Cybersecurity experts have identified a sophisticated cybercrime operation leveraging deceptive advertising techniques to distribute a new information-stealing malware named TamperedChef. This campaign entices users to download and install a compromised PDF editor, leading to the unauthorized collection of sensitive data, including login credentials and web cookies.
Deceptive Distribution Tactics
The attackers have established multiple counterfeit websites promoting a free PDF editing software called AppSuite PDF Editor. Upon installation, the software presents users with standard prompts to agree to terms of service and privacy policies, creating an illusion of legitimacy. Unbeknownst to the user, the installer covertly communicates with an external server to download the actual PDF editor while simultaneously modifying the Windows Registry. These registry changes ensure the malicious executable launches automatically upon system reboot, embedding the malware deeply within the system.
Technical Analysis of the Malware
Security researchers from G DATA have conducted an in-depth analysis of the TamperedChef malware, revealing its multifaceted capabilities:
– Installation and Persistence: The malware creates scheduled tasks named `PDFEditorScheduledTask` and `PDFEditorUScheduledTask`. These tasks run the application with specific command-line arguments (`--cm=--partialupdate` and `--cm=--backupupdate`), triggering routines that establish communication with the command-and-control (C2) server.
– Cleanup Mechanism: An uninstaller component is designed to remove backdoor files, unregister the infected machine from the C2 server, and delete the scheduled tasks, potentially to evade detection during forensic analysis.
– C2 Communication: The malware initiates contact with the C2 server to receive instructions, which may include downloading additional malicious payloads, exfiltrating data, or modifying system configurations.
– Data Exfiltration: TamperedChef is programmed to query and extract data from browsers such as Chromium, OneLaunch, and Wave. It collects credentials, browsing history, and cookies, and can also alter browser settings, such as changing the default search engine.
– System Manipulation: The malware can terminate specific processes and execute arbitrary commands, granting attackers significant control over the compromised system.
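To turn the persistence indicators listed above into a host check, the following added example (not code from the article or from G DATA's analysis) runs the two task names and the two update switches over constructed output of `schtasks /query /fo csv /v`; the host name, user, and install path in the sample rows are assumptions, and the real command emits more columns than the sample shows.

```python
import csv
import io

# Indicators taken from the write-up: the scheduled task names and the
# command-line switches those tasks pass to the installed PDF editor binary.
TASK_NAMES = {"PDFEditorScheduledTask", "PDFEditorUScheduledTask"}
UPDATE_SWITCHES = ("--cm=--partialupdate", "--cm=--backupupdate")

# Constructed sample of `schtasks /query /fo csv /v` output, trimmed to a
# few of the columns the real command prints. Rows are matched by header
# name, so the full verbose column set parses the same way. Host name,
# user name and install path are assumptions, not values from the report.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"WS01","\PDFEditorScheduledTask","Ready","WS01\alice","""C:\Users\alice\AppData\Local\Programs\PDF Editor\pdfeditor.exe"" --cm=--partialupdate"
"WS01","\PDFEditorUScheduledTask","Ready","WS01\alice","""C:\Users\alice\AppData\Local\Programs\PDF Editor\pdfeditor.exe"" --cm=--backupupdate"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"WS01","\Backup\NightlyUpdate","Ready","WS01\alice","C:\Tools\backup.exe --update"
'''


def find_tamperedchef_tasks(schtasks_csv: str) -> list[dict]:
    """Return the rows whose task name or command line matches an indicator.

    Name and arguments are checked independently, so a task that was renamed
    but still carries the update switch is reported, and so is a task with
    the known name whose arguments were changed.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        # schtasks reports the task with its folder path, e.g. "\PDFEditorScheduledTask".
        name = row["TaskName"].rsplit("\\", 1)[-1]
        command = row.get("Task To Run", "")
        reasons = []
        if name in TASK_NAMES:
            reasons.append(f"task name {name}")
        for switch in UPDATE_SWITCHES:
            if switch in command.lower():
                reasons.append(f"argument {switch}")
        if reasons:
            hits.append({"task": row["TaskName"], "command": command, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_tamperedchef_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{hit['task']}: {', '.join(hit['reasons'])}")
```

On a live host, pipe the real `schtasks /query /fo csv /v` output into the function instead of the constructed sample.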
Campaign Timeline and Strategy
The malicious campaign is believed to have commenced on June 26, 2025, coinciding with the registration of several fraudulent websites and the initiation of at least five distinct Google advertising campaigns promoting the fake PDF editor. Initially, the software appeared benign, but it was designed to periodically check for updates from a JavaScript file containing specific command-line arguments. On August 21, 2025, these updates activated the malware’s information-stealing functionalities, marking the transition from a dormant state to active data exfiltration.
Broader Implications and Similar Threats
This incident is part of a broader trend where cybercriminals use deceptive software installers to distribute malware. For instance, the Fruity trojan campaign involved fake installers for utilities like CPU tuning tools and hardware monitoring applications, which secretly deployed the Remcos RAT. Similarly, the PNGPlug loader was used to deliver the ValleyRAT malware through counterfeit software installers targeting Chinese-speaking regions. These campaigns underscore the increasing sophistication of threat actors in crafting convincing lures to deceive users into compromising their systems.
Preventive Measures and Recommendations
To mitigate the risk of such malware infections, users are advised to:
– Download Software from Official Sources: Always obtain software directly from the official websites of the developers or trusted platforms to ensure authenticity.
– Verify Website Authenticity: Be cautious of websites that closely mimic legitimate ones. Check the URL carefully for any discrepancies or unusual domain names.
– Maintain Updated Security Software: Ensure that antivirus and anti-malware programs are up to date to detect and prevent the installation of malicious software.
– Exercise Caution with Advertisements: Be wary of clicking on ads, especially those offering free software downloads, as they may lead to malicious sites.
– Regularly Monitor System Behavior: Stay alert to any unusual system behavior, such as unexpected prompts or applications requesting elevated privileges, which may indicate malware activity.
By adopting these practices, users can significantly reduce the likelihood of falling victim to such deceptive malware campaigns.