Malicious Crystal PDF Converter Detected on SLTT Networks

In late October 2025, the Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team observed an increase in CIS Managed Detection and Response™ (CIS MDR™) alerts associated with a malicious fake PDF converter called Crystal PDF on U.S. State, Local, Tribal, and Territorial (SLTT) government entity endpoints. The CIS CTI team’s analysis confirmed that Crystal PDF is a managed .NET (F#) staged loader, but the second-stage payload was unavailable for analysis.
As reported by CyberProof, malicious PDF converters and editors became more prevalent in 2025, and Crystal PDF shares tactics, techniques, and procedures (TTPs) observed in earlier examples, such as OneStart PDF editor (February 2025) and AppSuite PDF Editor (May 2025). In March 2025, the FBI Denver Field office reported an increase in scams utilizing online document converter tools to infect victims with malware, leading to further infections such as ransomware. The trend is likely driven by threat actors’ awareness of users’ willingness to seek out free third-party tools over paid options as well as user frustration with Microsoft Office-related PDF formatting issues and creation errors.
For these reasons, the CIS CTI team assesses with moderate confidence that threat actors will continue to use fake PDF tools in opportunistic campaigns. This blog post includes tailored Indicators of Compromise (IOCs) and recommendations for U.S. SLTTs to better defend against malicious PDF converters.
Crystal PDF Overview
Crystal PDF is a managed .NET staged loader written in F#. It was first observed in November 2024 based on the executable’s earliest known upload to VirusTotal. At the time of analysis, Crystal PDF was using digitally signed certificates by Long Sound LTD and VAST LAKE LTD, which have since been revoked. The malware masquerades as a PDF converter, but analysis showed that it does not contain PDF processing libraries and likely has no real PDF conversion functionality.
Crystal PDF has multiple capabilities, including an obfuscated payload that executes in memory, process injection and spawning, along with sandbox and virtual machine (VM) detection. It can also download additional payloads. Based on the CIS CTI team’s analysis and reporting on similar fake PDF converters, Crystal PDF is spread through malvertising, which often uses search engine optimization (SEO) poisoning to promote malicious resources in search queries.
Figure 1: Crystal PDF (Sandbox Analysis)
Once executed, the payload runs in memory and performs sandbox and VM checks. If it is not in a sandbox or VM, Crystal PDF attempts to establish initial outbound network communications, likely over HTTPS, to its command and control (C2) domains to check in before awaiting further instructions. To evade defenses, the payload stalls if the contacted C2 domain does not respond.
For the second stage, it is likely that Crystal PDF either downloads an additional payload or contains an embedded payload that must be decrypted and executed in memory.
Figure 2: Crystal PDF (Sandbox Analysis)
Technical Analysis
On October 22, 2025, the 24x7x365 CIS Security Operations Center (SOC) alerted the CIS CTI team of an influx of CIS MDR detections across multiple organizations associated with Crystal PDF. The detections identified that Crystal PDF, located in the temporary directory, was attempting to run its “update” command. (See Figure 3.)
Figure 3: CIS MDR Detection of Crystal PDF in Command Line
CIS MDR blocked this activity, and the alerts prompted CIS CTI to perform further investigation. The team analyzed the contents and behavior of three signed executables. The certificates have since been revoked due to the signing authority detecting abuse or compromise of the legitimate signing infrastructure. The binaries of all three samples contained different future common object file format (COFF) timestamps in their PE file header (such as 2085-09-21), empty import tables, and multiple PE headers, which points to obfuscation. The obfuscation specifically masks whether Crystal PDF is used as a first-stage payload that downloads an additional payload or contains an embedded payload that must be decrypted and executed in memory to function.
Execution and Process Behavior Observed
Based on the CIS CTI team’s analysis, Crystal PDF typically launches from the user’s temporary directory or the Downloads folder, and it performs a series of environmental and sandbox checks upon execution. If the host environment is not virtualized, Crystal PDF executes an obfuscated payload in memory, which confirms that the malware is primarily fileless in operation. Although CIS CTI was able to analyze the initial payload, the secondary payload was unavailable for analysis.
CIS CTI analysts observed Crystal PDF spawning unexpected child processes, including WerFault.exe, which was often triggered immediately after execution. It was unclear whether this was a benign crash event or a hijacked process used for code injection. Additionally, CIS CTI saw rundll32.exe started with a class identifier linked to SHCreateLocalServerRunDll. This is consistent with Component Object Model (COM) object abuse and is not expected behavior for rundll32.exe, suggesting the malware is evading defenses and establishing persistence by loading or executing code through COM objects to blend in with normal system processes. Lastly, DLLHost.exe, OpenWith.exe, and FlashPLA.exe all spawned shortly after Crystal PDF execution with registry activity under Explorer\SessionInfo and Internet Settings\Cache. This is not typical behavior for benign or legitimate process launches, which suggests that Crystal PDF is likely performing this activity for staging or to verify that its persistence mechanisms work. Furthermore, Crystal PDF was also observed allocating read/write/execute memory and calling CreateRemoteThreadEx, which indicates the malware uses process injection.
Network Behavior Observed
CIS CTI analysts observed Crystal PDF performing DNS queries for three domains likely used for C2: negmari[.]com, ramiort[.]com, and strongdwn[.]com. Additionally, based on analysis of the .NET payload, CIS CTI found the malware makes use of standard .NET networking functions, specifically AsyncDownloadFile, AsyncDownloadString, HTTPClient, and WebClient. These functions are commonly used by legitimate .NET applications to send HTTP(S) requests and retrieve remote content.
However, malware often utilizes these functions to download additional payloads or retrieve instructions from C2 infrastructure, per MITRE ATT&CK and Justin Verhaeghe. Due to the aforementioned C2 domains being inactive or sinkholed, CIS CTI was unable to confirm whether Crystal PDF downloads a secondary payload or contains an embedded payload that must be decrypted and executed in memory to function.
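An added example, not part of the CIS post or any CIS MDR rule, that turns the execution and network behavior described in this section and in the Technical Analysis above into first-pass detection logic over constructed process-creation and DNS records. The usernames, PIDs, CLSID placeholder and exact command-line shapes are constructed; only the launch directories, the rundll32/SHCreateLocalServerRunDll pattern, the child process names and the three domains come from the post.

```python
import re

# Constructed, simplified endpoint telemetry (not real CIS MDR records) shaped like
# the activity the post describes; paths, PIDs and the CLSID are placeholders.
EVENTS = [
    {"type": "process", "image": r"C:\Users\jdoe\AppData\Local\Temp\CrystalPDF.exe",
     "cmdline": r'"C:\Users\jdoe\AppData\Local\Temp\CrystalPDF.exe" update',
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {CLSID-PLACEHOLDER}",
     "parent": r"C:\Users\jdoe\AppData\Local\Temp\CrystalPDF.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": "WerFault.exe -u -p 4242 -s 1234",
     "parent": r"C:\Users\jdoe\AppData\Local\Temp\CrystalPDF.exe"},
    {"type": "dns", "query": "negmari.com",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\CrystalPDF.exe"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",      # benign control
     "cmdline": "rundll32.exe printui.dll,PrintUIEntry /?",
     "parent": r"C:\Windows\explorer.exe"},
]

C2_DOMAINS = {"negmari.com", "ramiort.com", "strongdwn.com"}   # defanging brackets removed
STAGING_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\", re.IGNORECASE)
SUSPECT_CHILDREN = {"werfault.exe", "rundll32.exe", "dllhost.exe", "openwith.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> list:
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    if event["type"] == "dns":
        if event["query"].lower().rstrip(".") in C2_DOMAINS:
            hits.append("dns_to_known_c2")
        return hits
    image, cmd, parent = event["image"], event["cmdline"], event["parent"]
    # Loader launched from Temp/Downloads with its "update" argument (Figure 3).
    if STAGING_DIR.search(image) and re.search(r"\bupdate\b", cmd, re.IGNORECASE):
        hits.append("staging_dir_exe_update_cmd")
    if basename(image) == "rundll32.exe" and "shcreatelocalserverrundll" in cmd.lower():
        hits.append("rundll32_com_local_server")
    # System binaries spawned by a process that itself lives in a staging directory.
    if STAGING_DIR.search(parent) and basename(image) in SUSPECT_CHILDREN:
        hits.append("system_binary_child_of_staged_exe")
    return hits

def run(events: list) -> dict:
    """Map event index -> matched rule names, omitting events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := evaluate(e))}
```

The benign rundll32 record (PrintUIEntry launched by explorer.exe) is included so the rules can be checked for false positives alongside the true hits.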
Defense Evasion Techniques Observed
The CIS CTI team observed Crystal PDF employing multiple defense evasion techniques:
- The COFF timestamps in the PE headers were all dated in the future, which is a technique malware authors use for obfuscation to mislead cybersecurity analysts during investigations.
- Crystal PDF’s import tables were effectively empty, containing no traditional Windows API imports. Instead, the threat relied on dynamic API resolution. This technique is commonly used in malware development to evade static analysis by loading required APIs dynamically only at runtime.
- The threat uses timing delays and looped environment checks to detect virtualization, and it relies on digitally signed binaries to evade signature-based detection.
- Lastly, CIS CTI’s analysis identified Crystal PDF using additional obfuscation techniques, including encryption and/or compression, to hide the embedded payloads. The team was unable to directly analyze the embedded payloads because only a partial common language runtime (CLR) memory capture was available.
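The first two evasion indicators above, together with the multiple PE headers noted in the Technical Analysis, can be checked directly from a sample's header bytes. The following is an added example written for this post (not CIS tooling): a header-only triage routine plus a constructed PE32+ header blob that reproduces the indicators; the 2085-09-21 timestamp and the 2025-10-22 reference date come from the post, everything else in the sample is constructed.

```python
import struct
from datetime import datetime, timezone

def triage_pe(data: bytes, now: int) -> dict:
    """Header-only triage of a PE image for future timestamp, empty imports, extra PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    _, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories begin 96 (PE32, 0x10B) or 112 (PE32+, 0x20B) bytes into the optional header.
    dd_off = opt_off + (112 if magic == 0x20B else 96)
    # Import directory is entry 1 of the data directories: (VirtualAddress, Size).
    imp_rva, imp_size = struct.unpack_from("<II", data, dd_off + 8)
    result = {
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "future_timestamp": timestamp > now,
        "empty_imports": imp_rva == 0 or imp_size == 0,
        # Naive count: a normal file has exactly one. More than one is a heuristic hint at
        # embedded or appended images, not proof of packing.
        "pe_signature_count": data.count(b"PE\0\0"),
    }
    result["suspicious"] = (result["future_timestamp"] or result["empty_imports"]
                            or result["pe_signature_count"] > 1)
    return result

def build_sample(timestamp: int, import_size: int, extra_pe_headers: int) -> bytes:
    """Constructed PE32+ header-only blob (not a real binary) for exercising triage_pe."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)                                             # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 120, 0x3000, import_size)           # import directory entry
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"PE\0\0" * extra_pe_headers

NOW = int(datetime(2025, 10, 22, tzinfo=timezone.utc).timestamp())   # detection date in the post
FUTURE = int(datetime(2085, 9, 21, tzinfo=timezone.utc).timestamp())  # COFF timestamp cited above

if __name__ == "__main__":
    print(triage_pe(build_sample(FUTURE, 0, 2), NOW))
```

Run against a real file, `triage_pe(open(path, "rb").read(), int(time.time()))` gives the same three indicators; a future timestamp or empty import directory on a signed "PDF converter" warrants sandboxing rather than execution.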
“Productivity Tool” Trojans
Crystal PDF is one of many malicious fake productivity tools that are advertised as PDF converters or editors. Other fake PDF applications include AppSuite PDF Editor, ConvertMate, ManualReaderPro, and OneStart PDF Editor. Like Crystal PDF, these malware families are commonly distributed through malvertising and SEO-poisoning campaigns, and they often leverage valid, though later revoked, digital signatures to appear credible.
Across campaigns, many of these fake PDF tools rely on in-memory execution and function as staged loaders that ultimately deliver a secondary payload, most often an infostealer. For example, Acronis detected an ongoing global campaign known as TamperedChef in which threat actors distribute legitimate-looking installers that deliver infostealer malware. Additional similarities include the use of dynamic API resolution, process creation and injection, and abuse of standard .NET networking functionality while communicating over HTTPS for C2 activity.
The growing wave of fake PDF utility applications reflects a broader shift in the threat landscape. Threat actors are increasingly weaponizing seemingly benign productivity tools as well as using malvertising and SEO poisoning rather than relying purely on phishing or exploit kits. Offering fake productivity tools that evade detection, combined with users’ willingness to seek out and install free third-party tools, enables threat actors to more easily gain initial access, execution, and persistence. This trend exploits users’ trust in advertised productivity tools, specifically third-party PDF converters and editors, making it harder for cybersecurity defenders and antivirus tools to detect the underlying malicious activity and protect end users.
Defend against Crystal PDF as an MS-ISAC Member
U.S. SLTTs can bolster their defenses against fake PDF tools like Crystal PDF by joining the Multi-State Information Sharing and Analysis Center® (MS-ISAC®). MS-ISAC membership equips your organization with a robust cyber defense ecosystem to stay protected in a way that can't be replicated by commercial vendors or other government programs. By becoming a member, you'll receive early reporting on threats such as Crystal PDF in the MS-ISAC's Quarterly Threat Report and on the Monthly Membership Call. You'll also receive more detailed reports tailored for U.S. SLTT network defense operators and decision-makers, including specific incident response findings and IOCs. This information is intended to provide actionable threat intelligence that directly supports proactive defense and informed decision-making.
Ready to see the difference of collective cyber defense?
As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.