TamperedChef Infostealer Distributed via Deceptive PDF Editor: A Comprehensive Overview
Threat actors have been leveraging multiple websites promoted through Google Ads to distribute a convincing PDF editing application that delivers an info-stealing malware known as TamperedChef. This campaign is part of a broader operation involving various applications that can download one another, some of which deceive users into enrolling their systems in residential proxy networks. Over 50 domains have been identified as hosting these deceptive applications, which are signed with fraudulent certificates issued to at least four different companies. According to researchers, the campaign appears to be extensive and well-coordinated: the operators deliberately waited for the ads to run their course before activating the malicious components within the applications.
A technical analysis conducted by the cybersecurity services company Truesec outlines how the TamperedChef infostealer is delivered to users' systems. Researchers discovered that the malware was disseminated through multiple websites promoting a free tool called AppSuite PDF Editor. Based on internet records, the investigation revealed that the campaign commenced on June 26, when many of the involved websites were either registered or began advertising AppSuite PDF Editor. However, the researchers noted that the malicious application had been scanned by the VirusTotal malware-scanning service as early as May 15. The program functioned normally until August 21, when it received an update that activated its malicious capabilities, which are designed to collect sensitive data such as credentials and web cookies.
Categories: Malware Distribution, Cybersecurity Threats, Online Advertising Exploitation
Tags: TamperedChef, Info-stealing, Malware, PDF Editor, Google Ads, Residential Proxies, Fraudulent Certificates, Cybersecurity, Data Protection, Campaign