TamperedChef Malware Targets Productivity Tools to Exfiltrate Sensitive Information

Field Effect’s Managed Detection and Response team identified two seemingly legitimate utilities, ImageLooker.exe and Calendaromatic.exe, on September 22, 2025.

Both binaries were digitally signed by CROWN SKY LLC and disguised as self-extracting 7-Zip archives to bypass Windows Mark of the Web protections.

Delivered via search engine manipulation and deceptive advertising promising free utilities, the executables exploited CVE-2025-0411 to evade SmartScreen reputation filters.

Built on NeutralinoJS, they loaded arbitrary JavaScript payloads capable of interacting with native system APIs, enabling covert data collection and command execution once the archives were unpacked.

Self-Extracting Archives Exploit Code Signing to Evade Defenses

The malicious payloads were packaged as self-extracting 7-Zip executables that exploited Windows’ trust in digitally signed code. By abusing CVE-2025-0411, the archives executed without triggering reputation-based controls.

Upon launch, both binaries created scheduled tasks and modified registry keys using flags such as --install, --enableupdate, and --fullupdate to maintain persistence.

ImageLooker.exe contacted movementxview[.]com while Calendaromatic.exe communicated with calendaromatic[.]com, establishing resilient command-and-control channels.

The legitimate appearance of trusted certificates significantly reduced endpoint alerts and user suspicion, providing the adversary with ample time to execute reconnaissance and data exfiltration routines before detection.

NeutralinoJS and Unicode Homoglyphs Enable Covert Payload Execution

Leveraging the NeutralinoJS framework, the malware executed JavaScript modules with broad system privileges. Payload scripts were obfuscated using Unicode homoglyphs to encode hidden modules within seemingly benign API responses, thwarting string-based detection engines.

This covert encoding methodology enabled the delivery of additional payloads directly in memory, bypassing file-based scanners.

Network traffic analysis revealed that harvested browser data, including stored credentials, session cookies, and autofill information, was quietly exfiltrated over encrypted channels.

Further research linked these samples to the TamperedChef campaign first reported on September 17, 2025, by GuidePoint Security, revealing a pattern of trojanized productivity tools used for credential harvesting and reconnaissance.

SEO Poisoning and PUA Abuse Drive Malware Campaign Success

The threat actors manipulated search engine results through SEO poisoning, ranking malicious landing pages for queries such as “free PDF editor” and “image viewer download,” complete with fake trust badges and download counters.

Victims were redirected to archives housing these signed binaries, often unaware of the risk. A network of suspicious code-signing publishers, namely OneStart Technologies LLC, Sunstream Labs (Capital Intellect Inc.), Echo Infini Sdn. Bhd., GLINT SOFTWARE SDN. BHD., SPARROW TIDE LTD, TECHNODENIS LTD, INCREDIBLE MEDIA INC, Global Tech Allies Ltd, and LIMITED LIABILITY COMPANY APPSOLUTE, provided certificates that facilitated widespread distribution.

The integration of potentially unwanted applications, such as OneSearch and browser hijackers, further expanded the infection vector, repurposing adware infrastructure for initial access and installation.

Field Effect recommends blocking self-extracting archives from untrusted sources, updating 7-Zip to version 24.09 or later, and enforcing application allow-listing.

Organizations should enable PUA detection in endpoint platforms, audit scheduled tasks and registry entries for anomalous flags, and monitor outbound connections to calendaromatic[.]com and movementxview[.]com.
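As an added example (not material from Field Effect or the article), the following Python audits a constructed `schtasks /query /fo CSV /v` export for the persistence flags and staging paths the report describes; the reduced column set and the path regex are assumptions made for this example.

```python
import csv
import io
import re

# Persistence flags the report ties to the TamperedChef binaries.
SUSPICIOUS_FLAGS = ("--install", "--enableupdate", "--fullupdate")
# Staging locations taken from the report's IOC paths (user Downloads and the
# 7-Zip SFX temp directory); this regex is an assumption made for the example.
SUSPICIOUS_PATH_RE = re.compile(r"\\(Downloads|AppData\\Local\\Temp\\7ZipSfx\.\d+)\\", re.I)

# Constructed sample export with a reduced column set (not real telemetry).
SAMPLE_EXPORT = r'''"HostName","TaskName","Status","Author","Task To Run","Schedule Type"
"WS01","\Calendaromatic Update","Ready","WS01\alice","C:\Users\alice\Downloads\Calendaromatic.exe --enableupdate","Daily"
"HostName","TaskName","Status","Author","Task To Run","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft","%windir%\system32\defrag.exe -c -h -o -$","Weekly"
"HostName","TaskName","Status","Author","Task To Run","Schedule Type"
"WS01","\ImageLooker","Ready","WS01\alice","C:\Users\alice\AppData\Local\Temp\7ZipSfx.000\ImageLooker.exe --install","At logon"
'''

def parse_schtasks_csv(text):
    """Parse `schtasks /query /fo CSV /v` output into row dicts.
    Verbose output repeats the header before every task, so skip repeats."""
    rows, header = [], None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == "HostName":
            header = row
            continue
        rows.append(dict(zip(header, row)))
    return rows

def task_findings(task):
    """Return why a task resembles TamperedChef persistence (empty list = clean)."""
    cmd = task.get("Task To Run", "")
    reasons = []
    hits = [f for f in SUSPICIOUS_FLAGS if f in cmd.lower()]
    if hits:
        reasons.append("flag " + ",".join(hits))
    if SUSPICIOUS_PATH_RE.search(cmd):
        reasons.append("runs from user staging path")
    return reasons

def audit(text):
    """Map TaskName -> findings for every task with at least one finding."""
    report = {}
    for task in parse_schtasks_csv(text):
        reasons = task_findings(task)
        if reasons:
            report[task["TaskName"]] = reasons
    return report
```

Running `audit(SAMPLE_EXPORT)` flags the two tasks launched from Downloads and the 7ZipSfx temp directory with their update flags, while the built-in defrag task is left alone.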

Resetting credentials and restoring systems from clean backups will ensure complete remediation. At the same time, continuous certificate reputation scoring and behavioral analytics can detect and block future signed threats before they compromise sensitive data.

Indicators of compromise (IOCs)

Malware: calendaromatic.exe

Domains:

  • calendaromatic[.]com
  • iolenaightdecipien[.]org

Hashes:

  • calendaromatic-win_x64.exe
    • SHA256: 69934DC1D4FDB552037774EE7A75C20608C09680128C9840B508551DBCF463AD
    • Path: <USER_DIR>\AppData\Local\Temp\7ZipSfx.000\calendaromatic-win_x64.exe
  • Calendaromatic.exe
    • SHA256: E32D6B2B38B11DB56AE5BCE0D5E5413578A62960AA3FAB48553F048C4D5F91F0
    • Path: <USER_DIR>\Downloads\Calendaromatic.exe


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
