TamperedChef is an information‑stealing malware distributed through a trojanized PDF editing tool called AppSuite PDF Editor. The application is promoted using malicious websites and Google Ads, enticing users to download what appears to be a legitimate installer. Review this Cybersecurity Threat Advisory to learn more and protect your systems.
What is the threat?
Attackers are distributing a malicious PDF editor that installs the TamperedChef infostealer. The campaign uses Google Ads, SEO‑optimized sites, and fraudulently signed installers to present the application as legitimate (e.g., AppSuites PDF Editor or PDF Editor).
Initially, the tool behaves normally. Later, a remote update activates its malicious functions, which include:
- Credential and cookie theft
- Browser data extraction via DPAPI
- Execution of arbitrary commands
Investigators have linked more than 50 domains and multiple fake code‑signing certificates to this operation, indicating a coordinated and large‑scale effort.
Why is it noteworthy?
This campaign is notable for its:
- Scale and distribution tactics: Google Ads and SEO boost reach and credibility.
- Delayed activation: Malicious components were enabled weeks after installation, aligning with the typical 60‑day Google Ads campaign duration to avoid early detection.
- Use of legitimate‑looking signatures: At least four companies’ certificates were abused to sign the malware.
- Expanded ecosystem: Related applications have reportedly enrolled infected systems into residential proxy networks, showing a broader monetization strategy.
Though some apps appear to be potentially unwanted programs (PUPs), their behavior aligns with full‑scale malware.
What is the exposure or risk?
Organizations face several risks, including:
- Theft of credentials, cookies, and browser data
- Unauthorized command execution
- Enrollment of devices into proxy networks
- Persistent compromise through scheduled tasks and Run‑key entries
Any device that installed AppSuites PDF Editor, PDF Editor, OneStart, or ManualFinder may have already received malicious updates. Once active, TamperedChef terminates browser processes to access protected files, communicates externally for updates and commands, and can execute attacker‑controlled actions.
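To check whether a device already carries one of the products named above, the following PowerShell hunt looks for those names in Run/RunOnce keys, scheduled tasks and installed-program entries. It is an added example, not Barracuda's tooling; the name list comes from this advisory and the output fields are assumptions.

```powershell
# Added hunting example (not Barracuda's tooling). Searches common Windows
# autostart locations and installed-program entries for product names quoted
# in this advisory. The name list and the output layout are assumptions.
$Names = @('AppSuite', 'AppSuites', 'PDF Editor', 'OneStart', 'ManualFinder')
$Pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Findings = @()

# 1. Run / RunOnce values whose value name or command line matches
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Item = Get-ItemProperty -Path $Key
    foreach ($Prop in $Item.PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }   # skip PSPath/PSDrive metadata
        if ("$($Prop.Name) $($Prop.Value)" -match $Pattern) {
            $Findings += [pscustomobject]@{ Source = 'RunKey'; Location = $Key; Name = $Prop.Name; Detail = $Prop.Value }
        }
    }
}

# 2. Scheduled tasks whose path, name or executed action matches
foreach ($Task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $Actions = ($Task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ("$($Task.TaskPath)$($Task.TaskName) $Actions" -match $Pattern) {
        $Findings += [pscustomobject]@{ Source = 'ScheduledTask'; Location = $Task.TaskPath; Name = $Task.TaskName; Detail = $Actions }
    }
}

# 3. Installed programs (Uninstall keys) whose display name or publisher matches
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
foreach ($Entry in Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue) {
    if ("$($Entry.DisplayName) $($Entry.Publisher)" -match $Pattern) {
        $Findings += [pscustomobject]@{ Source = 'InstalledProgram'; Location = $Entry.PSPath; Name = $Entry.DisplayName; Detail = $Entry.Publisher }
    }
}

if ($Findings.Count -eq 0) { 'No matches for advisory product names in Run keys, scheduled tasks or installed programs.' }
else { $Findings | Format-Table -AutoSize }
```

"PDF Editor" is a generic product name, so matches on it need manual triage against the install source and signer before a device is treated as compromised.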
What are the recommendations?
Barracuda recommends the following actions to reduce exposure and prevent compromise:
- Avoid downloading software from ads, pop‑ups, or untrusted sites.
- Restrict installation of unverified or unsigned applications.
- Filter malicious domains and inspect suspicious outbound traffic.
- Enforce DNS filtering and safe browsing protections.
- Apply least‑privilege access across all user accounts.
- Require MFA for critical systems and remote access.
- Audit and limit local administrator permissions.
- Maintain offline, immutable backups of critical data.
- Educate users on malvertising and deceptive installers.
- Reinforce cautious behavior around “free” utilities.
References
For more in-depth information about the recommendations, please visit the following links:
- TamperedChef infostealer delivered through fraudulent PDF Editor
- Malicious Appsuite PDF Editor Spreads Tamperedchef Malware
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.