GrayZone Platform

Shell Companies, Code Signing, and the Architecture of PUA Campaigns

February 18, 2026 | 9 min read

Thomas Elkins and Joshua Green

BlueVoyant analyzed a sophisticated and extensive campaign that leverages corporate shell companies, professional infrastructure, and code-signing certificates to distribute potentially unwanted applications (PUAs). This operation has established a persistent, platform-like foothold on user systems through software that presents a façade of corporate legitimacy. It combines continuous system access with ongoing data collection. The campaign's organized, business-like model operates in a legal and digital gray area, creating a flexible foundation whose ultimate purpose remains obscured. By dissecting the interconnected entities, infrastructure, and technical behaviors of this operation, this analysis highlights a growing threat model in which actors build footholds by blurring the line between utility and abuse. The campaign underscores the need for the security community to broaden its focus beyond traditional malware definitions to address the significant privacy, security, and systemic risks posed by such gray-zone operations. 

It all began when the BlueVoyant Security Operations Center (SOC) investigated an incident in late January 2026 concerning the attempted loading of an application named EmailProtector.exe. Our Threat Fusion Cell (TFC) team quickly uncovered a widespread, connected operation focused on distributing PUAs. PUAs are software that, while not definitively classified as malware, exhibit behaviors that undermine user privacy, security, or system performance, often through deceptive marketing and excessive data collection. These applications are offered for free, requiring only a download to install, which lowers the barrier for user adoption. Pivoting from the initial sample (c7f32d1f0279c6ba97c8739355df08e2274e3173552348dd1de98be87d254d6b), the team identified a network of utility software titles sharing characteristics indicative of PUAs, focused on establishing persistence, routine network check-ins, and extensive system/user data collection. 

The EmailProtector application is written in the .NET Framework and contains the core functionality of the software. The EmailProtector installer, also implemented in .NET Framework, is responsible for downloading the application components, which are packaged in a ZIP archive hosted at hxxps[:]//cdn[.]emailprotector[.]ai/main/2.0.0.34/EmailProtector.zip.

During installation, the EmailProtector installer identifies the device’s geolocation, which is later used when transmitting device information. 

While the application does not appear to be inherently malicious, its persistent communication behavior raises concerns. The application beacons to its backend infrastructure approximately every three minutes and transmits a variety of system and environmental details, including: 

  • Geolocation data
  • Operating system type
  • Virtual machine detection status
  • Host information, such as:
    • Windows edition (Enterprise, Professional, Home, etc.)
    • Operating system version
    • System language
    • Architecture (32-bit or 64-bit)
    • Installed .NET Framework version
    • Processor details

Figure 1 packaged info

This persistent beaconing provides operators with continuous visibility into deployed installations and enables profiling of key system characteristics. The volume and frequency of this data transmission exceed what is typical for basic software functionality. In addition to its primary infrastructure, the application also communicates with the domain api[.]configtower[.]com, which is a common network indicator associated with other software utilities developed by the same organization. 
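A three-minute check-in cadence is a detectable signal in proxy or DNS logs. The script below is an added example (not code from the report or from BlueVoyant): it groups connections by source host and destination, measures the gaps between them, and flags pairs whose gaps cluster tightly around an expected period, then marks whether the destination is one of the indicator domains listed in this report. The log excerpt is constructed for the example, and the thresholds (period, tolerance, jitter, minimum count) are assumptions to tune for your own environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Domains named as campaign indicators in the report (defanging removed for matching).
INDICATOR_DOMAINS = {
    "configtower.com", "rolloutsystem.com", "ipcountrylookup.com",
    "securebrowsing.tech", "pchelper.ai", "buybricks.ai", "emailprotector.ai",
}

# Constructed proxy log excerpt (not real telemetry): "<UTC timestamp> <source host> <destination>".
SAMPLE_LOG = """\
2026-01-28T09:00:02Z host-17 api.configtower.com
2026-01-28T09:00:40Z host-17 updates.example-vendor.test
2026-01-28T09:01:10Z host-17 cdn.example-vendor.test
2026-01-28T09:03:01Z host-17 api.configtower.com
2026-01-28T09:06:03Z host-17 api.configtower.com
2026-01-28T09:09:00Z host-17 api.configtower.com
2026-01-28T09:12:02Z host-17 api.configtower.com
2026-01-28T09:25:44Z host-17 cdn.example-vendor.test
2026-01-28T09:47:03Z host-17 cdn.example-vendor.test
"""


def parse_log(text):
    """Turn each non-empty log line into (timestamp, source, destination)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst))
    return records


def matches_indicator(domain, indicators=INDICATOR_DOMAINS):
    """True if the domain is an indicator domain or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in indicators)


def find_beacons(records, expected_period=180, tolerance=0.15, max_cv=0.10, min_count=4):
    """Flag (source, destination) pairs whose connection gaps cluster around expected_period
    seconds. tolerance bounds how far the median gap may sit from the expected period;
    max_cv (coefficient of variation) bounds the jitter; min_count avoids flagging on noise."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if abs(median - expected_period) <= tolerance * expected_period and cv <= max_cv:
            flagged[pair] = {
                "count": len(times),
                "median_gap_s": median,
                "jitter_cv": round(cv, 3),
                "indicator_match": matches_indicator(pair[1]),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info}")
```

On the constructed excerpt only the api.configtower.com pair is flagged: five connections roughly 180 seconds apart with very low jitter, while the two example-vendor destinations either connect once or at irregular intervals. The periodicity test is independent of the indicator list, so it also surfaces unknown infrastructure beaconing on the same cadence; the indicator match is then a second, higher-confidence signal rather than the only one.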

EmailProtector also includes an update mechanism, named EmailProtectorUpdater.exe, that appears capable of contacting a remote server to download and execute additional binaries. Initial analysis of the binary shows that it is also written using the .NET Framework; however, the developers guarded the code using an unknown protector, hindering analysis of its functionality. 

Finally, EmailProtector provides a feature that allows users to submit passwords to determine whether they have appeared in known data breaches. 

Figure 2 password feature

This functionality uses an API request that transmits the submitted password in clear text to the server. The server then responds with information indicating whether the password has appeared in prior breach datasets. 
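The design flaw here is that the server (and anything on the path that can read the request) learns the candidate password itself. The block below is an added example, not the application's code: it contrasts the plaintext request pattern the report describes with a k-anonymity range query of the kind used by Have I Been Pwned's Pwned Passwords service, in which only the first five hex characters of the password's SHA-1 leave the client and the match is completed locally. The breach corpus and the server are simulated in-process with constructed data so the example runs offline.

```python
import hashlib
import json

# Constructed stand-in for the server-side breach dataset (not real breach data).
_BREACHED_PASSWORDS = {"password", "letmein", "correct horse battery staple"}
_BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_PASSWORDS}


def build_plaintext_request(password: str) -> bytes:
    """The pattern described in the report: the candidate password is placed in the request
    body as-is, so the operator's server and logs see the user's actual password."""
    return json.dumps({"password": password}).encode()


def build_range_request(password: str):
    """k-anonymity range query: hash locally, send only the 5-character prefix.
    The remaining 35 hex characters (the suffix) never leave the client."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def range_server(prefix: str):
    """Simulated server endpoint: returns every stored suffix sharing the prefix.
    It cannot tell which of those (if any) the client actually holds."""
    return sorted(h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix))


def is_breached(password: str) -> bool:
    """Client-side completion of the check: the match happens locally against the returned suffixes."""
    prefix, suffix = build_range_request(password)
    return suffix in range_server(prefix)


def request_reveals_password(request_bytes: bytes, password: str) -> bool:
    """Helper for comparing the two designs: does the wire payload contain the password itself?"""
    return password.encode() in request_bytes


if __name__ == "__main__":
    pw = "hunter2"
    print("plaintext body:", build_plaintext_request(pw))
    prefix, _ = build_range_request(pw)
    print("range query sends only:", prefix)
    print("'password' breached:", is_breached("password"))
```

The range query still depends on TLS for transport and on the client trusting the server's response, but it removes the most serious exposure: a server that receives only a five-character prefix, shared by a large number of unrelated hashes, cannot recover the user's password from the request or retain it in logs.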

A central element of this operation is the use of digital certificates to confer a false sense of legitimacy. The EmailProtector application was signed with a certificate that was also observed on over 2,300 samples and was still valid as of 18 February 2026. Activity related to these applications had been observed since August 2025 and many were digitally signed by a company named Secure PC Software LLC. This company, a Delaware-registered LLC using a virtual office address in Florida, appears to be subordinate to another Delaware-based LLC operating out of Florida, SoftLabs.AI Inc. 

Among the various application titles found were PCHelperAI, WinAI, OnBrowser, OneBrowser, BuyBricksAI, BrowserFixer, CookieSheriff, and NotesInstaller. Notably, several of these titles incorporate "AI" branding, a common marketing tactic to suggest advanced functionality and modernity, despite the applications offering minimal or non-existent artificial intelligence capabilities. 

Figure 3 pchelperai

Analysis of the websites associated with these entities (securepc[.]ai, softlabs[.]ai) found them to contain limited verifiable business detail. The securepc[.]ai site was registered in April 2025 and contains some basic descriptions as a company building trusted apps with some brief details of a few of the tools (BrowserFixer, PCHelperAI, CamMic Project, and BuyBricksAI). SoftLabs.AI Inc’s domain was registered in August 2021 and presents generic marketing content, but it lacks any specific product information. Neither site provides a physical/mailing address or details about employees or leadership, instead offering only a contact form. The SoftLabs.AI Inc site even provides a quote from an unnamed CEO. 

Figure 4 soft labs

While many recent application samples are detected by antivirus engines as suspicious or malicious, early versions often went undetected. All the applications appeared to reach out to a common set of network indicators such as ipcountrylookup[.]com, configtower[.]com, and rolloutsystem[.]com, with the last two likely part of the campaign infrastructure. Notably, some samples also connected to a separate domain, securebrowsing[.]tech. Pulling this thread revealed another approximately 100 samples under the application titles: PCOptimizer, WebShield, SecureWebShield, Notes, and CamMicSentinel. Some of those were digitally signed with a certificate from the entity Secure Browsing Technologies LLC, which turned out to be another Delaware-registered shell company. 

The operation's distribution infrastructure exhibits a high degree of organization, leveraging professional cloud services by being exclusively hosted on Cloudflare. Applications are served from dedicated subdomains (e.g., cdn[.]pchelper[.]ai), while some files and variants were found in Cloudflare R2 buckets (*.r2.dev). Analysis of related URL paths reveals a structure that mirrors a formal software development lifecycle, complete with references to feature branches (/feature-), release versions (/release-), and hotfixes (/hotfix-). 

Digging deeper, the TFC identified a potential link to a third-party software development firm, BlobStation. Multiple samples contained artifacts referencing 'blobstation'. BlobStation is a company that bills itself as a rapidly growing software development firm based in India and operating in the U.S. and Canada. The nature of this connection—whether direct development support or the reuse of its public resources—remains unclear. 

Cursory analysis of samples for PCHelperAI and BuyBricksAI confirms a structure similar to the one described in BlueVoyant's research of EmailProtector. Sandbox analysis revealed significant behavioral overlaps, pointing to a common underlying architecture. Each sample contained an updater executable equivalent to the one described for EmailProtector above. Further, the samples exhibited sandbox evasion techniques and engaged in similar data collection, gathering user, system, and browser information. Also, they each communicated with domain-specific telemetry endpoints (e.g., events[.]buybricks[.]ai/api/v1/events, events[.]pchelper[.]ai/api/v1/events). Interestingly, BuyBricksAI.exe contained embedded strings referencing cryptocurrency-mining domains (e.g., jsecoin[.]com, coinhive[.]com). Persistence mechanisms did differ somewhat, with BuyBricksAI.exe setting file extension default programs and PCHelperAI.exe installing a Task Scheduler Managed Wrapper.  
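The structural fingerprints in the two preceding technical paragraphs (the Cloudflare R2 buckets and /feature-, /release-, /hotfix- path segments of the distribution infrastructure, the per-brand events.<domain>/api/v1/events telemetry endpoints, and the shared signing certificates) can be turned into a triage rule for clustering new samples. The block below is an added example, not BlueVoyant's tooling: it scores constructed sample metadata (signer fingerprint plus contacted URLs, as a sandbox or static-strings pass would yield) against the certificate fingerprints and domains listed in this report's Indicators section. The verdict rule, the sample labels and the example-vendor URLs are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Indicators from the report, with defanging removed so they compare programmatically.
IOC_CERT_FINGERPRINTS = {
    "1a18be6654b1647b4d01e421e95c01257fc318d68b3e3ac331f0ab9aa3dccb77",  # Secure PC Software LLC
    "e0fe1af3b55f3f448eddaa6a9460f64e0f013da766094b172f0fd686a119553a",  # Secure Browsing Technologies LLC
}
IOC_DOMAINS = {
    "configtower.com", "rolloutsystem.com", "ipcountrylookup.com",
    "securebrowsing.tech", "pchelper.ai", "buybricks.ai", "emailprotector.ai",
}

# Structural patterns the report describes for this campaign's infrastructure.
R2_BUCKET_RE = re.compile(r"^[a-z0-9-]+\.r2\.dev$", re.I)        # Cloudflare R2 bucket hosts
SDLC_PATH_RE = re.compile(r"/(feature|release|hotfix)-[^/]+", re.I)  # SDLC-style path segments
TELEMETRY_HOST_RE = re.compile(r"^events\.[^/]+$", re.I)          # events.<brand domain>


@dataclass
class Sample:
    label: str                          # constructed label, not a real file hash
    signer_fingerprint: Optional[str]   # SHA-256 of the signing certificate, if signed
    urls: list = field(default_factory=list)


def domain_in_set(host, domains):
    """Exact or subdomain match against a set of bare domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(sample):
    """Collect the campaign signals a sample exhibits and decide whether it belongs in the cluster.
    Assumed verdict rule: the known certificate alone suffices; otherwise two distinct signals."""
    reasons = set()
    if sample.signer_fingerprint and sample.signer_fingerprint.lower() in IOC_CERT_FINGERPRINTS:
        reasons.add("known-campaign-certificate")
    for url in sample.urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if domain_in_set(host, IOC_DOMAINS):
            reasons.add("contacts-campaign-domain")
        if R2_BUCKET_RE.match(host):
            reasons.add("r2-bucket-hosting")
        if SDLC_PATH_RE.search(parsed.path):
            reasons.add("sdlc-style-path")
        if TELEMETRY_HOST_RE.match(host) and parsed.path.startswith("/api/v1/events"):
            reasons.add("events-telemetry-endpoint")
    strong = "known-campaign-certificate" in reasons
    verdict = "cluster-candidate" if strong or len(reasons) >= 2 else "no-match"
    return {"sample": sample.label, "verdict": verdict, "reasons": sorted(reasons)}


# Constructed sample metadata for the example (not samples from the report).
SAMPLES = [
    Sample("constructed-A", "1a18be6654b1647b4d01e421e95c01257fc318d68b3e3ac331f0ab9aa3dccb77", [
        "https://cdn.pchelper.ai/release-2.1.0/PCHelperAI.zip",
        "https://events.pchelper.ai/api/v1/events",
        "https://api.configtower.com/config",
    ]),
    Sample("constructed-B", None, ["https://pub-0123abcd.r2.dev/hotfix-3/Installer.zip"]),
    Sample("constructed-C", "0" * 64, ["https://updates.example-vendor.test/v2/manifest.json"]),
    Sample("constructed-D", None, ["https://downloads.example-vendor.test/release-1.0/setup.exe"]),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```

Samples A and B land in the cluster (A on the certificate, B on two structural signals), while C has no signals and D has only one: a /release- path on an unrelated host is exactly the kind of thing legitimate CI pipelines also produce, which is why the structural regexes are treated as corroborating evidence rather than verdicts on their own. The certificate and domain lists are the parts to keep current as the campaign rotates infrastructure.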

Regarding the applications themselves, PCHelperAI presented a basic user interface providing ways to kill running processes and adjust computer volume via a chat text window; however, attempted usage of the BuyBricksAI application in the sandbox resulted in a blank window, showing a failure to even perform its advertised function. 

Figure 5 buybricksai

Collectively, these technical behaviors, combined with the opaque corporate structure, indicate an operation with some level of focus on establishing a persistent foothold and harvesting information while providing some basic utility. More critically, the infrastructure, code-signing capability, and established user foothold this campaign creates represent a mature platform operating in a legal and digital gray area, a platform that could potentially be leveraged or co-opted for more disruptive or destructive security threats in the future. 

This analysis shares significant overlap with other recent investigations that concerned gray-zone software that later turned into a backdoor access campaign, collectively tracked as TamperedChef or EvilAI. As described in November by Acronis, the TamperedChef campaign consisted of a highly organized, business-like model, relying on networks of shell companies and abused digital certificates to confer false legitimacy and evade detection. Further, the strategic patience observed in the TamperedChef/EvilAI activity is notable; a January 2026 Sophos report on TamperedChef detailed a dormant deployment period of ~56 days that aligned with paid advertising campaign durations to maximize infections before triggering malicious behavior. 

The overlap does not mean this PUA operation is a ticking time bomb like the TamperedChef/EvilAI campaign. The high-volume data collection, coupled with the professionalized infrastructure and marketing facades—which rely on offering software for free to maximize installations—is consistent with a business model oriented towards monetization. While the exact method is unconfirmed, potential avenues include the direct sale or licensing of aggregated user and system data, the abuse of affiliate marketing or pay-per-install networks by artificially inflating install counts, or potential future sale of access to an established, persistently linked user base. 

Nevertheless, these patterns highlight a systemic challenge that extends beyond any single vendor's detection capabilities and into the domains of corporate law, digital trust, and platform governance. Effectively countering this evolving gray-zone threat demands a collaborative, cross-disciplinary focus on its underlying enablers. Key questions for policymakers, certificate authorities, and the defense community include: How can digital trust mechanisms (like code-signing certificates) be reformed to prevent abuse by shell companies? What legal or regulatory frameworks could increase transparency for corporate entities registering as software publishers? And how can the cybersecurity community better map and disrupt the intertwined infrastructure, financial, and development ecosystems that sustain these operations? The rise of AI-assisted development and content generation tools further lowers the barrier to creating and marketing these sorts of applications, making this systemic challenge both more prevalent and more difficult to distinguish from legitimate innovation. Addressing these questions is critical to dismantling the business models that allow such pseudo-legitimate platforms to flourish. 

Conclusion 

This campaign highlights a sophisticated and growing threat model, where entities are constructing multi-layered facades of legitimacy—complete with registered corporate entities, code-signed certificates, and professional cloud infrastructure—to distribute potentially unwanted applications (PUAs). By operating in the gray area between utility and abuse, these applications often evade traditional security filters by establishing persistent access and engaging in data collection, thereby compromising user privacy and system integrity and creating a resilient platform for potential future escalation. 

For defenders, this underscores the need to: 1) expand threat detection beyond binary malware classification; 2) scrutinize software supply chains and certificate legitimacy; and 3) increase user awareness of the risks posed by broadly marketed "grayware" and system utilities. The line between legitimate software and a malicious payload is increasingly blurred, demanding a more nuanced and vigilant security posture.

MITRE ATT&CK Techniques 

T1553.002 (Code Signing) 

T1053.005 (Scheduled Task) 

T1082 (System Information Discovery) 

T1071.001 (Web Protocols) 

T1588.004 (Digital Certificates) 

T1583.001 (Domains) 

T1497.001 (System Checks) 

T1217 (Browser Information Discovery) 

T1614.001 (System Language Discovery) 

T1590.005 (IP Addresses) 

T1074.001 (Local Data Staging) 

Indicators 

1a18be6654b1647b4d01e421e95c01257fc318d68b3e3ac331f0ab9aa3dccb77 – Secure PC Software LLC Digital Certificate Fingerprint 

e0fe1af3b55f3f448eddaa6a9460f64e0f013da766094b172f0fd686a119553a – Secure Browsing Technologies LLC Digital Certificate Fingerprint 

c7f32d1f0279c6ba97c8739355df08e2274e3173552348dd1de98be87d254d6b – EmailProtector.exe 

hxxps[:]//cdn[.]emailprotector[.]ai/main/2.0.0.34/EmailProtector.zip 

securepc[.]ai 

softlabs[.]ai 

ipcountrylookup[.]com 

configtower[.]com 

rolloutsystem[.]com 

securebrowsing[.]tech 

pchelper[.]ai 

buybricks[.]ai 
