
Potentially Unwanted Applications (PUAs) weaponized for covert delivery

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

A malware distribution campaign leveraging digitally signed binaries, deceptive packaging, and browser hijackers has been uncovered. The campaign centers on two malicious applications, ImageLooker.exe and Calendaromatic.exe, delivered via self-extracting 7-Zip archives. These artifacts align with the TamperedChef malware campaign, which uses trojanized productivity tools for initial access and data exfiltration. The malware employs the NeutralinoJS framework, Unicode homoglyphs, and multiple digital signers to bypass detection. The campaign exploits user behavior through SEO poisoning and malvertising, masquerading as legitimate software. This approach highlights the evolving tactics of threat actors in weaponizing PUAs and abusing digital code signing to evade security measures.

OPENCTI LABELS :

malvertising,seo-poisoning,pua,cve-2025-0411,7-zip,neutralinojs,imagelooker,digital-signing,trojanized-productivity-tools,code-signing-abuse,calendaromatic,browser-hijacker


AI COMMENTARY :

1. In recent weeks, security researchers have uncovered a sophisticated campaign in which Potentially Unwanted Applications (PUAs) have been weaponized for covert delivery, shedding light on the ever-evolving threat landscape. The operation centers on two malicious Windows applications, ImageLooker.exe and Calendaromatic.exe, that masquerade as legitimate productivity tools. Behind the scenes, these programs align with the TamperedChef malware campaign, leveraging techniques that highlight the ingenuity of modern threat actors and their relentless focus on code-signing abuse.

2. The initial infection vector exploits user behavior through malvertising and SEO poisoning, guiding unsuspecting victims to download self-extracting 7-Zip archives. These archives contain trojanized productivity tools, a key hallmark of the campaign, and rely on the trusted 7-Zip format to appear innocuous. Once executed, the binaries unpack seamlessly and launch the malware without raising suspicion, demonstrating how attackers combine simple compression methods with social engineering to bypass perimeter defenses.

3. To evade detection and maintain persistence, the adversaries employ multiple layers of stealth. The malware is built on the NeutralinoJS framework, enabling cross-platform code while maintaining a lightweight footprint. Unicode homoglyphs are used within filenames and registry entries to prevent easy identification, and multiple digital-signing certificates are applied in sequence. This code-signing abuse with genuine certificates dramatically reduces the likelihood of triggering alerts in enterprise security solutions and underscores the challenge of trusting signed executables.

4. Once the trojanized tools are deployed, they unleash browser-hijacker components designed to redirect web traffic and harvest credentials from popular sites. The Calendaromatic executable, in particular, injects itself into default calendar applications and live tiles, ensuring it remains active even after system reboots. ImageLooker, on the other hand, monitors image directories for file exfiltration, sending snapshots to remote command-and-control servers. Through these dual vectors, the campaign secures initial access and facilitates ongoing data theft.

5. Behind the scenes, the attackers exploit a known vulnerability, CVE-2025-0411, to escalate privileges where possible and disable certain security features. By chaining this exploit with malvertising-driven installs, they achieve widespread distribution and maintain a low detection rate. The use of SEO poisoning ensures new victims continually discover counterfeit download sites, feeding the infection cycle and demonstrating how threat actors adapt traditional PUA techniques for advanced intrusion operations.

6. Mitigating this threat requires a layered defense approach. Organizations should enforce strict controls over code execution policies, verify digital-signing certificates against trusted root authorities, and monitor for anomalous use of NeutralinoJS processes. User education programs must highlight the risks of malvertising, while security teams should apply patches for CVE-2025-0411 without delay. By combining robust endpoint detection, web filtering, and proactive threat hunting, defenders can disrupt the covert delivery mechanisms employed in this PUA-centric campaign and stay ahead of evolving threats.
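The homoglyph technique described in item 3 and the hunting guidance in item 6 can be turned into a simple filename triage check. The following is an added example written for this page, not code from the report or from OpenCTI; the file names it scans are constructed samples, and the check flags names whose letters mix Unicode scripts or change under NFKC normalization.

```python
import unicodedata

# Constructed sample file names for the demo (not indicators from the report).
# Two use Cyrillic letters in place of Latin ones; one uses a fullwidth 'I'.
SAMPLE_NAMES = [
    "ImageLooker.exe",
    "Calendar\u043Ematic.exe",   # Latin 'o' replaced by Cyrillic 'о' (U+043E)
    "Im\u0430geLooker.exe",      # Latin 'a' replaced by Cyrillic 'а' (U+0430)
    "\uFF29mageLooker.exe",      # fullwidth 'Ｉ' (U+FF29) folds to 'I' under NFKC
    "report_2024.pdf",
]


def script_of(ch):
    """Script prefix of a letter's Unicode name (e.g. 'LATIN', 'CYRILLIC'), else None."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else None


def analyze_name(name):
    """Return (suspicious, scripts, folded) for one file name.

    suspicious is True when the letters span more than one script (a homoglyph
    mix such as Latin + Cyrillic) or when NFKC folding changes the name
    (fullwidth or other compatibility forms masquerading as ASCII).
    """
    folded = unicodedata.normalize("NFKC", name)
    scripts = sorted({s for s in (script_of(c) for c in folded) if s})
    mixed_scripts = len(scripts) > 1
    changed_by_folding = folded != name
    return (mixed_scripts or changed_by_folding, scripts, folded)


def flagged_names(names):
    """Return the subset of names that analyze_name marks as suspicious."""
    return [n for n in names if analyze_name(n)[0]]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        suspicious, scripts, folded = analyze_name(n)
        print(f"{suspicious!s:5} scripts={scripts} name={n!r} folded={folded!r}")
```

Run it over a directory listing from a suspicious download folder; a hit on an executable name is a cue to pull the file's signer chain and hash for closer review.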

