Malicious Crystal PDF Converter Detected on SLTT Networks

Keypoints

  • Crystal PDF is a managed .NET (F#) staged loader first observed in November 2024 and detected in October 2025 across multiple U.S. State, Local, Tribal, and Territorial (SLTT) organizations via CIS MDR alerts.
  • The binary samples were signed with certificates issued to Long Sound LTD and VAST LAKE LTD that have since been revoked, showed PE obfuscation (future COFF timestamps, empty import tables, multiple PE headers), and appear to be primarily fileless, executing the second stage in memory.
  • Observed behaviors include sandbox/VM detection, process spawning and injection (RWX memory allocation followed by CreateRemoteThreadEx), COM object abuse via rundll32 with SHCreateLocalServerRunDll, and registry modifications under Explorer\SessionInfo and Internet Settings\Cache.
  • Network activity uses standard .NET networking functions (AsyncDownloadFile, AsyncDownloadString, HTTPClient, WebClient) and DNS resolution for suspected C2 domains negmari[.]com, ramiort[.]com, and strongdwn[.]com.
  • CIS assesses with moderate confidence that threat actors will continue to distribute fake PDF converters via malvertising and SEO-poisoning campaigns to deliver staged loaders and secondary payloads (commonly infostealers).
  • CIS recommends U.S. SLTT organizations join MS-ISAC for tailored reporting, IOCs, and incident response guidance to bolster defenses against Crystal PDF and similar threats.

MITRE Techniques

  • [T1055] Process Injection – Crystal PDF allocates RWX memory and uses remote thread creation to inject code into other processes (‘Crystal PDF was also observed with read/write/execute memory allocation and CreateRemoteThreadEx calls, which indicates the malware uses process injection.’)
  • [T1105] Ingress Tool Transfer – The loader likely retrieves a secondary payload from remote infrastructure or contains an embedded payload decrypted and executed in memory (‘For the second stage, it is likely that Crystal PDF either downloads an additional payload or contains an embedded payload that must be decrypted and executed in memory.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Uses standard .NET networking functions to communicate with C2 over HTTP/S (‘…makes use of standard .NET networking functions, specifically AsyncDownloadFile, AsyncDownloadString, HTTPClient, and WebClient.’)
  • [T1027] Obfuscated Files or Information – Samples show obfuscation through future COFF timestamps, empty import tables, multiple PE headers, and encryption/compression hiding embedded payloads (‘the binaries of all three samples contained different future common object file format (COFF) timestamps… empty import tables, and multiple PE headers, which points to obfuscation.’)
  • [T1497] Virtualization/Sandbox Evasion – Performs sandbox and VM checks and uses timing delays and looped environment checks to detect and evade analysis environments (‘the payload runs in memory as well as performs sandbox and VM checks.’ / ‘the threat utilizes timing delays and looped environment checks to detect virtualization’)
  • [T1553.002] Subvert Trust Controls: Code Signing – Samples carried digital signatures from certificates issued to Long Sound LTD and VAST LAKE LTD so the binaries appeared legitimate; both certificates have since been revoked (‘At the time of analysis, Crystal PDF was using digitally signed certificates by Long Sound LTD and VAST LAKE LTD, which have since been revoked.’)
  • [T1620] Reflective Code Loading – Executes obfuscated payloads directly in memory as a staged loader, indicating reflective or in-memory execution of secondary components (‘Crystal PDF executes an obfuscated payload in memory… contains an embedded payload that must be decrypted and executed in memory to function.’)
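
A static check for the three PE artifacts the T1027 entry lists (a COFF timestamp in the future, an empty import table, and more than one PE header in the file), as an added example that is not CIS's tooling or code from the blog post. It reads only the DOS header, the COFF file header and the data directories using the standard library. `build_sample_pe` fabricates a minimal headers-only PE32 image so the check can be run offline; the 2085-09-21 timestamp in the constructed sample mirrors the example timestamp in the IOC section, and the function names and sample bytes are this example's own.

```python
"""Static triage for PE obfuscation artifacts: future COFF timestamp, empty
import table, multiple PE signatures. Added example; not CIS's tooling."""
import calendar
import struct
import time

PE_SIG = b"PE\x00\x00"


def _pe_header_offset(data: bytes) -> int:
    """Return the offset of the 'PE\\0\\0' signature via e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def triage_pe(data: bytes, now=None) -> dict:
    """Flag the three artifacts. 'now' is injectable so results are deterministic."""
    now = time.time() if now is None else now
    coff = _pe_header_offset(data) + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: data directories start at optional header + 96
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at optional header + 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", data, dirs - 4)
    import_size = 0
    if num_dirs > 1:          # index 1 is IMAGE_DIRECTORY_ENTRY_IMPORT
        _, import_size = struct.unpack_from("<II", data, dirs + 8)
    result = {
        "coff_timestamp": time.strftime("%Y-%m-%d", time.gmtime(timestamp)),
        "future_timestamp": timestamp > now,
        "empty_import_table": import_size == 0,
        "multiple_pe_headers": data.count(PE_SIG) > 1,
    }
    result["suspicious"] = any(
        result[k] for k in ("future_timestamp", "empty_import_table", "multiple_pe_headers"))
    return result


def build_sample_pe(timestamp: int, import_size: int = 0, extra_pe_sig: bool = False) -> bytes:
    """Constructed headers-only PE32 image for offline testing (not a real sample)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\x00") + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8, 0x2000 if import_size else 0, import_size)
    image = dos + PE_SIG + coff + opt + bytes(dirs)
    if extra_pe_sig:
        image += b"\x00" * 16 + PE_SIG   # a second PE signature buried in the file
    return image


# The IOC section cites a COFF timestamp of 2085-09-21; the sample mirrors it.
FUTURE_TS = calendar.timegm((2085, 9, 21, 0, 0, 0))
SUSPECT = triage_pe(build_sample_pe(FUTURE_TS, import_size=0, extra_pe_sig=True))
BENIGN = triage_pe(build_sample_pe(calendar.timegm((2020, 1, 1, 0, 0, 0)), import_size=0x100))

if __name__ == "__main__":
    print("suspect:", SUSPECT)
    print("benign: ", BENIGN)
```

A future timestamp alone is weak evidence (build systems and packers can set arbitrary values), and a .NET assembly legitimately imports little beyond `mscoree.dll`, so treat the combination of artifacts, not any single one, as the trigger for deeper analysis.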

Indicators of Compromise

  • [Domain] suspected C2 domains observed in DNS queries – negmari[.]com, ramiort[.]com, strongdwn[.]com
  • [Code signing certificate] signing authorities used by samples – Long Sound LTD, VAST LAKE LTD
  • [File path] common execution locations observed – Temporary directory (%TEMP%), Downloads folder
  • [Process name] unusual child processes spawned after execution – WerFault.exe, rundll32.exe (rundll32 invoked with SHCreateLocalServerRunDll)
  • [Registry key] registry activity consistent with staging/persistence – Explorer\SessionInfo, Internet Settings\Cache
  • [PE metadata] sample artifacts indicating obfuscation – future COFF timestamp (e.g., 2085-09-21), empty import tables
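
The indicators above turned into hunting rules over endpoint and DNS telemetry, as an added example that is not CIS's own detection content. The events are constructed inline rather than taken from the incidents; the placeholder binary name `converter.exe`, the all-zero CLSID, the full registry key path and the event field names are assumptions of this example. The rules encode the context the bullets give rather than the bare strings: a child rundll32.exe or WerFault.exe only counts when its parent ran from %TEMP% or Downloads, SHCreateLocalServerRunDll in a rundll32 command line counts on its own, and writes to the two registry keys count only when the writing process runs from a staging directory, because normal Explorer activity touches those keys as well.

```python
"""Hunting rules for the host and DNS indicators listed above, run over
constructed telemetry. Added example; not CIS detection content."""

# Defanged as on the page; normalised for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("negmari[.]com", "ramiort[.]com", "strongdwn[.]com")}
# Execution locations the page reports; the key fragments below are assumed
# to sit under HKCU\Software\Microsoft\Windows\CurrentVersion (this example's assumption).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")
REGISTRY_KEYS = ("\\explorer\\sessioninfo", "\\internet settings\\cache")
SUSPICIOUS_CHILDREN = ("rundll32.exe", "werfault.exe")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_staging_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in STAGING_DIRS)


def classify(event: dict) -> list:
    """Return the rule names an event triggers (empty list if none)."""
    hits = []
    if event["type"] == "dns":
        q = event["query"].lower().rstrip(".")
        if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
            hits.append("dns_suspected_c2")
    elif event["type"] == "process":
        child = _basename(event["image"])
        if _in_staging_dir(event["parent_image"]) and child in SUSPICIOUS_CHILDREN:
            hits.append("staging_dir_parent_spawns_" + child.split(".")[0])
        if child == "rundll32.exe" and "shcreatelocalserverrundll" in event["command_line"].lower():
            hits.append("rundll32_com_local_server")
    elif event["type"] == "registry":
        # These keys are written by plenty of legitimate software, so only a
        # writer running from a staging directory is flagged.
        key = event["key"].lower()
        if _in_staging_dir(event["image"]) and any(k in key for k in REGISTRY_KEYS):
            hits.append("staging_dir_process_registry_write")
    return hits


def triage(events: list) -> list:
    """(event index, rule) pairs for every hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample telemetry. 'converter.exe' and the CLSID are placeholders.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent_image": "C:\\Users\\alice\\Downloads\\converter.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,SHCreateLocalServerRunDll "
                     "{00000000-0000-0000-0000-000000000000}"},
    {"type": "process",
     "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\converter.exe",
     "image": "C:\\Windows\\System32\\WerFault.exe",
     "command_line": "WerFault.exe -u -p 4242 -s 1020"},
    {"type": "registry",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\converter.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo"},
    {"type": "dns", "query": "ramiort.com."},
    {"type": "process",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe"},
    {"type": "dns", "query": "www.example.com"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(idx, rule)
```

WerFault.exe spawned by a user-writable binary usually means the loader crashed or was deliberately exercising error reporting, so it is a useful secondary signal rather than a detection on its own; the rundll32 COM local-server rule and the DNS rule are the ones worth alerting on directly.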


Read more: https://www.cisecurity.org/insights/blog/malicious-crystal-pdf-converter-detected-on-sltt-networks