From PDF Software to Malicious Code: Fake Adobe Acrobat Reader Setups Spread Byakugan Malware

Cybercriminals are distributing a new multi-functional malware named Byakugan through fake Adobe Acrobat Reader installers. The attack begins with a PDF file in Portuguese that displays a blurry image and prompts users to download a fake Reader application to see the content more clearly. Fortinet FortiGuard Labs reported that clicking on the provided link downloads an installer (“Reader_Install_Setup.exe”) that starts the malware infection process. AhnLab Security Intelligence Center (ASEC) first uncovered this campaign last month.

The attackers employ techniques such as DLL hijacking and bypassing Windows User Access Control (UAC) to execute a malicious dynamic-link library (DLL) file called “BluetoothDiagnosticUtil.dll.” This file then releases the main malware payload and simultaneously installs a legitimate PDF reader, like Wondershare PDFelement, as a cover. The malware collects and sends system metadata to a command-and-control (C2) server and downloads its primary module (“chrome.exe”) from another server, which also serves as a C2 hub for commands and file reception.

Security researcher Pei Han Liao noted that Byakugan is built on node.js and bundled into its executable with pkg. It incorporates various libraries for functionalities such as persistence, monitoring the victim’s desktop with OBS Studio, screenshot capture, downloading cryptocurrency miners, keystroke logging, file enumeration and uploading, and data theft from web browsers.

Fortinet highlighted a trend where malware combines both benign and malicious components, complicating analysis and detection efforts. Meanwhile, ASEC discovered a campaign spreading the Rhadamanthys information stealer disguised as a groupware installer. The threat actors crafted a counterfeit website mimicking the official site and promoted it through search engine ads. This malware employs the indirect syscall technique to evade detection by security solutions.

Byakugan highlights how malware creators are increasingly mixing clean and malicious elements to obstruct the analysis by security software. This deceptive method generates more noise, complicating the task for automated tools and human analysts to identify the threat accurately.

About Purple Shield Security

Purple Shield Security stands out from the crowd of cyber security firms. Picture us as the guardians of your digital space, always on the lookout to protect your business from the newest cyber dangers. We’ve got a variety of services to help keep you safe, including Managed Cyber SecurityCyber Security Consulting, Risk Analysis, Defense Services, Incident Response, and even a virtual Chief Information Security Officer (vCISO).

Don’t put off making your business safer. Contact us now to see how Purple Shield Security can upgrade your cyber defenses.