AppSuite PDF Editor Backdoor: A Detailed Technical Analysis

AppSuite PDF Editor is a trojanized Electron-based PDF editor that contains a full-featured backdoor capable of persistence, scheduled-task creation, browser data exfiltration, and remote command execution. The campaign is distributed through high-ranking websites as a Microsoft Installer (MSI) package; the MSI downloads the malicious app from vault.appsuites.ai. #AppSuite #OneStart

Keypoints

  • AppSuite PDF Editor installer (MSI) downloads an Electron app from vault.appsuites.ai and installs it under user-local paths, then launches it with the backdoor's --install routine.
  • The main backdoor logic resides in pdfeditor.js (obfuscated) and uses a native UtilityAddon.node DLL for functions like SID retrieval, scheduled-task creation, and process listing.
  • The backdoor registers with C2 endpoints (appsuites.ai / sdk.appsuites.ai / on.appsuites.ai), obtains an installation ID (iid), and creates scheduled tasks and a RUN key for persistence.
  • Command-line switches (--install, --ping, --check, --reboot, --cleanup, etc.) map to backdoor routines enabling configuration polling, encrypted ActionRequests, file/registry/process actions, and remote-driven arbitrary commands via server-supplied templates.
  • Browser-targeting handlers can read and modify Chromium-based profile files and OneLaunch/Wave/Shift application data to extract keys and exfiltrate or manipulate browser credentials and settings.
  • The backdoor uses AES-based encryption schemes derived from iid and a hardcoded e-key for secure communication and an event-logging mechanism that posts encrypted logs to the C2.
  • Removal via the provided uninstaller may be incomplete; if the backdoor contacted C2 and scheduled tasks executed, full remediation requires repaving the system.

MITRE Techniques

  • [T1071] Application Layer Protocol – Backdoor communicates with C2 over HTTPS to endpoints like https://on.appsuites.ai/ping and https://sdk.appsuites.ai/api/s3/options to receive commands and configurations. Quote: "…sends this data blob together with the 'iid' as parameter via POST to hxxps://on.appsuites(dot)ai/ping…"
  • [T1105] Ingress Tool Transfer – The MSI installer downloads the PDF editor executable from vault.appsuites.ai into %USERPROFILE%\PDF Editor. Quote: "…the installer immediately downloads the PDF editor program from vault[.]appsuites[.]ai to the '%USERPROFILE%\PDF Editor' directory…"
  • [T1053] Scheduled Task/Job – Creates scheduled tasks PDFEditorScheduledTask and PDFEditorUScheduledTask to run recurring backdoor routines (--partialupdate, --backupupdate). Quote: "…triggers scheduled task creation for two tasks: PDFEditorScheduledTask … PDFEditorUScheduledTask …"
  • [T1543] Create or Modify System Process – Adds the RUN key PDFEditorUpdater and other autoruns to persist execution with --cm=--fullupdate. Quote: "…Adds the RUN key PDFEditorUpdater with --cm=--fullupdate commandline switch…"
  • [T1106] Native API – Uses a native DLL UtilityAddon.node to call functions like get_sid(), mutate_task_schedule and GetPsList for system-level operations. Quote: "…obtains it via the UtilityAddon.node[3] DLL function get_sid()…"
  • [T1027] Obfuscated Files or Information – Main JavaScript code is obfuscated with Obfuscator.io and custom string obfuscation. Quote: "…contains JavaScript code that is obfuscated with Obfuscator.io and additionally features custom string obfuscation routines."
  • [T1486] Data Encrypted for Impact (communication confidentiality) – Uses AES-128-CBC / AES-256-CBC to encrypt ActionRequest and event/log data, with keys derived from iid and e-key. Quote: "…encrypts this ActionRequest object with AES-128-CBC… The bootstrap function uses a hardcoded, XOR obfuscated 'e-key' value … to derive an AES-256-CBC encryption key."
  • [T1005] Data from Local System – Handlers read browser profiles, prefs, os_crypt.encrypted_key and application data (OneLaunch/Wave/Shift) to extract keys and settings. Quote: "…read settings files of the applications OneLaunch, Wave Browser and Shift Browser and extract keys from them."
  • [T1102] Web Service – Uses web-based command templates and configurations served by C2 (options/config endpoints) to perform arbitrary actions through system utilities (cmd.exe, reg.exe). Quote: "…server supplies flags and strings … command templates are used … to be executed with, e.g., cmd.exe or reg.exe."
  • [T1078] Valid Accounts (implicit) – Backdoor stores and uses extracted browser and application keys (c-key, wv-key, ol-key, pas-key) that enable access to account data. Quote: "…extract keys from them. Those keys are saved as ol-key, sf-key and wv-key in the LOG1 file."

Indicators of Compromise

  • [File hash] MSI installer and payload – fde67ba523b2c1e517d679ad4eaf87925c6bbf2f171b9212462dc9a855faa34b (MSI), da3c6ec20a006ec4b289a90488f824f0f72098a2f5c2d3f37d7a2d4a83b344a0 (PDFEditorSetup.exe)
  • [File hash] Core backdoor files – b3ef2e11c855f4812e64230632f125db5e7da1df3e9e34fdb2f088ebe5e16603 (pdfeditor.js), 6022fd372dca7d6d366d9df894e8313b7f0bd821035dd9fa7c860b14e8c414f2 (UtilityAddon.node)
  • [File paths] Install locations and persistence – %LOCALAPPDATA%\Programs\PDF Editor, %USERPROFILE%\PDF Editor; RUN key PDFEditorUpdater and scheduled tasks like PDFEditorScheduledTask
  • [Domains/URLs] C2 and download endpoints – vault.appsuites.ai (download), appsuites.ai, sdk.appsuites.ai, on.appsuites.ai, log.appsuites.ai
  • [Filenames] Key program files – pdfeditor.js (main backdoor), UtilityAddon.node (native helper), PDF Editor.exe (launcher), Uninstall PDF Editor.exe (uninstaller)
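As an added example (not code from the G DATA write-up), the following Python hunt applies the indicators listed above to a handful of constructed log lines of the kind a SIEM would hold: DNS and proxy records for the appsuites.ai hosts, SHA256 hashes from file-creation events, scheduled-task and RUN-key registry events, and PDF Editor.exe process command lines carrying the backdoor switches. The log format and field names are assumptions for the sample, not a specific product's schema.

```python
import re

# Indicators taken from the summary above; the log lines further down are constructed samples.
C2_DOMAIN_RE = re.compile(r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*appsuites\.ai(?![a-z0-9-])", re.I)
FILE_HASHES = {
    "fde67ba523b2c1e517d679ad4eaf87925c6bbf2f171b9212462dc9a855faa34b",  # MSI
    "da3c6ec20a006ec4b289a90488f824f0f72098a2f5c2d3f37d7a2d4a83b344a0",  # PDFEditorSetup.exe
    "b3ef2e11c855f4812e64230632f125db5e7da1df3e9e34fdb2f088ebe5e16603",  # pdfeditor.js
    "6022fd372dca7d6d366d9df894e8313b7f0bd821035dd9fa7c860b14e8c414f2",  # UtilityAddon.node
}
TASK_NAMES = ("PDFEditorScheduledTask", "PDFEditorUScheduledTask")
RUN_KEY_VALUE = "PDFEditorUpdater"
SWITCHES = ("--install", "--ping", "--check", "--reboot", "--cleanup",
            "--partialupdate", "--backupupdate", "--cm=--fullupdate")


def find_appsuite_indicators(lines):
    """Return (line_no, category, indicator) tuples for every indicator hit in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for m in C2_DOMAIN_RE.finditer(line):            # any appsuites.ai host (download or C2)
            hits.append((n, "c2", m.group(0).lower()))
        for h in FILE_HASHES:                             # known-bad SHA256 values
            if h in low:
                hits.append((n, "hash", h))
        for t in TASK_NAMES:                              # task creation / task run events
            if t.lower() in low:
                hits.append((n, "persistence", t))
        if "\\run" in low and RUN_KEY_VALUE.lower() in low:   # HKCU\...\Run\PDFEditorUpdater
            hits.append((n, "persistence", RUN_KEY_VALUE))
        if "pdf editor" in low:                           # switches only count on the PDF Editor binary
            for s in SWITCHES:
                if s in low:
                    hits.append((n, "switch", s))
    return hits


# Constructed sample telemetry (hypothetical host 10.0.0.5, user "alice"); one benign DNS line at the end.
SAMPLE_LOG = r"""2025-08-20T10:01:02Z dns client=10.0.0.5 query=vault.appsuites.ai type=A
2025-08-20T10:01:05Z file created=C:\Users\alice\PDF Editor\PDFEditorSetup.exe sha256=da3c6ec20a006ec4b289a90488f824f0f72098a2f5c2d3f37d7a2d4a83b344a0
2025-08-20T10:01:09Z proc cmdline="C:\Users\alice\AppData\Local\Programs\PDF Editor\PDF Editor.exe" --install
2025-08-20T10:01:10Z task event=4698 name=\PDFEditorScheduledTask author=alice
2025-08-20T10:01:11Z reg op=SetValue path=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PDFEditorUpdater
2025-08-20T10:02:00Z proxy client=10.0.0.5 host=on.appsuites.ai path=/ping method=POST
2025-08-20T10:03:00Z dns client=10.0.0.7 query=www.example.com type=A""".splitlines()

if __name__ == "__main__":
    for hit in find_appsuite_indicators(SAMPLE_LOG):
        print("line %d [%s] %s" % hit)
```

Any "switch" hit on a host is worth treating as a sign that the --install routine ran, which per the summary above means C2 contact and scheduled tasks may already have followed.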

Read more: https://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis