Malicious Appsuite PDF Editor Spreads Tamperedchef Malware
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A large cybercrime campaign has been observed involving multiple fraudulent websites promoted through Google advertising. The campaign aims to trick users into downloading and installing a trojanized PDF editor containing the TamperedChef information-stealing malware. The malware harvests sensitive data, including credentials and web cookies. The campaign began on June 26, 2025, with the PDF editor initially appearing harmless but later activating malicious capabilities. The threat actor used Google advertising to promote the PDF editor, with at least 5 different campaign IDs observed. The malware's activation occurred 56 days after the campaign's start, coinciding with a typical Google ad campaign duration. The threat actor has a history of distributing malicious code disguised as free utility tools, and this campaign has successfully affected several European organizations.
OPENCTI LABELS :
information stealer, credential theft, obfuscation, trojanized software, tamperedchef, google advertising, appsuite pdf editor
AI COMMENTARY :
1. The report Malicious Appsuite PDF Editor Spreads Tamperedchef Malware highlights a deceptive cybercrime campaign that leverages Google advertising to distribute a trojanized PDF editor. Enticed by promises of a free and fully functional Appsuite PDF Editor, unsuspecting users are directed to fraudulent websites designed to facilitate the download of a manipulated installer.
2. The campaign was first observed on June 26, 2025, when threat actors launched at least five distinct advertisement IDs through Google’s advertising network. These ads appeared legitimate, featuring polished promotional material and well-crafted landing pages that mimicked official software vendors. In the early stages of the operation the PDF editor behaved as harmless utility software, building user trust while the malicious capability remained dormant inside the installer.
3. Once installed, the trojanized software activates the TamperedChef information-stealing malware after a dormancy period of 56 days. This delay aligns with typical Google ad campaign durations, enabling the threat actors to avoid early detection by security researchers. When triggered, TamperedChef systematically harvests sensitive data, including user credentials, web cookies, and other personal information that can be leveraged for further attacks or sold on underground forums.
4. TamperedChef’s sophisticated obfuscation techniques make it difficult for signature-based antivirus solutions to detect its presence. The malware injects itself into legitimate processes, hides its files behind seemingly benign names, and employs dynamic code updates to evade reverse engineering efforts. As an information stealer with a focus on credential theft, it can exfiltrate login data for email accounts, banking portals, and corporate networks.
5. The threat actor behind this campaign has a documented history of distributing malicious code under the guise of free utility tools. Previous operations involved trojanized software for system optimization and media playback. In this latest wave, the Appsuite PDF Editor serves as the vehicle for TamperedChef, demonstrating the actor’s continued innovation in social engineering and malware deployment methods.
6. Several European organizations have already fallen victim to this campaign, experiencing unauthorized access and data breaches. The stolen credentials and session cookies have enabled attackers to infiltrate internal systems, escalate privileges, and exfiltrate confidential files. The impact extends beyond individual users, posing a significant risk to corporate networks and critical infrastructure.
7. To mitigate the threat posed by trojanized software and information stealers like TamperedChef, organizations should implement robust endpoint detection and response solutions, enforce multi-factor authentication, and conduct regular software integrity checks. Security teams must monitor advertising channels for malicious campaigns and collaborate with Google to take down fraudulent ads. Finally, educating users about the risks of downloading software from unverified sources will help reduce the success of such credential theft operations.