Case study – extinguishing SparkOnSoft malware

Avi Lamay

26/10/2025

Intro

In the past week we’ve seen a surge of new variants of a malware family which our Active Ransomware Prevention platform prevented for multiple customers worldwide.
The common thread between all the attacks is the source: all are installations of a supposed PDF application called PDF SparkOnSoft.

Entry Point

In all cases the files were downloaded from the internet, suggesting the scammers placed malicious ads and/or poisoned chat-based AIs so that the download would appear legitimate.

Basic Information

The file is a small installer built with InnoSetup and contains details relating to a PDF app.
The first payload our solution prevented was signed with an Extended Validation certificate issued to Mainstay Crypto LLC by Sectigo.
The second and third payloads were signed by the same vendor; however, this time the certificate was issued by Microsoft.

The file’s properties indicate that it is PDF software and name the publisher as Mainstay Crypto.
The version remains 1.0.0.0 across samples, as the attackers likely didn’t modify the InnoSetup installer used to build the malicious payload.

Execution

When executed, all the samples first check whether they’re running under WINE, a Windows compatibility layer that allows Windows PE executables to run on Linux, macOS and other non-Windows operating systems. They do so by checking whether the function wine_get_version is exported by ntdll.dll, Windows’ Native API dynamic library, as this function only exists in WINE environments
(Microsoft’s ntdll has never exported this function).
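A small triage helper, added here as an example and not part of the original post or of the Deceptive Bytes platform: it scans a raw file image for the wine_get_version and ntdll.dll strings in both ASCII and UTF-16LE, which a sample that resolves the export at runtime has to carry somewhere unless it obfuscates them. The sample bytes are constructed stand-ins, not taken from the real installer, and the check is a heuristic that string obfuscation defeats.

```python
"""Triage helper: flag binaries carrying the WINE-environment probe strings."""
import re
import sys
from dataclasses import dataclass

# Strings a sample needs in order to resolve wine_get_version from ntdll at runtime.
INDICATORS = ("wine_get_version", "ntdll.dll")
ENCODINGS = ("ascii", "utf-16le")  # narrow and Windows wide strings


@dataclass
class Hit:
    indicator: str
    encoding: str
    offset: int


def find_wine_probe(data: bytes) -> list[Hit]:
    """Return every occurrence of an indicator string, in either encoding.
    Byte-level IGNORECASE only affects ASCII letters, so the interleaved
    NUL bytes of UTF-16LE still have to match literally."""
    hits: list[Hit] = []
    for indicator in INDICATORS:
        for enc in ENCODINGS:
            pattern = re.compile(re.escape(indicator.encode(enc)), re.IGNORECASE)
            hits.extend(Hit(indicator, enc, m.start()) for m in pattern.finditer(data))
    return sorted(hits, key=lambda h: h.offset)


def verdict(hits: list[Hit]) -> str:
    """ntdll.dll alone is normal; the wine_get_version name is the signal."""
    return "wine-probe" if any(h.indicator == "wine_get_version" for h in hits) else "clean"


# Constructed stand-ins (NOT real SparkOnSoft bytes): one carries the probe
# with the export name as a wide string, the other is a benign-looking stub.
SAMPLE = (b"MZ" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
          + b"\x00" * 16 + b"ntdll.dll\x00" + b"\x00" * 8
          + "wine_get_version".encode("utf-16le") + b"\x00" * 8)
BENIGN = b"MZ" + b"\x00" * 64 + b"kernel32.dll\x00GetTickCount\x00"


if __name__ == "__main__":
    # Usage: python wine_probe_triage.py <file> [<file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            found = find_wine_probe(fh.read())
        print(f"{path}: {verdict(found)}")
        for h in found:
            print(f"  {h.indicator} ({h.encoding}) @ 0x{h.offset:x}")
```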

Prevention

Since the above behaviour is a clear indication of malicious activity, as attackers check for WINE to detect being investigated by security services that use WINE for malware analysis, the Deceptive Bytes platform immediately stopped the attack and all the malware samples failed to infect our customers’ machines.

IOCs
