TamperedChef Malware
Threat actors are distributing bogus installers that masquerade as widely used applications in a global malvertising campaign tracked as TamperedChef. Users who download these counterfeit programs inadvertently install malware that establishes persistence on the system and deploys a JavaScript backdoor for remote access and control. At the time of reporting, the campaign remained active, with new malicious artifacts still being detected and the associated infrastructure still operational.
Social Engineering and Trust Exploitation
The operators behind TamperedChef leverage social engineering techniques to maximize user trust and evade detection. Their methods include:
- Using familiar application names to entice downloads
- Deploying malvertising campaigns to reach users via online ads
- Employing Search Engine Optimization (SEO) tactics to appear in search results
- Signing malware with abused digital certificates, which lend an air of legitimacy
The code-signing certificates are often issued to shell companies registered in the U.S., Panama, and Malaysia. As older certificates are revoked, the attackers acquire new ones under different company names, so the installers keep the appearance of legitimacy. Infosec experts have described this infrastructure as highly organized, enabling a steady supply of trusted-looking installers. The practical consequence for defenders is that a valid Authenticode signature on one of these installers proves only that the binary has not been modified since signing, not that the publisher is trustworthy; the signer's subject and the age of the certificate need to be checked rather than the signature's validity alone.
Malware Family and Campaign Context
TamperedChef is part of a larger campaign codenamed EvilAI, which uses lures tied to artificial intelligence (AI) tools and software for malware distribution. While TamperedChef itself has become the widely adopted name for the malware family, it is also tracked as BaoLoader in some reports. The name TamperedChef helps maintain consistency across cybersecurity publications and vendor detections, even though it differs from the original TamperedChef malware embedded in a malicious recipe application.
How the Attack Unfolds
A typical attack scenario includes:
- Users searching for PDF editors or product manuals on search engines are served poisoned URLs or malicious ads.
- Clicking these links redirects users to booby-trapped domains, often registered via NameCheap, prompting them to download a fake installer.
- The installer asks users to agree to standard licensing terms, then opens a thank-you page in a new browser tab to maintain the ruse.
- In the background, an XML file is dropped, creating a scheduled task that launches an obfuscated JavaScript backdoor.
- The backdoor communicates with external servers, transmitting system metadata such as a session ID and a machine ID as encrypted, Base64-encoded JSON over HTTPS.
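The persistence step above (a dropped XML task definition that launches a script host against an obfuscated JavaScript file) is the part of the chain a defender can hunt for on an endpoint, because Task Scheduler definitions are plain XML that can be exported with `schtasks /Query /XML` or `Export-ScheduledTask`. The following triage script is an added example and is not code from the original report or from the campaign; the task definitions it parses are constructed samples, and the heuristics (script host in the action, a `.js`/`.jse`/`.wsf`/`.vbs` argument, a user-writable script location, a hidden task, a logon trigger, `//B` batch mode) are the author's own assumptions about what such a dropped task looks like, generalized slightly beyond the JavaScript case described on the page.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Windows Script Host binaries that execute JScript/JavaScript and VBScript.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")
# Directories a normal user can write to; a persistent script living here is a red flag.
# (Heuristic chosen for this example, not a list from the original report.)
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

# Constructed sample in the shape of the dropped task described above (paths are invented).
SUSPICIOUS_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\\Users\\victim\\AppData\\Roaming\\Updater\\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign sample: a vendor updater in Program Files on a daily schedule.
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def _tokenize(arguments):
    """Split a Windows command line into tokens, keeping quoted paths (with spaces) whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', arguments)]


def triage_task(xml_data):
    """Return (suspicious, findings) for one Task Scheduler XML definition.

    xml_data may be str or bytes. Exported task files are UTF-16 with an XML
    declaration; pass those as raw bytes and ElementTree honours the declaration.
    A task is flagged when a script host is launched with a script-file argument.
    """
    root = ET.fromstring(xml_data)
    findings = []

    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("runs at every logon (persistence)")

    script_host = script_file = False
    for exec_node in root.iterfind("t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        host = ntpath.basename(command)  # ntpath so Windows paths parse on any OS
        if host.lower() in SCRIPT_HOSTS:
            script_host = True
            findings.append(f"launches a script host: {host}")
        for tok in _tokenize(arguments):
            low = tok.lower()
            if low.endswith(SCRIPT_EXTENSIONS):
                script_file = True
                findings.append(f"script argument: {tok}")
                if any(marker in low for marker in USER_WRITABLE_MARKERS):
                    findings.append("script lives in a user-writable directory")
            elif low in ("//b", "/b"):
                findings.append("//B batch mode suppresses script errors and prompts")

    return (script_host and script_file), findings


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        flagged, notes = triage_task(xml)
        print(f"{name}: flagged={flagged}")
        for note in notes:
            print("  -", note)
```

In practice you would run `triage_task` over every file under `C:\Windows\System32\Tasks` (read as bytes) or over the output of `Export-ScheduledTask`, and treat any flagged task as a lead to pull the referenced script for analysis rather than as proof of compromise on its own; a legitimate admin script scheduled via `cscript.exe` will also trip the first two heuristics, which is why the location and hidden-task findings are reported separately.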
The end goals of the campaign remain unclear. Some malware variants facilitate advertising fraud, while others could be monetized through access sold to cybercriminals or by harvesting sensitive data for underground forums.
Geographic and Sector Impact
Telemetry indicates that U.S. users are the most affected, with additional infections reported in Israel, Spain, Germany, India, and Ireland. The sectors most impacted include healthcare, construction, and manufacturing, likely due to their frequent reliance on specialized equipment and online searches for product manuals, which the attackers exploit.