
The history of AppSuite: the certs of the BaoLoader developer

ID: 4e001193-80a9-5ef5-96b7-a7572e4ed10d

STIX ID: report--4e001193-80a9-5ef5-96b7-a7572e4ed10d

Feed Name: Expel Blog

Threat Score
70/100

Date Published: 2025-09-11

Date Updated: 2026-04-27

Author: Aaron Walton

...
...

This report summarizes Expel and CertGraveyard's analysis of the BaoLoader ecosystem: a multi-year campaign in which one actor group repeatedly registers companies and uses them to obtain legitimate code-signing certificates (notably from Panama, Malaysia, and the US), then signs and distributes potentially unwanted programs (PUPs) and backdoors such as AppSuite-PDF, PDF Editor and OneStart under those certificates. The write-up maps certificate issuers and signer names to representative signed binaries and their SHA256 hashes, documents observed behaviors (silent installers, bundled Web Companion installs, scheduled-task persistence, a CloudFront-hosted first stage, DGA-style C2 domains), and notes overlaps with and distinctions from related families (ChromeLoader, TamperedChef). It emphasizes certificate abuse as a key detection and hunting vector, since the signing certificates are genuinely issued and the binaries validate cleanly, and it lists actionable IoCs.
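The hunting approach the summary points at (pivot on who signed a binary rather than on whether the signature validates) is shown below as an added example; this is not code from the Expel/CertGraveyard post. It walks common install locations on a Windows host, reads each executable's Authenticode signer, flags files whose signer subject, issuer, or thumbprint matches a watch-list, records their SHA256 hashes, and then checks whether any scheduled task launches one of those flagged binaries. The watch-list values in the script are placeholders, not signer names or thumbprints from the report; replace them with the identifiers the post lists.

```powershell
# Added example (not from the original post): hunt for binaries signed by watch-listed
# publishers and for scheduled tasks that launch them.
# The watch-list defaults below are PLACEHOLDERS (an assumption of this example), not
# signer names from the report. Populate them from the post's IoC list.

param(
    [string[]] $Paths = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}",
                          "$env:LOCALAPPDATA", "$env:APPDATA", "$env:ProgramData"),
    [string[]] $SignerSubjectPatterns = @('EXAMPLE SIGNER SDN BHD', 'EXAMPLE SIGNER S.A.'), # placeholders
    [string[]] $IssuerPatterns = @(),        # optional issuer CN substrings, e.g. a specific CA product line
    [string[]] $Thumbprints = @()            # optional SHA1 certificate thumbprints (placeholders, if used)
)

function Test-WatchlistedSignature {
    # Match on signer identity only. Status is deliberately ignored here: these
    # certificates were legitimately issued, so the signature is typically Valid.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    if (-not $Cert) { return $false }
    foreach ($p in $SignerSubjectPatterns) { if ($Cert.Subject -like "*$p*") { return $true } }
    foreach ($p in $IssuerPatterns)        { if ($Cert.Issuer  -like "*$p*") { return $true } }
    if ($Thumbprints -contains $Cert.Thumbprint) { return $true }
    return $false
}

# Pass 1: signed executables, DLLs and MSIs under the usual install/staging roots.
$fileHits = foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.exe,*.dll,*.msi -ErrorAction SilentlyContinue |
      ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if (Test-WatchlistedSignature $sig.SignerCertificate) {
            [pscustomobject]@{
                Path       = $_.FullName
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Status     = $sig.Status                     # usually Valid; recorded for context only
                Subject    = $sig.SignerCertificate.Subject
                Issuer     = $sig.SignerCertificate.Issuer
                Thumbprint = $sig.SignerCertificate.Thumbprint
                NotBefore  = $sig.SignerCertificate.NotBefore
                NotAfter   = $sig.SignerCertificate.NotAfter
            }
        }
      }
}

# Pass 2: scheduled tasks whose exec action points at a watch-listed signer's binary.
$taskHits = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }                    # skip non-exec actions
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if (Test-WatchlistedSignature $sig.SignerCertificate) {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $exe
                Arguments = $a.Arguments
                SHA256    = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
                Subject   = $sig.SignerCertificate.Subject
            }
        }
    }
}

"== Signed files matching the watch-list =="
$fileHits | Format-Table Path, SHA256, Subject, Issuer, NotBefore -AutoSize
"== Scheduled tasks launching watch-listed binaries =="
$taskHits | Format-Table TaskPath, TaskName, Execute, Subject -AutoSize
```

Run it from an elevated PowerShell session so that per-user profile directories and all scheduled tasks are readable. Match on signer identity rather than on `Status`: the point of the campaign is that the certificates are real, so `Valid` is the expected result for a malicious file until the CA revokes the certificate. Recording `NotBefore`/`NotAfter` and the thumbprint per hit lets you cluster binaries by certificate and feed the hashes and thumbprints back into an allow/deny list.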
