AppSuite, OneStart & ManualFinder: The Nexus of Deception

Sept. 16, 2025, 5:14 p.m.

Description

This analysis reveals connections between three seemingly distinct malicious programs: AppSuite, OneStart, and ManualFinder. The investigation uncovers shared server infrastructure and similar installation patterns, indicating that these programs were likely created by the same threat actor. OneStart, initially a browser based on Chromium, evolved from earlier versions that used node.exe to run malicious JavaScript. The actors behind these programs have been active for years, distributing malware disguised as various utilities such as games, recipe finders, and manual finders. The report highlights the adaptability of these threat actors, who easily morph their software to take new forms and evade detection.

Date

  • Created: Sept. 16, 2025, 2:42 p.m.
  • Published: Sept. 16, 2025, 2:42 p.m.
  • Modified: Sept. 16, 2025, 5:14 p.m.

Attack Patterns

  • BrowserAssistant
  • DesktopBar
  • ManualFinder
  • OneStart
  • AppSuite