PDFast Freeware Compromise Used to Distribute Malware
Summary:
Threat actors are actively exploiting a free PDF utility, PDFast, to distribute malware via a malicious executable embedded in the installation process. This activity has been independently detected and analyzed by both Todyl’s MXDR team and Lumifi Cyber, with indicators of compromise observed in multiple environments since at least April 9, 2025. Upon installation, PDFast silently drops a malicious file into the AppData\Roaming\PDFast directory. This executable launches via legitimate Windows processes to execute obfuscated PowerShell scripts. These scripts beacon to two China-hosted domains in order to download a secondary payload, pdf.bin, into the system’s Temp folder. If the download fails, an error is relayed back to the command-and-control server, suggesting dynamic attacker control over infrastructure.
Todyl MXDR's investigation found that the PowerShell was triggered through a service linked to PDFast, raising concerns over possible supply chain compromise or intentional inclusion of malicious code in the application. Todyl rapidly pushed global blocks across its EDR and SASE platforms and began reverse engineering the payload, which is likely a loader or dropper. In Prevent mode, Todyl’s EDR automatically blocked the PowerShell execution. Meanwhile, Lumifi observed related detections across multiple security platforms, including SentinelOne, Microsoft Defender for Endpoint, Exabeam, ExtraHop, Windows Defender, and Elastic Defend. Their SOC team has engaged in proactive threat hunting to identify further cases in customer environments.
Security Officer Comments:
Indicators suggest the malware may establish persistence through autorun registry keys or scheduled tasks, and could be used to stage additional payloads, steal credentials, or deploy ransomware depending on attacker objectives.
Key Timeline Updates:
- April 17, 2025 (10:48 AM MT): Windows Defender began blocking PDFast, though attackers continue modifying code to evade detection.
- April 21, 2025 (12:06 PM MT): Certificates used to sign malicious versions of PDFast were revoked.
Suggested Corrections:
Lumifi has published the following mitigations:
- Remove any instances of PDFast from your environment.
- Isolate any endpoints where PDFast.exe or upd.exe has been allowed to execute.
- Search for the presence of:
  - C:\Users\<username>\AppData\Roaming\PDFast\upd.exe
  - Registry key entries for PDFast or upd.exe under 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run', indicating autorun persistence.
- Add the listed file hashes to your EDR solution’s hash blocklist.
- Reset user credentials if compromise is suspected.
- Lumifi will continue to monitor for indicators of compromise associated with the exploit.
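As an added example (not part of Lumifi's or Todyl's published guidance), the following read-only PowerShell hunt checks a host for the two indicators listed above: the upd.exe dropper under each user's AppData\Roaming\PDFast folder, and Run-key autorun entries referencing PDFast or upd.exe. It assumes the default C:\Users profile root and is run from an elevated prompt so that every profile and loaded user hive is readable.

```powershell
# Added hunting script (not from Lumifi or Todyl): checks each local user profile for
# the PDFast dropper path named in the advisory and for autorun Run-key entries
# referencing PDFast or upd.exe. Read-only: it reports, it does not remediate.
# Assumes the default C:\Users profile root; run elevated so all hives are readable.

$findings = @()

# 1. File indicator: C:\Users\<username>\AppData\Roaming\PDFast\upd.exe
$profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $candidate = Join-Path $p.FullName 'AppData\Roaming\PDFast\upd.exe'
    if (Test-Path -LiteralPath $candidate) {
        # Record the hash so it can be compared against the published blocklist.
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type = 'File'; Scope = $p.Name; Location = $candidate; Detail = "SHA256=$hash"
        }
    }
}

# 2. Autorun indicator: Run-key values mentioning PDFast or upd.exe.
#    HKCU covers only the current user, so also walk every loaded user hive under HKU.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty adds to every object.
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $value = [string]$props.$name
        if ($name -match 'PDFast|upd\.exe' -or $value -match 'PDFast|upd\.exe') {
            $findings += [pscustomobject]@{
                Type = 'Autorun'; Scope = $key; Location = $name; Detail = $value
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No PDFast indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
    # Non-zero exit code lets a fleet-wide job (e.g. via RMM) flag hosts for isolation.
    exit 1
}
```

A hit in either section is the cue to isolate the endpoint and reset the affected user's credentials per the mitigations above; the script deliberately leaves removal to the analyst so evidence is preserved.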
Link(s):
https://www.lumificyber.com/threat-library/pdfast-freeware-compromise-used-to-distribute-malware/