WatchGuard has recently received reports of a cyber crime campaign underway where a weaponized version of a free PDF editor software “AppSuite PDF Editor” has been distributed to multiple sites for users to unknowingly download and run on their systems. It has been made aware of that the threat actor used Google advertising to promote this software for users to download. 

It was recently observed that the following URL was used to host the malicious file: hxxps[:]//pdfadmin[.]com/productivity/download/90153768[?]cid[=]G4FTU85NWQ9Kc6z3zN where the user would then launch a .msi file named “appsuite-pdf.msi”, or a variation of this filename such as “AppSuite” or “Appsuite”. 

During the installation, the setup will write the below registry key to establish persistence and allows the program to run on start-up:

Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFEditorUpdater

This is done via arguments passed with a --cm switch (PDF Editor.exe --cm=--fullupdate) to instruct the program on how to behave and actions to take, which have been added by the threat actors as part of the weaponized campaign. These callback of actions receive instructions and activate an information stealer referred to as “Tamperedchef” which will begin to collect information on the local system and query web browsers for the purposes of stealing sensitive information. An additional obfuscated .js file is then downloaded to /resources/app/w-electron/bun/releases/ (pdfeditor.js). 

Additional supported arguments for “PDF Editor.exe” include:
--install 
--enableupdate
--disableupdate
--fullupdate
--partialupdate
--backupupdate
--check
--ping
--reboot

It has also been known that the binary elevate.exe will come installed as a bundle, which is a legitimate open source program to assign higher privileges to a program, but which has been customized by the threat actor for the purposes of the campaign to include additional arguments. 

if you are a WatchGuard EPDR customer, you are already protected against this threat thanks to the contextual engine. Either way, be wary of applications from untrusted or official sources like this one.

IOCs:
AppSuite-PDF.msi: 213ECA72F00563FA2ED788A1212C67E0, 0617D54E576E4C124B5F219A79BEE64F

Phishing domain: hxxps[:]//pdfadmin[.]com/productivity/download/90153768[?]cid=G4FTU85NWQ9Kc6z3zN

Let’s stop pretending this is new.

It is 2025. We have had years, decades of advice, warnings, and horror stories about password security. And still, people are reusing passwords like it is 2005. We are not talking about random Internet users, either. We are talking about businesses, infrastructure, leadership teams, and real people making real decisions that affect livelihoods.

The collapse of KNP, a 158-year-old UK transport firm, should be the final wake-up call.
One reused password. One guessed login.
Ransomware hit.
Seven hundred people out of work.
Finished.

You can read it for yourself. It is all there in the BBC’s coverage.

This was not a sophisticated hack, not cutting-edge malware or state-sponsored espionage. It was a company with weak internal practices, someone using a password that attackers had probably seen before in another breach, and it cost them everything.

Why are we still doing this

Let’s break it down:

• People think they are not a target.
• Businesses still do not enforce strong password policies.
• Most teams do not use password managers.
• MFA is optional when it should be mandatory.
• Cybersecurity gets brought up after something breaks, not before.

Worst of all, we are still not communicating the risk in a way that people actually hear. Too many security messages are wrapped in jargon or delivered in boring one-off training sessions that nobody remembers.

We say use MFA, rotate passwords regularly, and assume the message landed. It did not.

This is not about compliance. It is about consequences.

KNP was not just attacked. They left the door open, and the attackers did not even have to kick it down.

This is the reality:
One reused password can end your business.
One guessed login can cost real people their jobs.
One missed backup can turn a ransomware hit into a total collapse.

And yet, in meeting rooms and inboxes across the country, password policies still get brushed off as overkill.

We also need to train staff. Properly.

If companies are serious about avoiding the next KNP, they need to stop assuming employees already know how to stay safe online. They do not.

Every employee should be trained on basic cyber protection ‒ not just for the office but also for their home life. Compromised personal accounts often lead to compromised work systems, and work from home blurred that line years ago.

Teach people how to spot phishing. How to use password managers. Why they should never reuse passwords. Why their home router settings matter just as much as their work login.

Cybersecurity is no longer just an IT problem. It is a life skill. And if your company is not actively building that skillset in your team, you are leaving the door open.

So are we failing to get the message out? Yes.

And maybe we have been going about it the wrong way.

Instead of shouting technical advice, maybe we should just start showing what happens when you ignore it. KNP is now a case study in what not to do. A 158-year-old company, gone. Not because of innovation. Not because of disruption. But because of basic, avoidable mistakes.

It is not enough to keep repeating the same old advice. We need to be blunt, loud, and clear.

Final word: stop reusing passwords.

Use a password manager, turn on multi-factor authentication, train your team, and take cybersecurity home with you. It does not have to be complicated; it just has to be taken seriously.

Because KNP is not the only one. And if this is still happening in 2025, the next collapse could be closer than you think.

Sometimes supposedly small things make a huge difference. This can also be true in cyber security configurations. In recent weeks, multiple partners described very similar cyber attacks their customers faced, and in some cases, the criminals were unfortunately even successful in compromising customer networks. Specifically speaking, cyber criminals first exfiltrated and then encrypted data with Akira ransomware. Akira ransomware is already out in the wild since march 2023 and many companies fell victim (Cisa has published a very detailled description and also many helpful recommendations in this advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a )

Let me share a real example of a WatchGuard customer with Firebox, AuthPoint and EPDR in place that was hit by this type of attack. From a technology perspective, this seems to be the combination of solutions that makes it really tough for cyber criminals. Nevertheless, they became a victim, data was stolen, and Akira ransomware was used to encrypt data.

So what did happen?

Criminals gained access to their network using stolen or brute-forced credentials for a single user to log in via VPN. Wait a second…don’t they use WatchGuard AuthPoint? They do, but unfortunately, a legacy configuration on their Firebox was in place that allowed logins with the local Firebox-DB users as well. Even though AuthPoint was configured and used since a while already, the option to use Firebox-DB users was still enabled in Firebox configuration. Attackers used stolen or compromised credentials and logged in using Firebox-DB, bypassing MFA that would have protected the WatchGuard AuthPoint users. 

As soon as the criminals had VPN access, they started scanning the network and initiated brute-force attempts, trying to remotely log in to servers and clients discovered in the scans. After about 4 days, they were successful and logged in on 2 different server systems reachable from the VPN.  On these servers, they could steal credentials for a few AD Domain accounts (some even with administrative privileges) and use these accounts to carry on living off the land attacks. Tools like Advanced Port Scanner and netstat were used to scan the network for possible additional target servers and clients. By using these legitimate tools to learn more about the network they tried to hide their activities to remain undetected. 

Most of the endpoints were well protected by WatchGuard EPDR. Even though the attackers could access and log in on some of them they could not install or run ransomware and steal data immediately. Unfortunately one of the systems the criminals compromised was not protected by WatchGuard EPDR so that they could easily use this server to start harmful actions.

•  They collected files remotely from other systems via Windows network file sharing over SMB.
• They compressed the files with the legitimate tool WinRAR
• They uploaded the archives to fastupload.io, a free and legitimate file-sharing service that can be used without account creation.
• They ran the ransomware akira.exe on the unprotected system and encrypt files remotely via windows file sharing. As one of the stolen accounts in first phase of the attack was an administrator this was an easy task. 

The customer discovered the attack when the encryption was already finished and the ransom payment demanded. So it was already too late to stop the attack. Fortunately the customer had a clean and consistent backup of all critical files and data. So they decided to start with a clean implementation and to restore backups. For sure they validated by forensic analysis and deeper investigation that the backup is actually clean. 

What lessons can we learn from this example? 

Even a single parameter in a perimeter firewall solution that is not configured idealy can open an attack vector for cyber criminals. In the specific example the option Firebox-DB was not disabled even though AuthPoint was configured and used already. This allowed attackers to bypass MFA with stolen or compromised credentials. I highly recommend to enable MFA (e.g. with WatchGuard AuthPoint) wherever possible and to double check that no legacy options to log in (especially remotely) without MFA are still enabled. 

As brute-forcing was supposedly used in the attack of my example as well, I also recommend enabling features for brute-force prevention as well. Such features can stop brute-force attempts and disable a user account before the password is known or even block the source ip of an attacker. A good overview about WatchGuard’s features for this and configuration tipps and tricks is documented here: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000BcPmSAK&lang=en_US

Another lesson learned is that strong Endpoint Security solutions like WatchGuard EPDR should be in place on all clients and servers to avoid blind spots that could lead to compromise and lateral movement. Akira.exe was blocked and quarantined on EPDR protected systems during the attack in the example, but a single unprotected server could be used to remotely steal and encrypt data from other systems. Akira has even compromised IoT cameras with network access to critical systems to launch their ransomware before.

It is also important to keep operating systems and applications up to date. Having a patch management solution in place is very important to do this in an efficient way.

Secure network segmentation, limiting access between systems and enabling security services to scan internal traffic, can also help to stop attacks or limit the scope of attacks. The Intrusion Prevention System of Firebox, for example, is capable of detecting and blocking network scanning, usage of vulnerabilities, and other harmful activities. I read an article about an Akira infection that used a compromised webcam as servers and clients could not be compromised (https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam ) - this underlines the importance of network segmentation, especially for IoT devices.

You should also consider limiting outbound communication by limiting ports and protocols as much as possible and by using Webblocker and other technologies. The site fastupload.io that was used to upload stolen data is categorized as “personal network storage and backup” by Webblocker service. Is it really required to allow such websites for all users and all devices? 

I also recommend to be serious about HTTPS Content Inspection to make sure malicious or unwanted content can be identified in encrypted Web traffic.

What else is important?

But it is not only about strong protective measures. It becomes more and more important nowadays to continuously monitor network and endpoint activities to uncover hidden threats and risks. Cyber criminals use sophisticated tools to prepare and launch their attacks making it more challenging to detect and stop them. Network Detection and Response solutions (e.g. WatchGuard ThreatSync+ NDR) can be of huge help to discover anomalies and react before it is too late. In the example shared network scanning activities and file extractions were identfied in the post-breach investigation – a NDR solution could have discovered this while the cyber criminals were still extending their attack and planning the next steps. With alerting and even reaction or remediation capabilities as part of the NDR solution or based on an integration into XDR solution attacks can often be stopped before exfiltration and encryption of data is happening. WatchGuard ThreatSync+ NDR forwards alarms to ThreatSync Core so that remediation can easily happen – e.g. by isolating a host or blocking network communication.

In many cases an investigation of all suspicious activities will be needed to reveal the full scope of a cyber attack. To make sure this happens immediately on first indication of an attack and in a proactive way Managed Detection and Response services should be considered as well. In the example described our team and other specialists where involved after the breach and encryption happened – too late to protect the customer. With MDR services trained cyber security experts get involved before it is too late and investigate and remmediate threats proactively. WatchGuard recently launched Total MDR as a service that covers WatchGuard Endpoint, Fireboxes, AuthPoint and also ThreatSync+ NDR to identify and stop harmful activities regardless of the attack vector – I am very confident that this service (in case protective measures did not catch the attack earlier) would have caught the attacker before any serious impact.

The combination of well configured protections for networks, endpoints and identities with 24/7 monitoring for anomalies and threats is the level of protection needed today to stay ahead. This is real Security for the real World!