TamperedChef malware activity via trojanized PDF editor installers
Malware Activity
Summary
The TamperedChef malware is being delivered through malvertising and fake AppSuite PDF Editor installers, putting Windows users at risk of credential theft, browser-data theft, and remote command execution. The operation began on June 26, 2025 and stayed mostly benign until August 21, 2025, when the malicious capabilities were activated. Once active, the malware can steal browser cookies and history, exfiltrate data, and download additional payloads.
Related Happenings
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
GlassWorm malware abuses compromised OpenVSX extensions to steal credentials from macOS systems
Malware Activity
First: 03.02.2026 00:04
Last: 03.02.2026 00:04
Sources 1
About this happening:
**GlassWorm** is a malware campaign that now also fuels **ForceMemo**, a **supply-chain attack** that steals **GitHub tokens** and force-pushes malicious code into **Python reposi...
TamperedChef malvertising campaign distributing backdoor malware through trojanized PDFs
Campaign
First: 16.01.2026 14:05
Last: 16.01.2026 14:05
Sources 1
How related:
"The objective is to lure victims into downloading and installing a trojanized PDF editor, which includes an information-stealing malware dubbed TamperedChef,"
About this happening:
The **TamperedChef** campaign is a **malvertising** operation that used **Google ads** and **more than 50 domains** to push a fake **AppSuite PDF Editor** and deliver the **Tamper...
ManualFinderApp.exe infostealer and backdoor activity
Malware Activity
First: 16.01.2026 14:05
Last: 16.01.2026 14:05
Sources 1
About this happening:
The **ManualFinderApp.exe** payload is being used as an **infostealer/backdoor** that harvests browser-stored data and opens **C2** exfiltration paths, increasing credential-theft...
TamperedChef global malvertising campaign
Campaign
First: 20.11.2025 06:06
Last: 20.11.2025 06:06
Sources 1
About this happening:
The **TamperedChef** campaign is actively using **bogus installers** and **malvertising** to deliver malware, putting users searching for software downloads or product manuals at...
Timeline
- 29.08.2025 07:17 · 1 article
Bogus sites push AppSuite PDF Editor through Google ad campaigns
Campaign Scope Update: Counterfeit sites begin advertising a free PDF editor called AppSuite PDF Editor through at least five Google advertising campaigns, using malvertising to funnel users toward a trojanized installer that later retrieves the editor and sets Windows Registry autoruns for persistence.
Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- 29.08.2025 07:17 · 1 article
TamperedChef activates on callback and starts stealing browser data
Exploitation Observed: Machines that called back on August 21, 2025 received instructions that activated TamperedChef, turning the staged PDF editor into an information stealer that targets credentials and web cookies, gathers installed security products, and terminates browsers to reach sensitive data.
Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- 29.08.2025 07:17 · 2 articles
Researchers disclose TamperedChef hidden in trojanized PDF editor installers
Initial Disclosure: Researchers disclosed a malvertising campaign that used bogus sites and trojanized AppSuite PDF Editor installers to deliver TamperedChef, an information stealer that harvests credentials and web cookies and can also function as a backdoor for data exfiltration, browser manipulation, and additional malware downloads.
Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17