
🕵️‍♂️ Malware Analysis: The Fake PDF Editor That Opens a Hidden Backdoor

  • Writer: bharat kumar
  • Oct 18
  • 3 min read


In recent weeks, cybersecurity teams have uncovered a clever and dangerous malware campaign hiding behind what looks like a harmless “free PDF editor.” The application, once downloaded, silently installs extra software components and creates a secret backdoor that allows attackers to steal data and maintain remote access. Let’s break down how this attack works, what happens behind the scenes, and how to remove it safely.

🚨 The Trap: A Fake Utility That Looks Real

The infection begins when a user searches online for a free PDF editor and clicks on what appears to be a legitimate download link. Instead of a real editor, they get a trojanized installer — a malicious version of the software disguised with a normal interface and even a license agreement to look genuine.

When the app runs, it installs like any regular program, creating folders in the user’s system and placing icons that make it seem trustworthy. But in the background, it begins building persistence and downloading extra components.

⚙️ Behind the Scenes: What It Installs

Once launched, the malware sets itself up to start automatically every time the computer boots. It does this by adding entries to the Windows “Run” registry keys or creating hidden scheduled tasks.

Then it installs additional folders and libraries that look like legitimate software — often named Java, NodeJS, or Firefox — inside system directories such as:

  • C:\Users\<User>\AppData\Local\

  • C:\Users\<User>\AppData\Roaming\

  • C:\ProgramData\

These folders contain the files needed for the malicious backdoor to operate. The fake PDF editor actually runs on Node.js and Electron, technologies often used for desktop apps — which makes it easier for attackers to hide malicious scripts inside harmless-looking code.

🧠 What the Malware Actually Does

After installation, the fake PDF editor waits quietly, pretending to be normal. Weeks later, it activates its true purpose — stealing information and opening a communication channel with its operator.

It can:

  • Collect saved browser passwords, cookies, and tokens.

  • Read sensitive files or cached data from browsers.

  • Terminate running browsers to unlock encrypted databases.

  • Act as a proxy for remote commands, turning the infected machine into a stepping stone for more attacks.

Because it doesn’t require admin rights, even a normal user can get infected — making it very effective in bypassing corporate restrictions.

🧹 How to Remove the Malware

If you’ve installed a suspicious “PDF editor” recently or noticed strange folders appearing, follow these cleanup steps carefully:

1. Disconnect from the Internet

Unplug the network cable or turn off Wi-Fi to stop data from being sent out.

2. Stop the Process

Open Task Manager and end any process named PDF Editor.exe or similar that’s running from unusual locations like AppData or ProgramData.

3. Delete Persistence Entries and Scheduled Tasks

Open Registry Editor (regedit) and check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Remove any entry that points to suspicious executables or Node.js scripts.

4. Delete Malicious Files and Folders

Manually delete the following (if they exist):

  • %AppData%\Local\PDFEditor

  • %AppData%\Roaming\PDFEditor

  • %ProgramData%\PDFEditor

  • Any folders named Java, Nodejs, or Firefox that appeared recently without your knowledge.

Also, delete the installer file from your Downloads folder.

5. Uninstall Extra Runtimes

Check “Programs and Features” in Control Panel for unexpected installs of Node.js, Java, or Firefox Portable — and remove them.

6. Clear Browser Data and Change Passwords

Since the malware targets browser credentials:

  • Clear saved passwords, cookies, and sessions.

  • Change passwords for all accounts you’ve logged into.

  • Re-enable two-factor authentication wherever possible.

7. Run a Full Security Scan

Use a trusted antivirus or endpoint protection tool to scan the system and remove any leftover threats. If infection signs remain, a full OS reinstall is the safest option.
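The removal steps 2 to 5 above, together with the Run-key and scheduled-task persistence described under "Behind the Scenes" and the startup-entry monitoring advice that follows, can be driven from one PowerShell triage script. The script below is an added example, not code from the post or from any vendor. It assumes the folder names the post gives (PDFEditor, Java, NodeJS, Firefox) and reads the post's `%AppData%\Local`, `%AppData%\Roaming` and `%ProgramData%` as `$env:LOCALAPPDATA`, `$env:APPDATA` and `$env:ProgramData`; the Node/Electron/.js command-line indicators, the 30-day "appeared recently" threshold and the output format are my own choices. It only reports unless `-Remove` is passed, and legitimate per-user applications that live in AppData will also show up, so every finding needs a human look before removal.

```powershell
<#
  Added triage script for the fake "PDF Editor" campaign described in the post.
  Report-only by default; -Remove acts on the findings and honours -WhatIf.
  Assumed: folder/process names from the post; indicators and threshold are mine.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,        # stop/unregister/delete what was found (default: report only)
    [int]$RecentDays = 30   # how new a Java/NodeJS/Firefox folder must be to count as "recent"
)

$roots        = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData)   # the three dirs the post names
$suspectNames = @('PDFEditor', 'Java', 'NodeJS', 'Firefox')
$findings     = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Name, $Detail, $Target) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail; Target = $Target })
}

# A command line is suspicious if it runs out of a user-writable install dir or
# references the Node/Electron runtime the post says the backdoor is built on.
function Test-SuspiciousCommand([string]$cmd) {
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $false }
    $c = $cmd.ToLowerInvariant()
    return ($c -match 'appdata|programdata') -or ($c -match '\bnode(\.exe)?\b|electron|\.js\b|pdfeditor')
}

# Step 2: processes running from AppData/ProgramData (Path is $null for protected processes)
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $p = $proc.Path
    if ($p -and ($roots | Where-Object { $p -like "$_\*" })) {
        Add-Finding 'Process' "$($proc.ProcessName) (PID $($proc.Id))" $p $proc
    }
}

# Step 3a: Run / RunOnce autostart entries in HKCU and HKLM
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PSPath/PSProvider metadata
        if (Test-SuspiciousCommand ([string]$prop.Value)) {
            Add-Finding 'RunKey' "$key\$($prop.Name)" $prop.Value @{ Key = $key; Name = $prop.Name }
        }
    }
}

# Step 3b: scheduled tasks whose action runs a suspicious command; hidden tasks are marked
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-SuspiciousCommand $cmd) {
            if ($task.Settings.Hidden) { $cmd += ' [hidden]' }
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd $task
            break
        }
    }
}

# Step 4: PDFEditor folders always; Java/NodeJS/Firefox folders only if created recently
$cutoff = (Get-Date).AddDays(-$RecentDays)
foreach ($root in $roots) {
    foreach ($name in $suspectNames) {
        $dir = Join-Path $root $name
        if (-not (Test-Path $dir)) { continue }
        $item = Get-Item $dir
        if ($name -eq 'PDFEditor' -or $item.CreationTime -gt $cutoff) {
            Add-Finding 'Folder' $dir "created $($item.CreationTime)" $item
        }
    }
}

# Step 5: unexpected Node.js / Java / Firefox Portable entries in Programs and Features
$uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'node\.?js|java|firefox portable' } |
    ForEach-Object { Add-Finding 'InstalledProgram' $_.DisplayName $_.InstallLocation $null }

# Act only with -Remove; processes are listed first so they are stopped before folders go.
if ($Remove) {
    foreach ($f in $findings) {
        if (-not $PSCmdlet.ShouldProcess($f.Name, "remove $($f.Type)")) { continue }
        switch ($f.Type) {
            'Process'       { Stop-Process -Id $f.Target.Id -Force -ErrorAction Continue }
            'RunKey'        { Remove-ItemProperty -Path $f.Target.Key -Name $f.Target.Name }
            'ScheduledTask' { Unregister-ScheduledTask -TaskName $f.Target.TaskName -TaskPath $f.Target.TaskPath -Confirm:$false }
            'Folder'        { Remove-Item -LiteralPath $f.Name -Recurse -Force }
            default         { Write-Warning "Uninstall '$($f.Name)' by hand via Programs and Features" }
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No indicators from the post were found.' }
$findings | Format-Table Type, Name, Detail -AutoSize
```

Run it from an elevated PowerShell after disconnecting the machine (step 1); saved as, say, `Find-FakePdfEditor.ps1` (a name of my choosing), `.\Find-FakePdfEditor.ps1` only reports, `.\Find-FakePdfEditor.ps1 -Remove -WhatIf` previews each action, and `-Remove` alone performs them. Keep the report output: the process paths, task names and Run-key values are the evidence you would hand to whoever does the full scan in step 7.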

🛡️ How to Stay Safe in the Future

  1. Avoid software from ads or unknown websites. Always download tools from verified official sources.

  2. Use an ad blocker to reduce the risk of clicking on fake ads.

  3. Limit software installation rights. Only administrators should install new applications.

  4. Enable application control or whitelisting. Allow only approved programs to run.

  5. Keep browsers and antivirus tools updated. Many threats exploit outdated versions.

  6. Educate users — especially those who often install free software — about the dangers of fake downloads.

  7. Monitor your system for new folders or startup entries you didn’t create.
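Point 4 above (application control, allow only approved programs) is what would have stopped this installer outright, since it runs from the user profile without admin rights. As an added example that is not part of the post, the PowerShell below applies the standard AppLocker executable rules (Program Files and Windows for everyone, everything for local administrators) in audit-only mode, so an Electron app launched from AppData or ProgramData is logged as "would have been blocked" instead of running silently. It assumes an AppLocker-capable Windows edition, an elevated shell and the Application Identity service; the rule names, the generated rule GUIDs and the sample path passed to `Test-AppLockerPolicy` are mine.

```powershell
<#
  Added example, not from the post: AppLocker EXE allow-list in AuditOnly mode,
  then a check of what the policy would have done with a binary under AppData
  and a look at the audit events it has produced so far.
  Assumed: AppLocker-capable edition, elevated shell, AppIDSvc available.
#>
#Requires -RunAsAdministrator

# Each FilePathRule needs a unique Id; generate three fresh GUIDs for them.
$ids = 1..3 | ForEach-Object { [guid]::NewGuid().ToString() }

# The three default AppLocker executable rules, in audit mode so nothing is blocked yet.
# Nothing allows %LOCALAPPDATA%, %APPDATA% or %ProgramData%, so the fake editor is flagged.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$($ids[0])" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[1])" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[2])" Name="Administrators run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# AppLocker does nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# -Merge keeps any rules already on the machine instead of replacing them.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Dry-run: what would the policy decide for a binary in the location the post describes?
# The path is a constructed sample, not an indicator from the post.
$samplePath = Join-Path $env:LOCALAPPDATA 'PDFEditor\PDF Editor.exe'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samplePath -User Everyone

# Event 8003 = allowed to run, but would have been blocked if the policy were enforced.
# Review these for a while; once only the fake editor class of binaries shows up,
# switch EnforcementMode to "Enabled" and re-apply.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Audit mode first matters in practice: per-user installs of legitimate tools also live under AppData, and the 8003 events tell you which of them need their own allow rule (by publisher, preferably) before enforcement is turned on.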

💡 Final Thoughts

This malware campaign is a reminder that not every app with a friendly interface is safe. Attackers are becoming more creative — mixing real software frameworks with hidden malicious code. A single careless download can silently turn your computer into a spy tool or a proxy for cybercriminals.

Be cautious, double-check before you click, and keep your defenses strong.

Created by and owned by cybersergeants.org