actually handles PDF display; the majority implements backdoor and adware routines. This structure provides effective camouflage while the actual attack runs in the background.

Another notable tactic used by the attackers is to submit the malware to antivirus vendors as a “false positive” in order to pressure them into removing the detection. As a result, security solutions initially classify the software as potentially harmless, even though it is already actively compromising systems.

How the backdoor works

The malware implements several routines that perform different tasks:

  • --install: Registers the system with the command-and-control server (C2), generates an installation ID (iid) and a system ID (SID), and creates two scheduled tasks: PDFEditorScheduledTask for a one-time check (--check) and PDFEditorUScheduledTask for recurring actions (--ping). The delay introduced by deferring activity to these tasks is intended to circumvent sandbox analysis.
  • --ping: Establishes an encrypted connection to the server, encrypting action requests with AES-128-CBC under a key derived from the installation ID. The malware receives commands that let it monitor processes, read files and registry entries, and download additional malware.
  • --check and --reboot: Use the same internal function; --reboot additionally terminates certain processes. To prevent multiple executions, the backdoor checks a state file in the user profile. If that file is less than 15 minutes old, the program exits immediately.
  • --cleanup: Supposedly removes the backdoor, but only deletes certain tasks. Persistent backdoor components and downloaded malware remain intact, so complete cleanup is only possible by reinstalling the system (“repaving”).
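A host triage check for the persistence indicators named above (install directory, the two scheduled task names, the pdfeditor.js payload). This is an added example, not code from the original analysis; it assumes those names are exact as reported and must be run in the context of the affected user.

```powershell
# Added triage example (not from the original analysis). Assumes the install path,
# task names and payload filename reported in the article; adjust if a sample differs.
function Get-AppSuiteIndicators {
    [CmdletBinding()]
    param(
        [string]$InstallDir = (Join-Path $env:USERPROFILE 'PDF Editor'),
        [string[]]$TaskNames = @('PDFEditorScheduledTask', 'PDFEditorUScheduledTask')
    )

    $findings = @()

    # 1. Installation directory and the obfuscated Electron payload
    if (Test-Path -LiteralPath $InstallDir) {
        $findings += [pscustomobject]@{ Type = 'InstallDir'; Detail = $InstallDir }
        Get-ChildItem -LiteralPath $InstallDir -Recurse -Filter 'pdfeditor.js' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{ Type = 'Payload'; Detail = $_.FullName }
            }
    }

    # 2. The named scheduled tasks (--check one-shot, --ping recurring); record what they launch
    foreach ($name in $TaskNames) {
        $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
        if ($task) {
            $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Detail = "$($task.TaskPath)$name -> $cmd" }
        }
    }

    # 3. Any other task whose action runs something from the install directory,
    #    in case a variant uses different task names
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $TaskNames -notcontains $_.TaskName } |
        ForEach-Object {
            foreach ($a in $_.Actions) {
                $line = "$($a.Execute) $($a.Arguments)"
                if ($line -like "*$InstallDir*") {
                    $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Detail = "$($_.TaskPath)$($_.TaskName) -> $line" }
                }
            }
        }

    return $findings
}

# Usage: an empty result means none of the known indicators are present on this host.
Get-AppSuiteIndicators | Format-Table -AutoSize
```

Because --cleanup leaves components behind, a hit here is a reason to collect the task definitions and the install directory for analysis and then repave, not to run the bundled uninstaller.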

Data management and C2 communication

The backdoor manages two log files: LOG0 and LOG1. LOG1 contains the installation ID, the SID, and, later, keys extracted from browsers. LOG0 is presumably used by the attackers for debugging or manipulation. Without a valid installation ID, the malware aborts execution.

The backdoor uses the bootstrap function “GetRtc” to load configuration data from the C2 server. For authentication, it uses an AES-256-CBC key derived from a hard-coded e-key and the installation ID. The server’s response provides, among other things:

  • Paths to applications and profiles (e.g., Wave, Shift, OneLaunch, Chromium)
  • Command templates that can be flexibly executed via cmd.exe or reg.exe
  • Boolean flags that activate specific handlers

These mechanisms enable attackers to execute arbitrary remote commands and to control the backdoor’s functionality dynamically.

Browser and system exfiltration

Dedicated handlers target the installed browsers:

  • Chromium-based browsers (Edge, Chrome, etc.)
  • Wave Browser
  • Shift Browser
  • OneLaunch

The handlers extract passwords, cookies, browser settings, and histories, manipulate registry values, modify preference files, and synchronize the results with the C2 server. In addition, they can read specific stored keys and save them in LOG1.

With these functions, the malware can:

  • read and exfiltrate sensitive data
  • change browser configurations
  • create persistent autorun routines
  • download additional malware

All actions are logged via an encrypted event logging system and sent to the C2 server. This allows attackers to continuously monitor backdoor activities.

Security assessment

The analysis clearly shows that AppSuite PDF Editor is not harmless software, but a classic Trojan with backdoor functionality. The visible PDF editor is merely a cover. The malware establishes persistent access, gives the attackers remote control of the system, and can compromise sensitive data.

Particularly critical is the tactic of submitting the software as a “false positive” to security providers. This delays detection by security solutions and makes preventive defense more difficult.

For infected systems, the backdoor can only be completely removed by reinstalling the operating system. Using the integrated uninstaller is not sufficient, as persistent tasks and downloaded malware remain.

Conclusion

AppSuite PDF Editor highlights the dangers of disguised malware that imitates legitimate software in order to compromise systems unnoticed. Organizations and users should classify the software as malware and critically question free PDF tools from unknown sources. The analysis underscores the need to use a combination of file monitoring, network monitoring, and incident response processes to detect such threats early on.
