Malicious Crystal PDF Converter Detected on SLTT Networks
ID: a4d5f6d2-21c2-54ac-9ab5-c8ae1a1af22e
STIX ID: report--a4d5f6d2-21c2-54ac-9ab5-c8ae1a1af22e
Feed Name: CISecurity.org Insights Blog
CIS CTI reports increased detections of Crystal PDF, a managed .NET (F#) staged loader posing as a PDF converter and distributed via malvertising/SEO poisoning against U.S. SLTT entities. The malware executes obfuscated, primarily fileless payloads, performs sandbox/VM checks, abuses COM objects and process injection (e.g., rundll32, CreateRemoteThreadEx), and uses dynamic API resolution, timestomping, and revoked but previously valid code-signing certs (Long Sound LTD, VAST LAKE LTD). Analysts observed DNS queries to likely C2 domains (negmari.com, ramiort.com, strongdwn.com) and .NET networking APIs for potential payload retrieval over HTTPS; the second stage was unavailable due to inactive/sinkholed C2. The report links Crystal PDF to a broader trend of fake PDF tools delivering secondary malware and provides defensive guidance and IOCs for SLTT defenders.
