Analysis Summary

Cybersecurity researchers have uncovered a malvertising campaign distributing a new information-stealing malware dubbed TamperedChef through trojanized PDF editors. The operation, first observed on June 26, 2025, exploits fraudulent Google ads and bogus websites promoting a fake tool called AppSuite PDF Editor.

Victims who download and install the editor are shown a normal license agreement, but in the background the setup program contacts an external server, downloads the editor, and establishes persistence by altering Windows Registry entries. These registry modifications ensure the malicious executable automatically launches with special --cm arguments, which control hidden routines.

Initially, the PDF editor appeared harmless. However, from August 21, 2025, the software began receiving malicious update instructions via remote JavaScript files. Once activated, TamperedChef enumerates installed security tools, forcibly terminates browsers, and exfiltrates sensitive data such as credentials, cookies, and browsing history.

Analysis by another security firm revealed the malware functions as both an information stealer and backdoor, supporting several commands:

• --install: creates scheduled tasks to maintain persistence.
• --cleanup: removes files and unregisters the host.
• --ping: communicates with its command-and-control (C2) server, enabling additional malware downloads, registry manipulation, and data theft.
• --check: retrieves configuration, harvests browser data, and executes arbitrary commands.
• --reboot: similar to --check, with added process-killing capabilities.

The campaign ran for about 56 days, aligning with the typical lifespan of Google ad campaigns, suggesting attackers maximized downloads before activating malicious functions.

Parallel research by other researchers noted broader malvertising efforts using similar fake PDF editors such as PDF OneStart and PDF Editor, some of which delivered other trojanized apps or converted hosts into residential proxies.

Researchers warn that AppSuite PDF Editor is a classic trojan horse, widely distributed and capable of granting attackers long-term system access.

Impact

• Data Exfiltration
• Unauthorized Access
• Sensitive Information Theft
• Arbitrary Command Execution

Indicators of Compromise

SHA1

• 21df00ac8bf8baa1111f3fc564d27a9eabf0f097
• 60a16247cfb83a88dbc08665a18d6dfdc128673e
• 664b0cb27490df5d414129be47f2ae2c5419e0cf
• bfe0c2523303158f0b684e96f93cf6609a529428
• a8b04aa4cbfbb5ce94529b12270ec2759e505bde
• 44e227599d4f549e1526aa630093427ea95bbf6a
• 2ecd25269173890e04fe00ea23a585e4f0a206ad
• 1eb5be9e5662811fa1412287fa8e5a2d88d0a4d2
• bb7aac2e7ca33a7290be05c39d0b9842dbaa4cd5
• e3f0b979c50c1e2e4a72b31b541268ce04c8ff20

Remediation

• Remove AppSuite PDF Editor and any trojanized PDF tools, eliminates the initial infection source.
• Run a full endpoint scan with updated security solutions, detects and removes TamperedChef and related payloads.
• Reset browsers and clear saved credentials/cookies, prevents stolen session data from being reused.
• Change all account passwords and enable MFA, mitigates risk from compromised credentials.
• Check and clean Windows Registry for malicious autoruns, removes persistence mechanisms.
• Review and delete suspicious scheduled tasks, disables malware re-execution.
• Block related domains, IPs, and C2 communication, cuts off attacker access.
• Monitor network traffic for unusual callbacks, identifies ongoing compromise attempts.
• Apply application allowlisting and restrict software installs, reduces exposure to trojanized apps.
• Educate users about malvertising and fake installers, lowers risk of reinfection.