You don’t find ManualFinder, ManualFinder finds you
ID: acacd51d-5867-550a-a3ce-76339f833f77
STIX ID: report--acacd51d-5867-550a-a3ce-76339f833f77
Feed Name: Expel Blog
Expel investigated a campaign distributing seemingly benign apps (ManualFinder, PDF Editor, AppSuite-PDF, OneStart) that act as decoys while installing malicious components. Scheduled tasks launch temporary JavaScript via node.exe, which downloads signed MSI/EXE installers (code-signed by suspicious companies) and can turn hosts into residential proxies. The report includes execution logs, IOCs (file hashes and domains), evidence of persistence and active network connections, and recommended remediation steps, including blocking domains, removing scheduled tasks, and revoking certificates.
