Threat Insight

Reoccurring Use of Highly Suspicious PDF Editors to Infiltrate Environments

Since November 19, 2025, Truesec SOC has observed a notable increase in alerts involving a file named “ConvertMate” that initially appears harmless. However, deeper inspection of the EDR telemetry shows that the file exhibits highly suspicious behavior and has significant potential to become malicious.


The activities observed are the following:

— The file is downloaded from conmateapp[.]com or trm[.]conmateapp[.]com (OSINT suggests that these are downloaded through ads, but this has not been confirmed).
— Upon execution, the file initiates connections to external IP addresses.
— The file performs host queries.
— It creates several artifacts: updating_files.zip, native.zip, UpdateRetreiver.exe and conmate_update.ps1.
— The PowerShell script (conmate_update.ps1) is executed immediately upon creation, adding UpdateRetreiver.exe to scheduled tasks set to run every 24 hours.
— When triggered by the scheduled task, UpdateRetreiver.exe repeats the external connection and host query behavior, then connects to one of the following domains (currently known):
confetly[.]com
climatcon[.]com
conmateapp[.]com
chrialletworton[.]com
banifuri[.]com
dcownil[.]com
vo[.]takelecon[.]com

❗UPDATE Nov 24, 2025❗
During the weekend, Truesec SOC observed another suspicious file which seemingly works the same way, as its code looks very similar to the ConvertMate sample mentioned above.
The IOC list under “Detection” has been updated with this new information.

❗UPDATE Nov 25, 2025❗
Added a newly observed UpdateRetreiver.exe SHA256 hash.

❗UPDATE Dec 3, 2025❗
Added a file recently observed in the SOC whose behavior is similar to that of UpdateRetreiver.exe. The IOC list under “Detection” has been updated.

❗UPDATE Dec 8, 2025❗
Updated immediate actions under “Recommended Actions”.
UpdateRetreiver.exe has recently been observed connecting to a new C2 address, which has been added to the IOC lists.

❗UPDATE Dec 11, 2025❗
A new file hash and C2 domain have been added for “PDFClickUpdater.exe”.

❗UPDATE Dec 15, 2025❗
New file hashes and C2 domains have been added for “PDFClickUpdater.exe”.

❗UPDATE Dec 16, 2025❗
A new file hash has been added for “PDFSkills_Updater.exe”.

—–

This activity closely resembles the tactics observed in the “PDFEditor” campaign detailed in this article two months ago. Notably, both files are signed by the same entity, AMARYLLIS SIGNAL LTD [1], which further strengthens the link between the campaigns.

The combination of suspicious activities and the reuse of a known certificate strongly suggests that “ConvertMate” is not a legitimate PDF converter. Instead, it likely serves as an initial vector for malicious activity, similar to the previously documented “PDFEditor” campaign.

IOCs have been added for continuous threat hunting for Truesec SOC customers.
A custom detection rule designed to identify malicious signers is currently being tested.

Recommended Actions

Truesec recommends immediately isolating and re-installing the affected host, and resetting the credentials of all users involved with these suspicious binaries.

Truesec also recommends blocklisting the C2 domains listed in the summary, since they are hardcoded in the software.

Alerted hosts handled by Truesec SOC have been and will continue to be isolated, and customers will be notified via Incident Reports and/or in accordance with the communication channels agreed between Truesec and the customer.

Truesec also recommends conducting internal training and awareness sessions for end users, so they can learn to recognize malicious ads and suspicious files and avoid downloading them. This proactive approach helps reduce the risk of similar incidents in the future.

Detection

Observed files and SHA256 hashes:
conmate_update.ps1: 372d89d7dd45b2120f45705a4aa331dfff813a4be642971422e470eb725c4646
ConvertMate.exe: 08b9f93000512b45f8c2e8d3d6624536b366e67c40fd4b958db58e3a1d129c3d
Convert Mate.exe: d9f9584f4f071be9c5cf418cae91423c51d53ecf9924ed39b42028d1314a2edc
UpdateRetreiver.exe: 09c2af472ab86b62a702e94a39df2bef09205f4249ed871cbeece751c1e7ef4f
UpdateRetreiver.exe: 6bf2cc4e9d9901541214d7efc8bb8bb24ef5bddc238598333c843e421c042c6b (❗Added Nov 25, 2025❗)

Observed download URLs:
conmateapp[.]com
trm[.]conmateapp[.]com

Observed outbound connection URLs:
confetly[.]com
climatcon[.]com
conmateapp[.]com
chrialletworton[.]com
banifuri[.]com
dcownil[.]com
vo[.]takelecon[.]com
rani[.]climatcon[.]com (❗UPDATE Dec 8, 2025❗)

Created registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ConvertMateTask\

❗UPDATE Nov 24, 2025❗
Observed files and SHA256 hashes:
pdfclick.exe: 09474277051fc387a9b43f7f08a9bf4f6817c24768719b21f9f7163d9c5c8f74
PDFClickUpdater.exe: 50651ed57b60d48da11117a170241da8669bf0e6e7ea76d7f2d364db80e16d6f
PDFClickUpdater.exe: bd06d788b4384dd0d8640129746aa4c0826e63f409743f65000929702a417519 (❗Added Dec 11, 2025❗)
PDFClickUpdater.exe: 7c79c2ec34e0f70cc65cb0641e7b47e68bd7412428da8f1e594d208bfe2efae9 (❗Added Dec 11, 2025❗)
PDFClickUpdater.exe: 770084c445caba3a570689148004600f8675bf6d7f0deaa45f50b258f346c1bb (❗Added Dec 15, 2025❗)
PDFClickUpdater.exe: 749e69881eeb60720baf21178af7391cf71445fdeae0b5ca5bba53ca5ac0f787 (❗Added Dec 15, 2025❗)

Observed download URLs:

hxxps://runeton[.]com/clic?fofk=e772a4d1-a5e1-4703-b7d6-69cee02d9ff9&brota=download&_gcl_aw=gcl[.]1763454211[.]eaiaiqobchmi7cui5ql7kamvacg7ah2oaghneaeyasaaegk7ypd_bwe&_gcl_gs=2[.]1[.]k5%24i1763454209%24u103698497&_gcl_au=1[.]1[.]1014831620[.]1763454211&_ga=ga1[.]1[.]1438533753[.]1763454211&lastvisitreport=2025-11-18t08%3a23%3a32[.]005z&_ga_jt8097f7ec=gs2[.]1[.]s1763454211%24o1%24g0%24t1763454212%24j59%24l0%24h1687758781&aid=3146&campaign_id=23248524195&adgroup_id=189550522018&utm_source=google_b2c&placement_id=toppng[.]com&tid=373800&creative_id=783550044942&bg=9213&gad_source=5&gad_campaignid=23248524195&gclid=eaiaiqobchmi7cui5ql7kamvacg7ah2oaghneaeyasaaegk7ypd_bwe

Observed outbound connection URLs:
hamarit[.]com
netarlio[.]com
oblifagi[.]com
pdfclickapp[.]com
orliksin[.]com (❗UPDATE Dec 11, 2025❗)
balgonik[.]com (❗Added Dec 15, 2025❗)
ledirno[.]com (❗Added Dec 15, 2025❗)

Created registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PDC_Update\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{379F7B04-767D-42A0-AF54-CB527DAA2BBE}

❗UPDATE Dec 3, 2025❗
Observed files and SHA256 hashes:
PDFSkillsApp.exe: 9c9cdb1a91444dc9c99df071f2dac4791d20112e0df786da40069a1e76594803
Update.dll: 5ad036c7f0f52bc70187b00bf92c0eb8a2fbbc34a69d4f06e313ac451387b513
Update.exe: c30d514b84fc5966ac118e9ecd0b2ab302c8a839b84e5cb385e88ec8226e958e
update_task_ad.ps1: c7cbc315f533f124fd6ed468f7e333a276a1891cd4c6a5b720058d54e053ec32
PDFSkills_Updater.exe: 186aa2c281ca7bb699ce0b48240b7559a9ac5b0ba260fb78b81ec53249548f62 (❗Added Dec 16, 2025❗)

Observed outbound connection URLs:
pwrtail[.]com
cbn[.]skillcli[.]com

Created registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PDC_Update\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{379F7B04-767D-42A0-AF54-CB527DAA2BBE}
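As an added example (not Truesec's tooling), the Python script below matches EDR-style telemetry records against the indicators published in this advisory: the C2 domains (including subdomains of them, as seen with rani[.]climatcon[.]com), a subset of the file hashes, and the scheduled-task names that appear under TaskCache\Tree. The record layout and the sample events are constructed for the example.

```python
import re

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxps://a[.]b') back into its live form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# Indicators copied from the Detection section above (the hash table is a subset; extend it the same way).
C2_DOMAINS = {refang(d) for d in [
    "confetly[.]com", "climatcon[.]com", "conmateapp[.]com", "chrialletworton[.]com",
    "banifuri[.]com", "dcownil[.]com", "vo[.]takelecon[.]com", "rani[.]climatcon[.]com",
    "hamarit[.]com", "netarlio[.]com", "oblifagi[.]com", "pdfclickapp[.]com", "orliksin[.]com",
    "balgonik[.]com", "ledirno[.]com", "pwrtail[.]com", "cbn[.]skillcli[.]com",
]}
FILE_HASHES = {  # sha256 -> observed file name
    "372d89d7dd45b2120f45705a4aa331dfff813a4be642971422e470eb725c4646": "conmate_update.ps1",
    "09c2af472ab86b62a702e94a39df2bef09205f4249ed871cbeece751c1e7ef4f": "UpdateRetreiver.exe",
    "50651ed57b60d48da11117a170241da8669bf0e6e7ea76d7f2d364db80e16d6f": "PDFClickUpdater.exe",
    "c7cbc315f533f124fd6ed468f7e333a276a1891cd4c6a5b720058d54e053ec32": "update_task_ad.ps1",
}
TASK_NAMES = {"ConvertMateTask", "PDC_Update"}  # task names seen under TaskCache\Tree
TASKCACHE_TREE = re.compile(r"\\Schedule\\TaskCache\\Tree\\([^\\]+)\\?$", re.IGNORECASE)

def domain_matches(host: str):
    """Longest C2 domain equal to host or a parent of it (x.climatcon.com -> climatcon.com)."""
    host = host.lower().rstrip(".")
    cands = [d for d in C2_DOMAINS if host == d or host.endswith("." + d)]
    return max(cands, key=len) if cands else None

def evaluate(event: dict) -> list:
    """IOC hits for one telemetry record (record layout is constructed for this example)."""
    hits = []
    if event["type"] == "dns" and (d := domain_matches(event["query"])):
        hits.append(f"c2-domain:{d}")
    elif event["type"] == "file" and event.get("sha256", "").lower() in FILE_HASHES:
        hits.append(f"known-hash:{FILE_HASHES[event['sha256'].lower()]}")
    elif event["type"] == "registry":
        m = TASKCACHE_TREE.search(event["key"])
        if m and m.group(1) in TASK_NAMES:
            hits.append(f"sched-task:{m.group(1)}")
    return hits

def hunt(events: list) -> list:
    """(host, hits) for every record that matched at least one indicator."""
    return [(e["host"], h) for e in events if (h := evaluate(e))]

SAMPLE = [  # constructed sample telemetry, not customer data
    {"type": "dns", "host": "ws01", "query": "rani.climatcon.com."},
    {"type": "registry", "host": "ws02",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PDC_Update"},
    {"type": "dns", "host": "ws03", "query": "update.microsoft.com"},
]
```

Running `hunt(SAMPLE)` flags ws01 (C2 DNS query) and ws02 (persistence task key) and leaves ws03 untouched; the suffix match means a new subdomain of a known C2 domain is still caught.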

References

[1] https://raw.githubusercontent.com/LindenSec/IoC/refs/heads/main/PDFEditorManualFinder/signers.txt
