TamperedChef serves bad ads with infostealers as the main course

The TamperedChef malvertising campaign appeared to evolve from early experimentation to widespread credential theft, before detection by defenders:

August 2024 — Early activity by the threat actors

According to Truesec, the operators behind TamperedChef first appeared using suspicious potentially unwanted applications (PUAs) such as OneStart and Epibrowser — seemingly benign ‘utility tools’ promoted through ads. These served as early tests for their delivery networks and code-signing abuse strategy.

June 26, 2025 — Campaign launch

The full TamperedChef operation began with the registration of multiple look-alike PDF utility websites. Google Ads and SEO poisoning were used to lure users into downloading the trojanized AppSuite PDF Editor installer.

June-August 2025 — Dormant deployment period

Once installed, the malware remained inactive for ~56 days. This strategic delay aligned with the typical duration of paid advertising campaigns, maximizing the number of infected systems before malicious behaviors were triggered.

August 21, 2025 — Remote activation of the payload

Attackers issued commands to the installed software, activating hidden infostealer capabilities. The malware collected browser credentials, cookies, and sensitive data — while establishing persistence through scheduled tasks and registry changes.

September 3, 2025 — Sophos MDR detection and response

Sophos investigators discovered more than 300 impacted hosts across over 100 customer environments, prompting an active threat hunt and coordinated takedown action against malicious domains and infrastructure.

September 11–16, 2025 — Completion of hunt operations

A multi-day remediation effort successfully removed the threat from monitored systems. However, ongoing discovery of related domains and new certificates indicates that the adversaries behind TamperedChef continue to evolve and remain active in the ecosystem.

Attack chain

As with many malvertising campaigns, the attack chain typically begins with a victim typing a query into a search engine – in this case, a query relating to appliance manuals or PDF editing software. Alternative vectors include malicious links on deceptive forums (or deceptive threads in legitimate forums), or in phishing emails.

Malicious adverts and lure pages, created by the threat actor, are subsequently shown to the victim, either through SEO poisoning (which pushes the lure sites up the organic search results), or via paid promotion (e.g., through Google Ads), or both. After clicking these adverts or links, users are taken to deceptive websites (such as hxxps://fullpdf[.]com or hxxps://pdftraining[.]com) and prompted to download a malicious installer named Appsuite-PDF.msi.

This installer drops an executable called PDFEditorSetup.exe, which establishes persistence through registry modifications and scheduled tasks, before installing a binary named PDF Editor.exe – an infostealer.

Upon execution, the infostealer harvests browser-stored data, establishes a connection to a command-and-control (C2) server for data exfiltration, and retrieves an additional payload named ManualFinderApp.exe. This file is a trojanized application that functions as an infostealer and a backdoor.

This appears to be a fairly widespread campaign; in its analysis of TamperedChef, Truesec observed at least five different Google campaign IDs. The duration from the campaign’s onset until the end of the malware’s dormancy period (when the seemingly benign AppSuite PDF Editor switched to active infostealer behavior) was 56 days, closely aligning with the typical 30-60-day cycle of paid advertising campaigns. This suggests that the threat actor likely allowed the ad campaign to run its course, to maximize potential infections, before activating the malicious features.
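The attack chain above names the artifacts a defender can hunt for (the installer, the dropped binaries, the lure domains) and the dormancy paragraph describes the one behavioural signal that does not depend on file names: a "PDF editor" that sits quiet for weeks and then starts talking to the internet. The following hunt script is an added example, not Sophos or Truesec tooling. It matches the file names and domains given in the write-up against exported endpoint telemetry and, per host, measures the gap between the installer running and the first outbound connection from one of the dropped binaries. The pipe-delimited event format, the host names, the destination IP (TEST-NET range), the registry Run value and the task path in the sample are all constructed for illustration; the page does not give the real task names, registry keys or C2 addresses.

```python
"""Hunt for TamperedChef artifacts and delayed activation in endpoint telemetry.

Added example (not Sophos or Truesec code). File names and lure domains are
taken from the write-up; the telemetry format and sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Indicators named in the write-up (case-insensitive match on the basename).
FILE_IOCS = {
    "appsuite-pdf.msi",     # trojanized installer
    "pdfeditorsetup.exe",   # dropper, sets up persistence
    "pdf editor.exe",       # infostealer
    "manualfinderapp.exe",  # second-stage infostealer/backdoor
}
DOMAIN_IOCS = {"fullpdf[.]com", "pdftraining[.]com"}

# The campaign stayed dormant ~56 days (roughly one paid-ad cycle). A first
# outbound contact this long after install is the behavioural signal.
DORMANCY_DAYS = 30


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxps://fullpdf[.]com') into a real one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def basename_lower(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased for matching."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matches_file_ioc(path: str) -> bool:
    return basename_lower(path) in FILE_IOCS


def parse_event(line: str) -> dict:
    """Constructed format: ISO-timestamp|host|kind|detail (detail may contain '|')."""
    ts, host, kind, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail}


def hunt(lines):
    """Return {host: {"iocs": [...], "dormancy_days": int|None, "delayed_activation": bool}}.

    'dormancy_days' is the gap between the installer process and the first
    network connection made by any of the dropped binaries on that host.
    """
    refanged = {refang(d) for d in DOMAIN_IOCS}
    iocs = defaultdict(list)
    installed, first_contact = {}, {}
    for line in lines:
        ev = parse_event(line)
        host, kind, detail, ts = ev["host"], ev["kind"], ev["detail"], ev["ts"]
        if kind == "dns":
            if detail.lower() in refanged:
                iocs[host].append(f"dns {detail}")
        elif kind == "netconn":
            # constructed detail layout: "<image path> -> <dest ip:port>"
            image, _, dest = detail.partition(" -> ")
            if matches_file_ioc(image):
                iocs[host].append(f"netconn {basename_lower(image)} -> {dest}")
                if host not in first_contact or ts < first_contact[host]:
                    first_contact[host] = ts
        elif kind in ("process", "task", "registry") and matches_file_ioc(detail):
            iocs[host].append(f"{kind} {detail}")
            if kind == "process" and basename_lower(detail) == "appsuite-pdf.msi":
                if host not in installed or ts < installed[host]:
                    installed[host] = ts
    findings = {}
    for host, hits in iocs.items():
        dormancy = None
        if host in installed and host in first_contact:
            dormancy = (first_contact[host] - installed[host]).days
        findings[host] = {
            "iocs": hits,
            "dormancy_days": dormancy,
            "delayed_activation": dormancy is not None and dormancy >= DORMANCY_DAYS,
        }
    return findings


# Constructed sample telemetry: one infected host (WS-017) and one clean host (WS-042).
SAMPLE_TELEMETRY = r"""
2025-06-30T10:02:11|WS-017|dns|fullpdf.com
2025-06-30T10:03:40|WS-017|process|C:\Users\alice\Downloads\Appsuite-PDF.msi
2025-06-30T10:03:58|WS-017|process|C:\Program Files\AppSuite\PDFEditorSetup.exe
2025-06-30T10:04:02|WS-017|task|C:\Program Files\AppSuite\PDF Editor.exe
2025-06-30T10:04:03|WS-017|registry|HKCU\Software\Microsoft\Windows\CurrentVersion\Run = C:\Program Files\AppSuite\PDF Editor.exe
2025-08-25T11:15:09|WS-017|netconn|C:\Program Files\AppSuite\PDF Editor.exe -> 203.0.113.5:443
2025-08-25T11:15:44|WS-017|process|C:\Users\alice\AppData\Local\Temp\ManualFinderApp.exe
2025-07-02T09:00:00|WS-042|process|C:\Users\bob\Downloads\quarterly-report.pdf
2025-07-02T09:00:05|WS-042|dns|example.com
"""

if __name__ == "__main__":
    for host, f in hunt(SAMPLE_TELEMETRY.strip().splitlines()).items():
        flag = "DELAYED ACTIVATION" if f["delayed_activation"] else ""
        print(f"{host}: {len(f['iocs'])} IOC hits, dormancy={f['dormancy_days']} days {flag}")
        for hit in f["iocs"]:
            print("   ", hit)
```

The file-name matches are the cheap part and will be the first thing the actor renames; the dormancy check is the part worth keeping, because it catches any signed "utility" that registers persistence at install time and only opens its first socket weeks later, whatever it is called.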
