Key Findings
- Kroll has seen widespread installation of an application, "Calendaromatic", which it is classifying as a Potentially Unwanted Program (PUP) – Adware.
- Calendaromatic displays some functionality that gives it the potential to be used for conducting more malicious activity through a homoglyph parsing function.
- Activity has been observed across all sectors, but the education sector has been affected the most.
- The activity serves as a reminder of PUP applications downloaded through untrusted sources that could, in future, be used maliciously.
Kroll has recently seen widespread installation of an application called Calendaromatic, which Kroll Threat Intelligence (TI) is currently classifying as a potentially unwanted program (adware) but which displays some functionality that gives it the potential to conduct more malicious behaviors.
Observations began in early September 2025 and continue to this day. Although the activity was observed across a wide variety of sectors, organizations in the education sector were notably affected. The application appears to provide calendar functionality to users. Further, its website, calendaromatic[.]com, shows what looks like a macOS screenshot of the tool, conflicting with the description of it being a Windows application. There also appears to be no direct way to download the tool from the website, which displays only a "request a demo" button.

Figure 1: Calendaromatic Domain
The domain appears to have been created recently, on August 14, 2025, according to WHOIS registration data. This aligns closely with the signature date of the application binary, which was August 27, 2025.
It is likely that victims downloaded and installed the application through malicious advertising (malvertising), which would likely have appeared at the top of search engine results for calendar applications. A self-extracting and executing archive file is first downloaded to the victim, which contains an executable and an additional file that appears to contain the majority of the logic for the application, including reaching out to the initial domain for calendar updates. The application is built using the NeutralinoJS framework, which allows desktop apps to be developed with web technologies, and is digitally signed by "CROWN SKY LLC."
In the majority of cases, anti-virus (AV) or endpoint detection and response (EDR) quickly detected and eradicated the threat, but in a few instances a command was identified that opened a Google Chrome window, displaying advertisements from one of the following domains:
ovementxview[.]com
lovetravellinga[.]com
theworldwhoisquite[.]com
These domains each appear to serve a simple webpage with search engine functionality, containing adverts for well-known brands. Using the search or clicking on each link appears to correctly redirect users to the legitimate website or the expected search results, therefore displaying simple adware behavior. Kroll observed this exact adware behavior in July 2025, when a different application, RecipeLister, was loading identical web pages on different domains, alongside highly suspicious external connections and attempts to gather browser credentials.

Figure 2: Advertising Domains Launched by Application
The Calendaromatic application appears to connect out to the original domain that was used for download, hitting several API endpoints and gathering JSON data. The supporting JavaScript file appears to facilitate this activity. Guidepoint highlights a function in this JavaScript file that scans every character in the API response, looking for Unicode homoglyphs. These are characters that look similar to ASCII characters when read, but whose Unicode values differ, so they are interpreted differently during processing. Guidepoint proceeds to demonstrate a proof of concept using the theory that the actor controlling the JSON could hide homoglyph hyphens and dash characters in the text, which would then be scanned and collated by the aforementioned function. They demonstrate this by spawning calc.exe via the application's routine “GET” request.
Across the wide range of Kroll case observations, no inherently malicious activity was observed. The activity observed is currently being classed as PUP Adware. The additional research discussed serves as a reminder that applications downloaded through untrusted sources, even if initially not malicious, could potentially contain code that, in future, could be used for malicious purposes based on threat actor intent.
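A defender-side check for the homoglyph behavior described above, as an added example that is not code from Kroll, Guidepoint or the application: it walks a JSON API response and reports string fields that carry Unicode dash look-alikes. The code point set, thresholds, function names and sample responses are assumptions constructed for illustration.

```javascript
// Code points that render like the ASCII hyphen-minus (U+002D). This set is
// an assumption for illustration, not the list the application's parser uses.
const DASH_LOOKALIKES = new Set([
  0x2010, 0x2011, 0x2012, 0x2013, 0x2014, 0x2015, // hyphen .. horizontal bar
  0x2212, 0xFE58, 0xFE63, 0xFF0D,                 // minus, small and fullwidth forms
]);

// Walk a parsed JSON value; for every string containing look-alikes, record
// its JSON path, the total count, and a per-code-point breakdown.
function findDashHomoglyphs(value, path = "$", hits = []) {
  if (typeof value === "string") {
    const counts = {};
    let total = 0;
    for (const ch of value) {
      const cp = ch.codePointAt(0);
      if (!DASH_LOOKALIKES.has(cp)) continue;
      const key = "U+" + cp.toString(16).toUpperCase().padStart(4, "0");
      counts[key] = (counts[key] || 0) + 1;
      total++;
    }
    if (total > 0) {
      hits.push({ path, total, distinct: Object.keys(counts).length, counts });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findDashHomoglyphs(v, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      findDashHomoglyphs(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Ordinary text may contain one kind of typographic dash; a single field that
// mixes several kinds, or carries many, is worth review. Thresholds are assumptions.
function isSuspicious(hits, minDistinct = 3, minTotal = 8) {
  return hits.some((h) => h.distinct >= minDistinct || h.total >= minTotal);
}

// Constructed sample responses (not captured traffic).
const benign = JSON.parse('{"events":[{"title":"Mid-term review","when":"10:00\u201311:00"}]}');
const odd = JSON.parse('{"events":[{"title":"Team\u2010sync \u2013 Q3\u2014plan \u2212 notes"}]}');

for (const [name, body] of [["benign", benign], ["odd", odd]]) {
  const hits = findDashHomoglyphs(body);
  console.log(name, isSuspicious(hits) ? "REVIEW" : "ok", JSON.stringify(hits));
}
```

Run against proxy-captured or replayed API responses, the per-field breakdown shows which JSON path to inspect; the thresholds need tuning against the normal typography of the feeds in your environment.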

