TamperedChef Malware Campaign Exploits Fake PDF Editors to Steal Credentials and Cookies
Summary
A cybercrime campaign has deployed TamperedChef, an information-stealing malware, through fake PDF editor installers; the malware steals credentials and cookies from infected systems. The campaign began on June 26, 2025, and activated malicious features on August 21, 2025, and is assessed to have been active for 56 days before activating those features. The malware is distributed via malvertising that directs users to fraudulent sites offering a trojanized PDF editor. It achieves persistence through Windows Registry changes and communicates with a command-and-control server to execute various malicious actions. Beyond harvesting sensitive data such as credentials and web cookies, TamperedChef acts as a backdoor, supporting features such as scheduled tasks, data exfiltration, and arbitrary command execution. The campaign is part of a broader trend of malicious ad campaigns promoting trojanized PDF editors and involves more than 50 domains hosting deceptive apps signed with fraudulent certificates from at least four different companies. It has been active since at least August 2024 and has promoted other tools, including the OneStart and Epibrowser browsers. TamperedChef is part of a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation. The fake applications are signed with code-signing certificates issued for shell companies registered in the U.S., Panama, and Malaysia, and the malicious ads or poisoned URLs direct users to booby-trapped domains registered on NameCheap. Once installed, the malware drops an XML file to create a scheduled task that launches an obfuscated JavaScript backdoor, which connects to an external server and sends basic information such as session ID, machine ID, and other metadata as a JSON string that is encrypted and Base64-encoded over HTTPS.
The campaign's end goals remain nebulous, with some iterations facilitating advertising fraud. A significant concentration of infections has been identified in the U.S., and to a lesser extent in Israel, Spain, Germany, India, and Ireland. Healthcare, construction, and manufacturing are the most affected sectors.
Timeline
- 20.11.2025 06:06 · 1 article
TamperedChef Malware Drops Scheduled Task for Backdoor
The malware drops an XML file to create a scheduled task that launches an obfuscated JavaScript backdoor. The backdoor connects to an external server and sends basic information such as session ID, machine ID, and other metadata in the form of a JSON string that's encrypted and Base64-encoded over HTTPS. The campaign's end goals remain nebulous, with some iterations facilitating advertising fraud. A significant concentration of infections has been identified in the U.S., and to a lesser extent in Israel, Spain, Germany, India, and Ireland. Healthcare, construction, and manufacturing are the most affected sectors.
Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- 29.08.2025 07:17 · 3 articles
TamperedChef Malware Campaign Begins with Fake PDF Editors
The campaign involves more than 50 domains hosting deceiving apps signed with fraudulent certificates from at least four different companies. The campaign has been active since at least August 2024 and promoted other tools, including OneStart and Epibrowser browsers. The malware checks for various security agents on the host and queries the databases of installed web browsers using the DPAPI. The campaign operators waited for the ads to run their course before activating the malicious components in the applications. TamperedChef is part of a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation. The malware uses code-signing certificates issued for shell companies registered in the U.S., Panama, and Malaysia to sign the fake applications. The campaign involves malicious ads or poisoned URLs that direct users to booby-trapped domains registered on NameCheap.
Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
Information Snippets
- TamperedChef is an information-stealing malware distributed through fake PDF editors.
  First reported: 29.08.2025 07:17 · 2 sources, 3 articles. Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The malware achieves persistence through Windows Registry changes.
  First reported: 29.08.2025 07:17 · 2 sources, 2 articles. Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- TamperedChef communicates with a command-and-control server to execute various malicious actions.
  First reported: 29.08.2025 07:17 · 2 sources, 2 articles. Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- The campaign began on June 26, 2025, and activated malicious features on August 21, 2025.
  First reported: 29.08.2025 07:17 · 2 sources, 2 articles. Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- The malware is distributed via malvertising, directing users to fraudulent sites.
  First reported: 29.08.2025 07:17 · 2 sources, 3 articles. Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The campaign is part of a broader trend of malicious ad campaigns promoting trojanized PDF editors.
  First reported: 29.08.2025 07:17 · 2 sources, 3 articles. Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- TamperedChef supports features such as scheduled tasks, data exfiltration, and arbitrary command execution.
  First reported: 29.08.2025 07:17 · 2 sources, 2 articles. Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- The malware targets Chromium, OneLaunch, and Wave browsers to steal credentials, browser history, and cookies.
  First reported: 29.08.2025 07:17 · 2 sources, 2 articles. Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- The campaign involves more than 50 domains hosting deceptive apps signed with fraudulent certificates from at least four different companies.
  First reported: 30.08.2025 19:22 · 2 sources, 2 articles. Sources:
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The campaign has been active since at least August 2024 and promoted other tools, including the OneStart and Epibrowser browsers.
  First reported: 30.08.2025 19:22 · 1 source, 1 article. Sources:
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- OneStart can download AppSuite-PDF, which can fetch PDF Editor, and the code-signing certificates used in this campaign have already been revoked.
  First reported: 30.08.2025 19:22 · 1 source, 1 article. Sources:
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- The campaign operators waited for the ads to run their course before activating the malicious components in the applications.
  First reported: 30.08.2025 19:22 · 2 sources, 2 articles. Sources:
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The malware checks for various security agents on the host and queries the databases of installed web browsers using the DPAPI.
  First reported: 30.08.2025 19:22 · 1 source, 1 article. Sources:
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- TamperedChef is part of a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation.
  First reported: 20.11.2025 06:06 · 1 source, 1 article. Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The malware uses code-signing certificates issued for shell companies registered in the U.S., Panama, and Malaysia to sign the fake applications.
  First reported: 20.11.2025 06:06 · 1 source, 1 article. Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The malware is tracked as TamperedChef by Truesec and G DATA, and also referred to as BaoLoader by Expel.
  First reported: 20.11.2025 06:06 · 1 source, 1 article. Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The campaign involves malicious ads or poisoned URLs that direct users to booby-trapped domains registered on NameCheap.
  First reported: 20.11.2025 06:06 · 1 source, 1 article. Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The malware drops an XML file to create a scheduled task that launches an obfuscated JavaScript backdoor.
  First reported: 20.11.2025 06:06 · 1 source, 1 article. Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
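As an added defensive check (not code from the reporting above or from any of the cited vendors), the following Python script parses a Windows Task Scheduler XML definition and flags tasks whose action hands a JavaScript file to a script host, which is the persistence chain described for this campaign. The two task definitions in the script are constructed for illustration; the paths and file names in them are assumptions, not real TamperedChef indicators.

```python
"""Flag Task Scheduler XML whose action launches a JavaScript file (added defensive
example; the two task definitions below are constructed, not real TamperedChef
artefacts). Real task files live under C:\\Windows\\System32\\Tasks as UTF-16; read those as bytes with ET.parse()."""
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts that execute .js/.jse files; a task that hands one of these a
# JavaScript file is uncommon in legitimate software and worth triage.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
JS_FILE = re.compile(r"[\w\-\\:.%\s]+\.jse?\b", re.IGNORECASE)

# Constructed sample modelled on the reported chain: task -> wscript -> obfuscated .js
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B //Nologo "%APPDATA%\\PDFEditor\\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: an ordinary updater binary, no script host involved.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\Example\\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

def extract_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in the task."""
    root = ET.fromstring(task_xml)
    actions = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip()
        args = exe.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    return actions

def flag_js_launchers(task_xml):
    """Return one finding per action that runs a JavaScript file via a script host."""
    findings = []
    for cmd, args in extract_actions(task_xml):
        exe_name = cmd.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()
        js_hit = JS_FILE.search(args)
        if exe_name in SCRIPT_HOSTS and js_hit:
            findings.append(f"{exe_name} launches {js_hit.group(0).strip()}")
        elif exe_name.endswith((".js", ".jse")):  # script registered as the command itself
            findings.append(f"task runs a script file directly: {exe_name}")
    return findings

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, flag_js_launchers(xml) or "no findings")
```

Run the same function over every file under the Tasks directory to get a quick inventory of script-host launchers to triage against known-good software.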
- The backdoor connects to an external server and sends basic information such as session ID, machine ID, and other metadata in the form of a JSON string that's encrypted and Base64-encoded over HTTPS.
  First reported: 20.11.2025 06:06 · 1 source, 1 article. Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The campaign's end goals remain nebulous, with some iterations facilitating advertising fraud.
  First reported: 20.11.2025 06:06 · 1 source, 1 article. Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- A significant concentration of infections has been identified in the U.S., and to a lesser extent in Israel, Spain, Germany, India, and Ireland.
  First reported: 20.11.2025 06:06 · 1 source, 1 article. Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- Healthcare, construction, and manufacturing are the most affected sectors.
  First reported: 20.11.2025 06:06 · 1 source, 1 article. Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
Similar Happenings
Client-Side JavaScript Security Gaps Exploited During Holiday Shopping Seasons
Unmonitored JavaScript in client-side environments poses a significant security risk, especially during the holiday shopping season. Attackers exploit these gaps to steal payment data, bypassing traditional security measures like WAFs and intrusion detection systems. The 2024 holiday season saw major attacks, including the Polyfill.io breach affecting over 500,000 websites and the Cisco Magecart attack targeting holiday shoppers. These incidents highlight the need for enhanced client-side security measures to protect against data theft and unauthorized script execution. The holiday season amplifies risks due to increased attack motivation, code freeze periods, third-party dependencies, and resource constraints. Effective client-side security involves deploying Content Security Policy (CSP), implementing Subresource Integrity (SRI), conducting regular script audits, and using client-side monitoring tools. Organizations must adapt their security strategies to include comprehensive monitoring and protection of the client environment to safeguard against these evolving threats.
Oyster Malware Distributed via Fake Microsoft Teams Installers
A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools.
XCSSET macOS Malware Targets Xcode Developers with Enhanced Features
A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.
ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection
A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has **reiterated urgent warnings** to U.S. federal agencies after discovering that some organizations incorrectly applied updates for **CVE-2025-20333** and **CVE-2025-20362**, leaving devices marked as 'patched' but still vulnerable to active exploitation. CISA confirmed it is tracking ongoing attacks targeting unpatched Cisco ASA and Firepower devices within Federal Civilian Executive Branch (FCEB) agencies, with over **30,000 devices** remaining exposed globally, down from 45,000 in early October. The vulnerabilities enable unauthenticated remote code execution, unauthorized access to restricted endpoints, and denial-of-service (DoS) attacks. They have been linked to the **ArcaneDoor campaign**, a state-sponsored group active since at least July 2023, which has deployed malware like **RayInitiator** and **LINE VIPER**, manipulated ROM for persistence, and forced devices into reboot loops. CISA’s **Emergency Directive 25-03**, issued in September 2025, mandates federal agencies to account for all affected devices, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect compromise evidence in ASA core dumps. Recent findings reveal the same threat actor also exploited **CVE-2025-5777 (Citrix Bleed 2)** and **CVE-2025-20337 (Cisco ISE)** as zero-days, deploying a custom web shell ('IdentityAuditAction') with advanced evasion techniques. The campaign’s indiscriminate targeting and multi-platform exploitation underscore the adversary’s broad capabilities and access to sophisticated tools.