An attacker with a RAT and infostealer installed on employee endpoints can harvest credentials for corporate systems, VPNs, email, and cloud services — creating a pathway to broader network compromise, data theft, or ransomware deployment. Given 12,000 confirmed installations worldwide and the malware's deliberate dormancy strategy, affected organizations may have active footholds they have not yet detected. Regulatory exposure is real: credential theft from endpoints handling financial, health, or personal data triggers breach notification obligations under GDPR, HIPAA, and similar frameworks, depending on jurisdiction and the data handled.
You Are Affected If
Employees have installed any of the ten named trojanized applications: AppSuite PDF, DocuFlex, Calendaromatic, CrystalPDF, Easy2Convert, PDF-Ezy, JustAskJacky, GoCookMate, RocketPDFPro, or ManualReaderPro
Your organization lacks software allowlisting or application control policies that block unauthorized productivity tools (CIS 2.3 gap)
Your endpoint detection relies primarily on hash-based signature matching — the campaign explicitly defeats this through frequent binary rebuilds
Your environment includes software developers or engineers with npm ecosystem access, creating compound exposure with the overlapping Shai-Hulud supply chain attack surface
Endpoint telemetry is not ingested into Cortex XDR, Cortex XSIAM, or an equivalent behavioral EDR capable of detecting dormant payload activation
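The audit the advisory calls for (check every endpoint for the ten named applications, then isolate and rotate credentials on matches) can be driven from an exported software inventory. The script below is an added example written for this page, not tooling from the advisory's authors or from any EDR vendor; it matches on normalized product names rather than file hashes because frequent binary rebuilds make hash matching unreliable, and it assumes a CSV export with `hostname` and `program_name` columns (the sample inventory is constructed).

```python
"""Flag endpoints whose installed-program inventory contains any of the ten
trojanized application names from the advisory.  Name-based matching is
deliberate: the campaign rebuilds binaries often, so hash matching misses it."""
import csv
import io
import re

# The ten application names exactly as the advisory lists them.
TROJANIZED_APPS = [
    "AppSuite PDF", "DocuFlex", "Calendaromatic", "CrystalPDF", "Easy2Convert",
    "PDF-Ezy", "JustAskJacky", "GoCookMate", "RocketPDFPro", "ManualReaderPro",
]

def normalize(name: str) -> str:
    """Lower-case and strip everything but letters and digits, so that
    'PDF-Ezy', 'pdf ezy' and 'PDFEzy 2.1' all reduce to the same key."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

# normalized key -> canonical name from the advisory
_NORMALIZED = {normalize(n): n for n in TROJANIZED_APPS}

def find_trojanized(inventory_csv: str) -> dict:
    """Return {hostname: [(canonical_name, installed_name), ...]} for every
    host whose inventory contains one of the ten names.  Substring matching
    on the normalized key keeps version suffixes and installer wrappers from
    hiding a hit; any match is a candidate for isolation and credential rotation."""
    hits = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = normalize(row["program_name"])
        for norm, canonical in _NORMALIZED.items():
            if norm in key:
                hits.setdefault(row["hostname"], []).append((canonical, row["program_name"]))
    return hits

def hosts_to_isolate(hits: dict) -> list:
    """Sorted list of hostnames that need isolation and credential rotation."""
    return sorted(hits)

# Constructed sample export (assumed column layout), not real inventory data.
SAMPLE_INVENTORY = """hostname,program_name
WS-0142,Microsoft Office 365
WS-0142,PDF-Ezy 2.1
WS-0199,Google Chrome
WS-0207,AppSuite PDF
WS-0207,Easy2Convert Installer
WS-0311,Adobe Acrobat Reader
"""

if __name__ == "__main__":
    for host, found in find_trojanized(SAMPLE_INVENTORY).items():
        print(host, "->", ", ".join(f"{c} (as '{i}')" for c, i in found))
```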
Board Talking Points
Attackers have compromised at least 12,000 systems globally by disguising malware as everyday PDF and productivity tools, and the malware deliberately waits weeks before activating to avoid detection.
Security teams should immediately audit all endpoints for these ten named applications, isolate any matches, and rotate credentials on affected systems — this work should begin within 24 hours.
Organizations that take no action risk undetected credential theft enabling broader network compromise, data exfiltration, and potential regulatory breach notification obligations.
GDPR — infostealer and keylogger payloads on employee endpoints may constitute a personal data breach if EU resident data is accessible from compromised systems, triggering 72-hour notification obligations
HIPAA — credential theft from endpoints with access to protected health information creates breach notification exposure under the HIPAA Security Rule (45 CFR § 164.308)
PCI-DSS — keylogging and credential-dumping capabilities on endpoints with access to cardholder data environments directly implicate PCI-DSS Requirement 12.10 incident response and Requirement 8 access control obligations