TamperedChef Hides Malware Inside Signed Apps

Palo Alto Networks' Unit 42 documented TamperedChef, a campaign that hides malware inside digitally signed applications, with an estimated 12,000 infections worldwide; valid code-signing certificates let the trojanized apps evade detection.

A malware distribution campaign called TamperedChef has been quietly placing infostealers, remote access trojans, proxy tools, and browser hijackers inside digitally signed productivity applications since 2024 — exploiting one of the most trusted mechanisms in enterprise security to slip past defenses that most organizations assume are reliable.

TamperedChef: 4,000 Samples Across Signed PDF Editors and Productivity Apps

Palo Alto Networks’ Unit 42 threat intelligence team disclosed the campaign after tracking it across more than 4,000 malware samples spanning over 100 variants. The researchers estimated 12,000 infection instances globally, with a disproportionate concentration of victims in the United States and Israel. Distribution relied on more than 20,000 malicious advertisements placed across advertising networks, each directing users toward convincing fake software download sites designed to impersonate legitimate vendors.

The applications used as carriers include AppSuite PDF, Calendaromatic, JustAskJacky, and CrystalPDF — tools that appear functional and legitimate on the surface. Each was signed with a valid code-signing certificate, granting them the same trust status that enterprise security policies typically extend to verified software. That trust, once granted, persists even after installation.

Delayed Activation Defeats Post-Installation Scanning

The campaign’s most technically significant characteristic is what Unit 42 described as delayed activation. After a user installs one of the trojanized applications, the embedded malware does not execute immediately. Instead, it can remain dormant for weeks or even months before triggering its payload. This delay is deliberate: security tools that scan newly installed software for malicious behavior would observe nothing unusual in the window immediately following installation, clearing the application as safe before the threat activates.

This design reflects a sophisticated understanding of how enterprise detection pipelines operate. Most post-installation scanning occurs in a narrow window after software lands on a system. Once that window closes, re-scanning is typically event-driven rather than continuous. A dormant implant that waits long enough sidesteps both automated and human review cycles.

Three Activity Clusters and CL-CRI-1089

Unit 42 identified three distinct activity clusters within TamperedChef: CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110. The clustering suggests either multiple threat actors sharing the same toolkit or a single operator running highly segmented infrastructure to compartmentalize exposure. Neither interpretation is more reassuring than the other — the former implies a toolkit available across criminal communities, while the latter implies an operator disciplined enough to structure operations against takedown efforts.

The use of legitimate code-signing certificates across all three clusters points to a consistent capability: the actor or actors behind TamperedChef have either obtained certificate infrastructure outright or compromised existing certificate holders. Code-signing certificates are not freely available and typically require identity verification from certificate authorities, meaning that acquiring them involves either fraud, theft of existing credentials, or access to a company whose certificates can be abused.

How TamperedChef Abuses Legitimate Code-Signing to Defeat Enterprise Allowlisting

Enterprise environments commonly enforce application allowlisting policies that permit software to run only if it carries a valid digital signature from a trusted certificate authority. This control is widely regarded as a strong baseline defense against unsigned or unknown executables. TamperedChef directly inverts that assumption. Because the malicious applications carry legitimate signatures, allowlisting policies approve their execution rather than blocking it.

The implications extend beyond any single campaign. Certificate-based trust is a foundational assumption in many security architectures. When that assumption breaks — whether through compromised certificate infrastructure or through certificate authorities that fail to adequately vet applicants — the controls downstream of it lose their value. Security teams relying solely on signature verification to distinguish safe software from dangerous software are exposed to exactly this class of attack.
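The two weaknesses described above (trusting any valid signature, and scanning only in the window right after installation) can be addressed together by re-evaluating installed software against an explicit publisher allowlist and against the timing of its first observed behaviour. The following is an added example written for this article, not Unit 42's tooling or any vendor's product; the approved thumbprints, the 14-day dormancy threshold, and the inventory and telemetry records are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: thumbprints of publishers this (hypothetical) org explicitly approved.
APPROVED_PUBLISHERS = {"aa11bb22cc33dd44ee55ff66aa11bb22cc33dd44"}
# Assumption: first observed behaviour this long after install deserves review,
# since the install-time scan window the article describes has long closed.
DORMANCY_THRESHOLD = timedelta(days=14)

@dataclass
class InstalledApp:
    name: str
    signature_valid: bool      # signature chains to a trusted CA
    publisher_thumbprint: str  # thumbprint of the signing certificate
    installed_at: datetime

@dataclass
class BehaviorEvent:
    app: str
    kind: str                  # e.g. "outbound_connection", "child_process"
    seen_at: datetime

def evaluate(app: InstalledApp, events: list[BehaviorEvent]) -> list[str]:
    """Findings for one app: publisher trust plus timing of its first behaviour."""
    findings = []
    if not app.signature_valid:
        findings.append("unsigned_or_invalid_signature")
    elif app.publisher_thumbprint not in APPROVED_PUBLISHERS:
        findings.append("valid_signature_but_unapproved_publisher")
    first = min((e.seen_at for e in events if e.app == app.name), default=None)
    if first is not None and first - app.installed_at >= DORMANCY_THRESHOLD:
        delay = (first - app.installed_at).days
        findings.append(f"first_behaviour_{delay}_days_after_install")
    return findings

def review_all(apps: list[InstalledApp], events: list[BehaviorEvent]) -> dict[str, list[str]]:
    """Re-evaluate every installed app against current telemetry, not just at install."""
    return {a.name: evaluate(a, events) for a in apps}

# Constructed inventory and telemetry (not real indicators): a validly signed but
# unapproved PDF editor that stays quiet for weeks, beside an approved app active from day one.
APPS = [
    InstalledApp("AppSuite PDF", True, "0123456789abcdef0123456789abcdef01234567", datetime(2025, 1, 10)),
    InstalledApp("Approved Editor", True, "aa11bb22cc33dd44ee55ff66aa11bb22cc33dd44", datetime(2025, 1, 10)),
]
EVENTS = [
    BehaviorEvent("Approved Editor", "outbound_connection", datetime(2025, 1, 10, 9)),
    BehaviorEvent("AppSuite PDF", "child_process", datetime(2025, 3, 2, 3)),
    BehaviorEvent("AppSuite PDF", "outbound_connection", datetime(2025, 3, 2, 4)),
]
```

A signature-only allowlist would pass both apps; the review flags the unapproved publisher and the 51-day gap before the first observed behaviour.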

The 100-plus variants documented by Unit 42 indicate that TamperedChef operators have been iterating steadily, adapting delivery mechanisms and payloads while maintaining the core signed-application technique. With 12,000 estimated infections and an advertising network spanning tens of thousands of placements, the campaign represents a sustained and scaled operation rather than an opportunistic experiment.

Unit 42’s disclosure includes indicators of compromise for the identified application names and certificate signatures.
