TamperedChef Stealer
Cybersecurity researchers have uncovered a malicious campaign that leverages deceptive online ads to distribute a new information stealer known as TamperedChef. The operation relies on malvertising to funnel users to fraudulent sites where they are persuaded to download a trojanized PDF editor.
Trojanized PDF Editor as the Lure
The fake software, promoted as AppSuite PDF Editor, tricks users into installing what appears to be a legitimate tool. During installation, victims are presented with a terms of service agreement, giving the illusion of legitimacy. Behind the scenes, however, the installer covertly connects to a remote server to drop the editor application while simultaneously altering the Windows Registry to establish persistence.
The installer ensures that the program launches automatically after a reboot by embedding command-line arguments (--cm) into the Registry. These arguments enable the malware to receive instructions for executing different malicious routines.
Timeline of the Attack
Investigations suggest the campaign began on June 26, 2025, coinciding with the registration of several counterfeit sites and the launch of at least five Google ad campaigns promoting the PDF editor. Initially, the program appeared non-threatening, but it was designed to repeatedly check for updates from a remote server.
On August 21, 2025, nearly two months later, infected machines began receiving instructions that activated TamperedChef’s malicious payload. This staged approach allowed attackers to maximize the number of victims before enabling the malware.
TamperedChef’s Malicious Capabilities
Once activated, TamperedChef performs reconnaissance by identifying installed security tools and forcibly shutting down web browsers. This grants it access to sensitive data such as stored credentials and cookies.
Further analysis revealed that the malware-laced editor also functions as a backdoor with multiple command-line options. These enable persistence, cleanup, communication with command-and-control (C2) servers, and manipulation of browser data.
Key Functions Identified:
--install: Creates scheduled tasks (PDFEditorScheduledTask, PDFEditorUScheduledTask) that run with update and backup arguments to trigger check and ping operations.
--cleanup: Executed by the uninstaller to erase backdoor components, unregister the host, and remove scheduled tasks.
--ping: Establishes C2 communication to receive instructions for downloading more malware, altering the Registry, and exfiltrating data.
--check: Contacts the C2 for configuration updates, steals credentials, reads browser keys, and modifies Chromium, OneLaunch, and Wave browsers.
--reboot: Similar to --check but also capable of terminating specific processes.
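As an added illustration (not code from the report or from the researchers), the following Python helper hunts persistence records for the indicators named above: the two scheduled task names and the --cm / --install / --cleanup / --ping / --check / --reboot switches. The record format, the install path and the exact argument layout are assumptions, since the report does not give them; the sample entries are constructed.

```python
"""Hunt scheduled-task and Registry Run entries for TamperedChef indicators.

Added example, not part of the original report. Only the task names and the
command-line switches come from the report; everything else is an assumption.
"""
import re

# Task names and switches as given in the report.
SUSPECT_TASKS = {"PDFEditorScheduledTask", "PDFEditorUScheduledTask"}
SUSPECT_SWITCHES = {"--cm", "--install", "--cleanup", "--ping", "--check", "--reboot"}

# Matches long-form switches such as "--cm" or "--check" anywhere in a command line.
SWITCH_RE = re.compile(r"--[a-z]+")


def score_record(record: dict) -> list[str]:
    """Return the TamperedChef indicators found in one persistence record.

    Record shape (assumed for this example): {'source': 'task' | 'run_key',
    'name': <task or value name>, 'command': <full command line>}.
    """
    hits = []
    if record["source"] == "task" and record["name"] in SUSPECT_TASKS:
        hits.append(f"task name {record['name']}")
    for switch in SWITCH_RE.findall(record["command"]):
        if switch in SUSPECT_SWITCHES:
            hits.append(f"switch {switch}")
    return hits


def hunt(records: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (name, indicators) for every record that carries an indicator."""
    scored = ((r["name"], score_record(r)) for r in records)
    return [(name, hits) for name, hits in scored if hits]


# Constructed sample records; the paths and switch layout are placeholders.
SAMPLE_RECORDS = [
    {"source": "task", "name": "PDFEditorScheduledTask",
     "command": r"C:\PLACEHOLDER\PDF Editor\pdfeditor.exe --cm --check"},
    {"source": "task", "name": "PDFEditorUScheduledTask",
     "command": r"C:\PLACEHOLDER\PDF Editor\pdfeditor.exe --cm --ping"},
    {"source": "run_key", "name": "PDF Editor",
     "command": r"C:\PLACEHOLDER\PDF Editor\pdfeditor.exe --cm"},
    {"source": "task", "name": "OneDrive Standalone Update Task",
     "command": r"C:\PLACEHOLDER\OneDrive\OneDriveStandaloneUpdater.exe"},
]

if __name__ == "__main__":
    for name, indicators in hunt(SAMPLE_RECORDS):
        print(f"{name}: {', '.join(indicators)}")
```

The benign OneDrive entry is included to show that a record without either a listed task name or a listed switch produces no hit.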
Strategic Abuse of Ad Campaigns
The attackers’ choice of timing is notable. The 56-day delay between campaign launch and malicious activation closely matches the typical 60-day lifespan of Google ad campaigns. This suggests the threat actors deliberately allowed the ads to run their full course, maximizing exposure and downloads before unleashing TamperedChef’s full capabilities.