We’re seeing a significant uptick in a malware campaign that’s affecting multiple customers. This one’s worth knowing about if you’re in a SOC or working with EDR platforms.
The Campaign
Attackers are distributing malicious Node.js payloads disguised as manual reader and document utility applications. The names are designed to look legitimate: AllManualsReader, OpenMyManual, ManualFinder, AppSuitePDF, and OneStart.
Initial distribution appears to be through SEO poisoning. Users search for manuals or document tools, find these applications in search results, and download what they think is a legitimate utility.