NCSC Warns of Fake Tools Used to Spread Malware Globally

The Dutch National Cyber Security Centre (NCSC) has issued a warning about a global campaign in which criminals disguise malware as everyday tools – things like PDF editors, manual finders, or similar free software.

How the Scam Works

Attackers are buying ads online to promote these tools, tricking users into downloading them. Once installed, the software secretly infects the system. One of the main tactics is turning the victim’s machine into what’s known as a residential proxy.

In simple terms, this means cybercriminals can route their traffic through an infected computer, making it look like malicious actions are being carried out by the victim. This not only hides their real identity but also makes it far harder for security teams and law enforcement to trace the activity.

What Happens After Malware Infection

Once the malware is installed, it runs a JavaScript file that talks to multiple command-and-control (C2) servers. This allows attackers to control the compromised system remotely.

Researchers have also spotted the malware interacting with data in the browser, although the full extent of this is still being investigated.

The OneStart Browser Link

The NCSC has also highlighted a possible link to the OneStart Browser – a piece of software that often comes bundled with other downloads. Many antivirus tools flag it as a Potentially Unwanted Application (PUA) because of its association with spyware and adware.

It’s not clear how many devices have been infected so far, but because the malware was distributed through ads and easy installs, the NCSC suspects there could be a large number of victims.

Although the malicious ad campaign seems to have slowed down, the threat isn’t over. Infected devices remain compromised until they are cleaned.

What You Should Do

The NCSC recommends:

  • Blocking domains used by attackers

  • Checking corporate networks for indicators of compromise (IoCs)

  • Being cautious when downloading software – especially free PDF tools, manual finders, or browsers that don’t come from trusted sources

We hope you’ve liked this blog. Stay tuned for more blogs like this. Stay safe!

© Copyright Solutions 4 IT Ltd 2025. All Rights Reserved.