Microsoft said today that hackers compromised a font package installed by a PDF editor app and used it to deploy a cryptocurrency miner on users’ computers.

The OS maker discovered the incident after its staff received alerts via the Windows Defender ATP, the commercial version of the Windows Defender antivirus.

Microsoft employees say they investigated the alerts and determined that hackers breached the cloud server infrastructure of a software company providing font packages as MSI files. These MSI files were offered to other software companies.

One of these downstream companies was using these font packages for its PDF editor app, which would download the MSI files from the original company’s cloud servers during the editor’s installation routine.

Hackers created a copy of the company’s cloud servers

“Attackers recreated the [first company’s] infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font packages, all clean and digitally signed, in the replica server,” Microsoft’s security researchers said.

“The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code,” they added.

“Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the [PDF editor] app. The parameters included a new download link that pointed to the attacker server,” Microsoft said.

Users who downloaded and ran the PDF editor app would unknowingly install the font packages, including the malicious one,…