Threat actors are actively distributing the TamperedChef infostealer malware through deceptive applications disguised as legitimate PDF editors. According to researchers, the malicious apps were promoted using Google Ads malvertising, giving them broad reach and credibility among unsuspecting users.
Investigations revealed that more than 50 domains were set up to host the fraudulent apps. Each application was signed with a code-signing certificate issued to one of at least four different companies. The certificates themselves were valid, apparently obtained under fraudulent company identities, so the signed installers looked legitimate and passed many reputation- and signature-based security filters.
Researchers noted that the operators waited strategically before enabling the malicious features, allowing the fraudulent ads to run their course and maximize installations before the malware was activated.
Technical Breakdown of the TamperedChef Infostealer Delivery
Cybersecurity company Truesec provided a detailed technical analysis of how TamperedChef was delivered. The malware was hidden inside a tool promoted as AppSuite PDF Editor.
- Records show the campaign began on June 26, when multiple domains were either registered or began advertising the app.
- However, the first sample of the app appeared on May 15 in VirusTotal submissions, long before it was weaponized.
- Malicious activity was triggered on August 21, when the application received a “full update” command that activated its data-stealing capabilities.
Once activated, TamperedChef targeted sensitive information such as user credentials, browser cookies, and the encrypted databases in which browsers store them. It used Microsoft’s Data Protection Application Programming Interface (DPAPI) to recover that data from local browsers. Chromium-based browsers wrap the key that encrypts saved passwords and cookies with DPAPI under the logged-on user’s context, so any process running as that user can unwrap the key with CryptUnprotectData and decrypt the stored secrets without needing the user’s password.
The malware also checked for the presence of security agents and antivirus tools, suggesting an attempt to evade detection before executing its core functions.
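The DPAPI abuse described above leaves a usable trace even when the API call itself is not logged: a process other than the browser opens the browser’s credential stores. The following hunt is an added example written for this write-up, not code from Truesec, Expel or the malware authors. It assumes an EDR-style JSON-lines export of file-open events with `host`, `pid`, `image`, `op` and `path` fields; the sample events, host name, paths and process names (`pdfeditor.exe`, `helper.exe`) are constructed.

```python
"""Hunt for non-browser processes opening browser credential stores.

Added example for this write-up, not code from Truesec, Expel or the malware
authors. Input is an assumed EDR-style JSON-lines export of file-open
telemetry; the events in SAMPLE_EVENTS are constructed.
"""
import json
from pathlib import PureWindowsPath

# Processes expected to open their own profile stores.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}

# Chromium keeps the AES key that encrypts saved passwords and cookies in
# "Local State", wrapped with DPAPI under the logged-on user's scope. DPAPI is
# per user, not per application, so any process running as that user can call
# CryptUnprotectData to unwrap the key and then decrypt the rows in
# "Login Data" and "Cookies". Firefox uses its own NSS key store (key4.db).
CHROMIUM_STORES = {"local state", "login data", "cookies", "web data"}
FIREFOX_STORES = {"key4.db", "logins.json", "cookies.sqlite"}

# Constructed telemetry: one benign Chrome read, one benign Edge read, a PDF
# editor process reading both the Chromium key file and the password database,
# and a helper process reading Firefox cookies.
SAMPLE_EVENTS = r"""
{"ts":"2025-08-21T10:02:11Z","host":"WS-0142","pid":4120,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","op":"file_open","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts":"2025-08-21T10:02:30Z","host":"WS-0142","pid":5588,"image":"C:\\Users\\alice\\AppData\\Local\\Programs\\PDF Editor\\pdfeditor.exe","op":"file_open","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts":"2025-08-21T10:02:31Z","host":"WS-0142","pid":5588,"image":"C:\\Users\\alice\\AppData\\Local\\Programs\\PDF Editor\\pdfeditor.exe","op":"file_open","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2025-08-21T10:02:32Z","host":"WS-0142","pid":5588,"image":"C:\\Users\\alice\\AppData\\Local\\Programs\\PDF Editor\\pdfeditor.exe","op":"file_open","path":"C:\\Users\\alice\\Documents\\report.pdf"}
{"ts":"2025-08-21T10:05:02Z","host":"WS-0142","pid":6101,"image":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","op":"file_open","path":"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"}
{"ts":"2025-08-21T10:07:45Z","host":"WS-0142","pid":7012,"image":"C:\\Users\\alice\\AppData\\Roaming\\helper\\helper.exe","op":"file_open","path":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\k3x9.default-release\\cookies.sqlite"}
"""


def store_kind(path):
    """Return ('chromium'|'firefox', file name) if path is a credential store, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parts = {part.lower() for part in p.parts}
    if name in CHROMIUM_STORES and "user data" in parts:
        return "chromium", name
    if name in FIREFOX_STORES and "profiles" in parts:
        return "firefox", name
    return None


def severity(kind, names):
    """Key material plus ciphertext from one process is everything needed to
    decrypt offline, so rate that higher than a single file."""
    if kind == "chromium" and "local state" in names and names & {"login data", "cookies"}:
        return "high"
    if kind == "firefox" and "key4.db" in names and "logins.json" in names:
        return "high"
    return "medium"


def hunt(jsonl):
    """Group credential-store opens by (host, pid, image) for non-browser processes."""
    touched = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("op") != "file_open":
            continue
        hit = store_kind(ev["path"])
        if hit is None:
            continue
        image = PureWindowsPath(ev["image"]).name.lower()
        if image in BROWSER_PROCESSES:
            continue
        key = (ev["host"], ev["pid"], image)
        touched.setdefault(key, {}).setdefault(hit[0], set()).add(hit[1])

    findings = []
    for (host, pid, image), stores in sorted(touched.items()):
        for kind, names in sorted(stores.items()):
            findings.append({"host": host, "pid": pid, "image": image, "store": kind,
                             "files": sorted(names), "severity": severity(kind, names)})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']} pid={f['pid']} {f['image']} {f['store']}: {', '.join(f['files'])}")
```

The allowlist matches on image name only, so in production also require the browser binary to live in its expected install path and carry the vendor’s signature; a stealer can name itself `chrome.exe`. File-open telemetry of this kind needs an EDR or a SACL on the profile directory, since Sysmon does not record reads.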
Malicious Advertising Strategy Behind AppSuite PDF Editor
Researchers discovered that the distribution relied heavily on Google Ads, a tactic increasingly used in malvertising campaigns.
“Truesec has observed at least five different Google campaign IDs which suggests a widespread campaign,” researchers explained.
The timing of the campaign showed strategic planning. The malicious update on August 21 came 56 days after the campaign started on June 26, just inside the 60-day expiration window the researchers cite for Google Ads, so the operators had collected most of the installs the ads would ever generate before the app turned malicious.
The campaign also made use of multiple code-signing certificates, including those issued to:
- ECHO Infini SDN BHD
- GLINT By J SDN. BHD
- SUMMIT NEXUS Holdings LLC
The use of authentic certificates gave the apps credibility, enabling them to bypass trust checks until the certificates were later revoked.
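Because the signatures were made with valid certificates, a signer-based hunt is the quickest way to find binaries from this campaign on a fleet, and it is also the place to understand why revocation alone is not enough. The following is an added example written for this write-up, not code from Truesec or Expel. It takes a constructed inventory of signed files (the kind of export you would get from `Get-AuthenticodeSignature` or an EDR binary inventory; the file paths, subject DNs, signing dates and revocation dates are all made up), parses the subject distinguished names, matches the organisation against the three certificate holders named above, and applies the Authenticode rule that a timestamped signature made before a certificate’s effective revocation date continues to verify.

```python
"""Match Authenticode signer subjects against the certificate holders named in
this campaign and decide whether revocation actually invalidates each signature.

Added example for this write-up; not code from Truesec or Expel. The inventory
and revocation dates are constructed; the organisation names come from the report.
"""
from datetime import datetime
import re

# Organisations the campaign's certificates were issued to (from the report).
CAMPAIGN_ORGS = [
    "ECHO Infini SDN BHD",
    "GLINT By J SDN. BHD",
    "SUMMIT NEXUS Holdings LLC",
]


def normalize_org(name):
    """Lower-case and strip punctuation so 'SDN. BHD' and 'Sdn Bhd' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", name.lower()).split())


CAMPAIGN_KEYS = {normalize_org(o) for o in CAMPAIGN_ORGS}


def parse_dn(dn):
    """Parse an RFC 4514-style subject ('CN=x, O=y') into a dict.

    Handles backslash-escaped commas and double-quoted values, both of which
    appear in real subjects; repeated attribute types keep the first value."""
    attrs = {}
    key, value = [], []
    in_value = in_quotes = escape = False
    for ch in dn:
        if escape:
            (value if in_value else key).append(ch)
            escape = False
        elif ch == "\\":
            escape = True
        elif ch == '"' and in_value:
            in_quotes = not in_quotes
        elif ch == "=" and not in_value:
            in_value = True
        elif ch == "," and not in_quotes:
            attrs.setdefault("".join(key).strip().upper(), "".join(value).strip())
            key, value, in_value = [], [], False
        else:
            (value if in_value else key).append(ch)
    if key:
        attrs.setdefault("".join(key).strip().upper(), "".join(value).strip())
    return attrs


def signer_org(subject):
    attrs = parse_dn(subject)
    return attrs.get("O") or attrs.get("CN") or ""


def assess(record, revocations):
    """Classify one signed binary.

    record: {"file", "subject", "signed_at" (ISO 8601), "timestamped" (bool)}
    revocations: {normalized org: effective revocation datetime}

    Authenticode rule applied: a signature counter-signed by a timestamp server
    keeps verifying after revocation as long as the signing time precedes the
    revocation's effective date; only later signatures (or all of them, if the
    CA backdates the revocation to issuance) fail. A signature without a
    timestamp fails as soon as the certificate is revoked or expires.
    Either way, a campaign signer is grounds to quarantine the file."""
    org = normalize_org(signer_org(record["subject"]))
    campaign = org in CAMPAIGN_KEYS
    revoked_at = revocations.get(org)
    if revoked_at is None:
        status = "chains_ok"
    elif not record["timestamped"]:
        status = "invalid"
    elif datetime.fromisoformat(record["signed_at"]) >= revoked_at:
        status = "invalid"
    else:
        status = "still_valid_despite_revocation"
    return {"file": record["file"], "org": org, "campaign_signer": campaign,
            "status": status, "action": "quarantine" if campaign else "none"}


# Constructed inventory (paths, DNs and dates are made up for the example).
SAMPLE_INVENTORY = [
    {"file": r"C:\Users\alice\AppData\Local\Programs\PDF Editor\pdfeditor.exe",
     "subject": 'CN="GLINT By J SDN. BHD", O="GLINT By J SDN. BHD"',
     "signed_at": "2025-07-03T09:15:00+00:00", "timestamped": True},
    {"file": r"C:\Users\alice\Downloads\pdf-editor-setup.exe",
     "subject": r"CN=SUMMIT NEXUS Holdings LLC, O=SUMMIT NEXUS Holdings LLC, L=Town\, Region",
     "signed_at": "2025-08-22T18:40:00+00:00", "timestamped": True},
    {"file": r"C:\Users\alice\Downloads\helper.exe",
     "subject": "CN=ECHO Infini SDN BHD, O=ECHO Infini SDN BHD",
     "signed_at": "2025-06-20T11:00:00+00:00", "timestamped": False},
    {"file": r"C:\Program Files\Example\example.exe",
     "subject": "CN=Example Software Ltd, O=Example Software Ltd",
     "signed_at": "2025-05-02T08:00:00+00:00", "timestamped": True},
]

# Constructed effective revocation dates; take real ones from the issuing CA's CRL.
SAMPLE_REVOCATIONS = {
    normalize_org("GLINT By J SDN. BHD"): datetime.fromisoformat("2025-08-28T00:00:00+00:00"),
    normalize_org("SUMMIT NEXUS Holdings LLC"): datetime.fromisoformat("2025-08-10T00:00:00+00:00"),
    normalize_org("ECHO Infini SDN BHD"): datetime.fromisoformat("2025-09-01T00:00:00+00:00"),
}


def triage(inventory=SAMPLE_INVENTORY, revocations=SAMPLE_REVOCATIONS):
    return [assess(r, revocations) for r in inventory]


if __name__ == "__main__":
    for f in triage():
        print(f"{f['status']:32} campaign={str(f['campaign_signer']):5} {f['action']:10} {f['file']}")
```

The first record is the one to notice: a timestamped signature made weeks before the revocation still chains as valid, so a control that only asks “does the signature verify?” will keep trusting the installer. Match on the signer’s organisation and act on that, and treat the revocation as a cleanup signal rather than a fix.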
Links to Residential Proxy Enrollments
Beyond malware delivery, the operation also involved turning compromised hosts into residential proxies.
Security firm Expel investigated related incidents involving AppSuite PDF Editor, ManualFinder, and OneStart, finding that these applications:
- Dropped suspicious files
- Executed unexpected commands
- Enrolled devices into residential proxy networks
In some cases, the applications even displayed messages requesting user permission to share network resources in exchange for continued use of the tool for free.
While some of these tools were initially flagged as potentially unwanted programs (PUPs), the capabilities observed—such as executing commands and downloading additional malware—are consistent with full-fledged malware behavior.
Indicators of Long-Term Threat Actor Activity
Evidence indicates that the operators behind this campaign have been active since at least August 2024, promoting additional applications beyond PDF tools. These included OneStart and Epibrowser, both of which were linked to suspicious activities.
Notably:
- OneStart was flagged as a PUP but also served as a downloader for AppSuite PDF Editor.
- Expel observed cross-distribution between the applications, where one app could fetch another in a chain-like delivery method.
- This strategy increased persistence and ensured that even if one app was removed, another could continue the malicious activity.
Researchers warned that other applications linked to the same campaign remain dormant for now but could be weaponized in future waves.
Persistent Risks and Enterprise Impact
Although the code-signing certificates used in this operation have now been revoked, the risks remain significant for users who already installed the applications. Revocation does not remove the binaries, and a signature that was timestamped before the revocation’s effective date can still verify. Active infections can still exfiltrate credentials and enroll devices into malicious proxy networks.
For enterprises, the campaign demonstrates the evolving use of:
- Malvertising via trusted platforms
- Code-signing abuse for legitimacy
- Residential proxy enrollment for monetization
- Staggered activation to bypass early detection
Researchers at Truesec and Expel emphasized that while the tools may appear to be free utilities, their behavior aligns closely with infostealer malware and should be treated accordingly.
Both firms released extensive indicators of compromise (IoCs) to help defenders identify infections, block related domains, and prevent further spread across enterprise networks.