Reoccurring Use of Highly Suspicious PDF Editors to Infiltrate Environments

Nov. 21, 2025, 10 a.m.

Description

Since November 19, 2025, a surge in alerts involving a file named 'ConvertMate' has been observed. Despite its initially harmless appearance, deeper analysis reveals highly suspicious behavior. The file, downloaded from specific domains, initiates external connections, performs host queries, and creates various artifacts. A PowerShell script is executed that adds a scheduled task which repeats the suspicious behavior every 24 hours. This activity mirrors the tactics of the 'PDFEditor' campaign from two months prior, and both files are signed by the same entity. The similarities strongly suggest that 'ConvertMate' is an initial vector for malicious activity rather than a legitimate PDF converter. Immediate isolation and removal of the software and related artifacts are recommended, along with internal training for end users to recognize and avoid malicious ads and suspicious files.
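The persistence mechanism in the description (a PowerShell script registering a scheduled task that re-runs every 24 hours) can be hunted for on a Windows host without knowing the task's name. The following script is an added example for defenders and is not part of the original advisory; it keys on behavior rather than on indicators, because the page gives no task name, path, domain, hash or signer value. It assumes an elevated PowerShell session on the host being examined.

```powershell
# Added example (not from the original advisory): enumerate scheduled tasks
# that launch PowerShell on a daily / 24-hour cadence, the persistence pattern
# the description attributes to 'ConvertMate'. No task names, paths or signer
# values are known from the page, so the filter is purely behavioral.
# Run in an elevated PowerShell session on the Windows host under review.

$suspicious = foreach ($task in Get-ScheduledTask) {
    # Keep only tasks with an action that executes PowerShell, or that passes
    # PowerShell-style arguments (encoded command, hidden window) to a launcher.
    $psActions = $task.Actions | Where-Object {
        ($_.Execute   -match '(?i)(powershell|pwsh)(\.exe)?$') -or
        ($_.Arguments -match '(?i)powershell|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden')
    }
    if (-not $psActions) { continue }

    # Look for a 24-hour cadence: a daily trigger, or any trigger whose
    # repetition interval is one day (ISO 8601 'P1D' or 'PT24H').
    $daily = $task.Triggers | Where-Object {
        ($_.CimClass.CimClassName -eq 'MSFT_TaskDailyTrigger') -or
        ($_.Repetition -and $_.Repetition.Interval -in @('P1D', 'PT24H'))
    }
    if (-not $daily) { continue }

    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskPath   = $task.TaskPath
        TaskName   = $task.TaskName
        Author     = $task.Author
        Registered = $task.Date          # creation time; compare with the alert window
        Execute    = ($psActions | ForEach-Object { $_.Execute })   -join '; '
        Arguments  = ($psActions | ForEach-Object { $_.Arguments }) -join '; '
        LastRun    = $info.LastRunTime
        NextRun    = $info.NextRunTime
    }
}

# Most recently registered tasks first, so anything created after the
# first download of the converter surfaces at the top of the list.
$suspicious | Sort-Object Registered -Descending | Format-Table -AutoSize
```

Legitimate daily PowerShell tasks (patch management, inventory agents) will also match, so treat the output as a triage list: check the registration time against the first appearance of the converter, inspect the script path or encoded command in the Arguments column, and corroborate with Security event ID 4698 (scheduled task created) on the same host, whose XML carries the full task definition at the moment it was registered.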

Date

  • Created: Nov. 21, 2025, 3:21 a.m.
  • Published: Nov. 21, 2025, 3:21 a.m.
  • Modified: Nov. 21, 2025, 10 a.m.

Attack Patterns

  • PDFEditor
  • ConvertMate