Analysis links OneStart, AppSuite, and ManualFinder to the same actor and shared server infrastructure by showing that replacing the domain in one family's network requests with a domain from another family still produces valid server responses. The actor(s) used evolving installers and lures (e.g., FreeManuals, PrintRecipe, games, “AI”) and reused CloudFront-backed random-looking domains; older installers drop node.exe to execute JavaScript from %temp% or run PowerShell scripts from %temp%. #OneStart #AppSuite
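The domain-substitution check that underpins the attribution above, written out as an added example (this is not G DATA's tooling or code from the write-up). It rewrites only the host of a family's request, classifies the reply, and reports which hosts answer every family's request. The `fetcher` stub, the canned response bodies, the `ei=constructed` query value and the `example.com` control are all assumptions made so the logic runs offline; a real run would swap in an HTTPS client and be done from an isolated analysis VM.

```python
"""Cross-family domain substitution probe.

Added example, not tooling from the G DATA write-up. The attribution method it
reproduces: take a request one sample family sends to its own server, swap only
the host for one observed with another family, and check whether the answer is
still well-formed. Networking sits behind a `fetcher` callable so the logic can
be exercised offline; everything in CANNED below is constructed for illustration.
"""
import json
from urllib.parse import urlsplit, urlunsplit


def refang(ioc):
    """Turn a defanged indicator such as '7df4va[.]com' back into a usable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def swap_host(url, new_host):
    """Replace only the host of `url`; scheme, path, query and fragment are kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, new_host, p.path, p.query, p.fragment))


def looks_valid(status, body):
    """Heuristic for a 'real' backend answer: HTTP 200 with JSON or a non-HTML text body.

    A CDN default page or a hosting provider's 404 is HTML, so it is rejected even when
    the status is 200. Tune this to whatever the sample actually parses.
    """
    if status != 200 or not body.strip():
        return False
    try:
        json.loads(body)
        return True
    except ValueError:
        return b"<html" not in body.lower()


def probe_matrix(request_templates, hosts, fetcher):
    """For every (family, host) pair rewrite the host and record whether the reply is valid."""
    matrix = {}
    for family, url in request_templates.items():
        for host in hosts:
            status, body = fetcher(swap_host(url, host))
            matrix[(family, host)] = looks_valid(status, body)
    return matrix


def shared_infrastructure(matrix, hosts):
    """Hosts that answer every family's request validly: evidence of one shared backend."""
    families = {family for family, _ in matrix}
    return sorted(h for h in hosts if all(matrix[(f, h)] for f in families))


# Request shapes from the write-up; the 'ei' value is constructed, the real one is per-install.
REQUESTS = {
    "ManualFinder": "https://" + refang("7df4va[.]com") + "/r1?ei=constructed",
    "OneStart": "https://" + refang("onestartapi[.]com") + "/api/bb/updates.txt",
}
HOSTS = [refang(h) for h in ("7df4va[.]com", "mka3e8[.]com", "onestartapi[.]com")]
HOSTS.append("example.com")  # control: unrelated host that should not answer validly

# Constructed stand-in for the network. In real use, replace with an HTTPS client run from
# an isolated analysis VM; these bodies are invented to show the shape of the result only.
CANNED = {
    refang("7df4va[.]com"): (200, b'{"ok":true,"cmd":"noop"}'),
    refang("mka3e8[.]com"): (200, b'{"ok":true}'),
    refang("onestartapi[.]com"): (200, b"version=4.5.224.8\n"),
    "example.com": (200, b"<html><body>Example Domain</body></html>"),
}


def fake_fetcher(url):
    """Offline fetcher: look the host up in CANNED, otherwise behave like a 404 page."""
    return CANNED.get(urlsplit(url).hostname, (404, b"<html>Not Found</html>"))


def run_probe():
    """Build the full matrix and the list of hosts shared across families."""
    matrix = probe_matrix(REQUESTS, HOSTS, fake_fetcher)
    return matrix, shared_infrastructure(matrix, HOSTS)


if __name__ == "__main__":
    matrix, shared = run_probe()
    for (family, host), ok in sorted(matrix.items()):
        print(f"{family:<13} -> {host:<18} {'valid' if ok else 'no'}")
    print("hosts answering every family:", shared)
```

The control host matters: a CDN front that returns 200 with an HTML placeholder for any hostname would otherwise look like a "valid" answer, so the validity check must be tied to the format the sample itself expects (JSON for the `/r1` beacon, a text config for `updates.txt`), not to the status code alone.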
Keypoints
- OneStart installs a Chromium-derived browser under %appdata%\OneStart.ai; its customized Chromium update check contacts onestartapi[.]com (https://onestartapi[.]com/api/bb/updates.txt), and the same domain serves the update config file for the Advanced Installer package.
- OneStart browser extensions include one (memhbiihnoblfombkckdfmemihcnlihc) that tracked booking.com and earlier versions silently installed a “Capital one shopping” extension and tracked youtube.com.
- Older OneStart installers run PowerShell scripts containing random domain names and valid product IDs; those domains match patterns seen in ManualFinder incidents (e.g., 7df4va[.]com, mka3e8[.]com).
- Replacing AppSuite and ManualFinder domains with OneStart domains in otherwise unchanged requests still produced valid server responses, establishing that AppSuite, OneStart, and ManualFinder share backend infrastructure and, by extension, an operator.
- Some older installers deployed node.exe to run JavaScript from %temp% and installed components like SecureBrowser/LaunchBrowser, DesktopBar (DBar), and BrowserAssistant.
- Infrastructure uses many random-looking domains of the same length that are aliases for CloudFront-hosted resources; the actor's campaign lures evolved over years (games, manuals, print recipes, “AI”).
- Multiple signed installers and sample hashes are provided, showing long-lived activity and reuse of server infrastructure for distribution and updates.
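Two hunting checks for the behaviours listed in the keypoints, added here as an example with constructed sample telemetry (not detections or data from the G DATA write-up): an interpreter (node.exe or PowerShell) launched on a script stored under %temp%, and DNS answers where a short letters-and-digits .com label is a CNAME to cloudfront.net. Every path, file name, user name, IP and CloudFront distribution name below is invented; the length window and the mixed-character rule are tuning assumptions, not values from the page.

```python
"""Hunting logic for the installer behaviour described in the keypoints.

Added example with constructed sample events, not detections or data from the
G DATA write-up. Two checks:
  1. node.exe / PowerShell launched with a script that lives under %temp%
  2. DNS answers where a short letters-and-digits .com label is a CNAME to cloudfront.net
"""
import re

# Constructed process-creation events (Sysmon event 1 shape, trimmed to the fields used).
PROC_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\node.exe" C:\Users\alice\AppData\Local\Temp\ab12.js'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\x1.ps1"},
    {"Image": r"C:\Program Files\nodejs\node.exe",  # benign developer use, must not fire
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},
]

# Constructed resolver log lines: "<qname> <rrtype> <rdata>".
DNS_LINES = [
    "7df4va.com CNAME d1aaaaaaaaaa.cloudfront.net",
    "mka3e8.com CNAME d2bbbbbbbbbb.cloudfront.net",
    "onestartapi.com A 203.0.113.10",
    "github.com A 140.82.121.4",
    "assets.cdn.example.net CNAME d3cccccccccc.cloudfront.net",
]

SCRIPT_HOSTS = {"node.exe", "powershell.exe", "pwsh.exe"}
# A .js or .ps1 path somewhere under <profile>\AppData\Local\Temp, i.e. %temp% for a user.
TEMP_SCRIPT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.(?:js|ps1)\b', re.IGNORECASE)


def flag_scripts_from_temp(events):
    """Return (image, script path) for interpreters started on a script stored in %temp%."""
    hits = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        m = TEMP_SCRIPT_RE.search(ev["CommandLine"])
        if image in SCRIPT_HOSTS and m:
            hits.append((image, m.group(0)))
    return hits


def flag_random_cloudfront_aliases(lines, min_len=5, max_len=8):
    """Return .com names whose single label is short, mixes letters and digits, and
    CNAMEs to cloudfront.net.

    Legitimate CDN customers usually sit behind readable names (assets.cdn...), so the
    mixed-character requirement is the main false-positive filter; adjust the length
    window to what your own telemetry shows.
    """
    hits = []
    for line in lines:
        qname, rrtype, rdata = line.split()
        if rrtype != "CNAME" or not rdata.endswith(".cloudfront.net"):
            continue
        label, _, tld = qname.rpartition(".")
        if tld != "com" or "." in label or not (min_len <= len(label) <= max_len):
            continue
        if not (re.search(r"[a-z]", label) and re.search(r"[0-9]", label)):
            continue
        hits.append(qname)
    return hits


if __name__ == "__main__":
    for image, path in flag_scripts_from_temp(PROC_EVENTS):
        print(f"[proc] {image} executing {path}")
    for name in flag_random_cloudfront_aliases(DNS_LINES):
        print(f"[dns]  {name} is a short random-looking CloudFront alias")
```

The process check keys on the script location rather than on node.exe alone, because Node is common on developer machines; the DNS check is a pattern filter and will need the CNAME answer (not just the query) in your resolver logs, otherwise it cannot tell a CloudFront alias from any other six-character domain.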
MITRE Techniques
- [T1204] User Execution – Installer packages (MSI) and lure content (FreeManuals, PrintRecipe, games) were used to get users to run installers that deploy malicious components. Quote: ‘Installs and use node.exe to run JavaScript.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts run after installation to perform further actions and fetch payloads. Quote: ‘a few PowerShell scripts were run.’
- [T1059.007] JavaScript – node.exe was used to run JavaScript from %temp% to contact hardcoded domains and execute malicious logic. Quote: ‘node.exe has been used to run a JavaScript file from the %temp% directory.’
- [T1105] Ingress Tool Transfer – Components and updates were retrieved from attacker-controlled URLs and CloudFront aliases (onestartapi[.]com and random cloudfront domains). Quote: ‘onestartapi[.]com/api/bb/updates.txt’ and ‘random domain names of same length which are aliases to CloudFront hosted resources.’
- [T1071.001] Application Layer Protocol: Web Protocols – HTTPS requests to attacker domains were used for configuration and command retrieval (e.g., https://7df4va[.]com/r1?…). Quote: ‘the script tries to contact https://7df4va[.]com/r1?ei=… and the server responds.’
- [T1195] Supply Chain Compromise – Customized Chromium update checks and Advanced Installer config files were used to deliver or configure extensions and updates. Note that the update channel belongs to the actor's own product rather than to a compromised third party, so this is a loose mapping; the behaviour is closer to a malicious updater than to a true supply-chain compromise. Quote: ‘customized Chromium update to check https://onestartapi[.]com/api/bb/updates.txt’ and ‘update config file for “Advanced Installer”.’
Indicators of Compromise
- [File Hash] OneStart installers and samples – 44ad9111f14c83be400bba303df5dc54ab699bb4f6e8144d052ac19812cd4fac (OneStart Installer), 1ff8268fa64c8f55eb750c4433c1e9e47dc7359b7fcc653215423ed3fe5d8b4d (OneStartInstaller-v4.5.224.8.msi)
- [File Hash] DLLs and scripts – 77e4dab34cb6c2169c47463b4ed81efe61185446c304b392dd9b0cbe2b31c67c (onestart.dll), 7ad613dee75da11ef9b7a92823bda3e290491e245956f5a192a3207a5f11d9a0 (PowerShell script run from %temp%)
- [File Hash] Older adware/game samples – be50abcaa65744e1d62ed858911a8ed665a4743a1f1e6db515cbd661052bd3f9 (installer for SecureBrowser/DesktopBar/BrowserAssistant), 6b6fc62a294d5ef1c619d623f1cf6d735d9f191df9ef5c745b0881b1e01b8565 (GameOffer.exe)
- [Domain] Command and update infrastructure – 7df4va[.]com, mka3e8[.]com, onestartapi[.]com (used for updates and for responding to the malicious JavaScript)
- [Signer] Signed installers – OneStart Technologies LLC, Interlink Media Inc., Blaze Media Inc., Realistic Media Inc., Digital Promotions Sdn. Bhd. (used as publisher names on installers)
Read more: https://www.gdatasoftware.com/blog/2025/09/38262-appsuite-onestart-deception