TamperedChef Malware Campaign Exploits Fake PDF Editors to Steal Credentials and Cookies
Summary
A cybercrime campaign has deployed TamperedChef, an information-stealing malware, through fake PDF editor installers. The malware steals credentials and cookies from infected systems. The campaign began on June 26, 2025, and activated malicious features on August 21, 2025; it is assessed to have been active for 56 days before turning malicious. The malware is distributed via malvertising that directs users to fraudulent sites offering a trojanized PDF editor. It achieves persistence through Windows Registry changes and communicates with a command-and-control server to execute various malicious actions. Beyond harvesting credentials and web cookies, it acts as a backdoor, supporting features such as scheduled tasks, data exfiltration, and arbitrary command execution. The campaign is part of a broader trend of malicious ad campaigns promoting trojanized PDF editors: it involves more than 50 domains hosting deceptive apps signed with fraudulent certificates from at least four different companies, has been active since at least August 2024, and has promoted other tools, including the OneStart and Epibrowser browsers. TamperedChef is part of a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation. The fake applications are signed with code-signing certificates issued to shell companies registered in the U.S., Panama, and Malaysia. Malicious ads or poisoned URLs direct users to booby-trapped domains registered on NameCheap. The malware drops an XML file to create a scheduled task that launches an obfuscated JavaScript backdoor, which connects to an external server and sends basic information such as session ID, machine ID, and other metadata as a JSON string that is encrypted and Base64-encoded over HTTPS.
The campaign's end goals remain nebulous, with some iterations facilitating advertising fraud. A significant concentration of infections has been identified in the U.S., and to a lesser extent in Israel, Spain, Germany, India, and Ireland. Healthcare, construction, and manufacturing are the most affected sectors. The TamperedChef campaign has targeted organizations in Germany, the UK, and France, with a focus on those relying on specialized technical equipment. The campaign exploits users searching for appliance manuals or PDF editing software through malicious adverts. The malware establishes a connection to a command-and-control (C2) server for data exfiltration and retrieves an additional payload named ManualFinderApp.exe. The malicious behavior begins 56 days after the download to avoid detection and user suspicion.
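The summary above (and the later snippet on the dropped XML file) describes the persistence mechanism: an XML task definition registers a scheduled task that starts an obfuscated JavaScript backdoor. The following is an added defensive example, not code from the campaign or from any of the cited sources. It parses task definitions in the Task Scheduler 2.0 XML format (the `http://schemas.microsoft.com/windows/2004/02/mit/task` namespace is the real one used by `schtasks /query /xml` and by the files under `C:\Windows\System32\Tasks`) and flags the pattern a defender would hunt for: a script host such as `wscript.exe` launching a script file from a user-writable directory, optionally tied to a logon trigger. The two task definitions embedded in the block are constructed for the demonstration; the paths, task names and `ExamplePdfEditor` folder are not indicators from the campaign.

```python
"""Triage Windows scheduled-task XML for script-engine launches from user-writable paths.

Added defensive example, not code from the TamperedChef campaign or its reporting.
Feed it the output of `schtasks /query /tn <name> /xml` or the files under
C:\\Windows\\System32\\Tasks (read those as bytes so the UTF-16 declaration is honoured).
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task definitions (real value, not an assumption).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts that will run a .js/.vbs/.hta/.ps1 file handed to them as an argument.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "node.exe", "powershell.exe"}

# Directories an ordinary user can write to; vendor tasks rarely run scripts from here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)

SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|hta|wsf|ps1)\b", re.IGNORECASE)


def triage_task_xml(xml_text):
    """Return a list of human-readable findings for one task definition (empty if clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        binary = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if binary in SCRIPT_HOSTS and SCRIPT_EXT.search(args):
            findings.append(f"script host {binary} launches a script: {args.strip()}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            findings.append("command or argument lives in a user-writable directory")
    # A logon trigger is what makes a dropped task survive reboots, i.e. real persistence.
    if root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("task is triggered at logon")
    return findings


def is_suspicious(xml_text):
    """True only when a script host runs a script file that sits in a user-writable directory."""
    found = triage_task_xml(xml_text)
    return any(f.startswith("script host") for f in found) and any("user-writable" in f for f in found)


# Constructed sample: a benign maintenance task running a system binary from System32.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\defrag.exe</Command>
      <Arguments>-c -h -o</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: the shape described in the reporting, a script host started at logon
# with a .js file under AppData.  Folder and file names are placeholders, not campaign IoCs.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //Nologo "C:\Users\demo\AppData\Roaming\ExamplePdfEditor\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml_text in (("benign", BENIGN_TASK), ("suspicious", SUSPICIOUS_TASK)):
        print(f"{name}: suspicious={is_suspicious(xml_text)}")
        for finding in triage_task_xml(xml_text):
            print("  -", finding)
```

The check deliberately requires both conditions (script host plus user-writable path) before calling a task suspicious, so that legitimate vendor tasks that run a PowerShell script from Program Files, or a user task that runs a system binary, are reported as findings to review rather than as alerts.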
Timeline
- 20.11.2025 06:06 (2 articles)
TamperedChef Malware Drops Scheduled Task for Backdoor
The malware drops an XML file to create a scheduled task that launches an obfuscated JavaScript backdoor. The backdoor connects to an external server and sends basic information such as session ID, machine ID, and other metadata in the form of a JSON string that's encrypted and Base64-encoded over HTTPS. The campaign's end goals remain nebulous, with some iterations facilitating advertising fraud. A significant concentration of infections has been identified in the U.S., and to a lesser extent in Israel, Spain, Germany, India, and Ireland. Healthcare, construction, and manufacturing are the most affected sectors. The malware establishes a connection to a command-and-control (C2) server for data exfiltration and retrieves an additional payload named ManualFinderApp.exe. The malicious behavior begins 56 days after the download to avoid detection and user suspicion.
Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- 29.08.2025 07:17 (4 articles)
TamperedChef Malware Campaign Begins with Fake PDF Editors
The campaign involves more than 50 domains hosting deceptive apps signed with fraudulent certificates from at least four different companies. The campaign has been active since at least August 2024 and promoted other tools, including OneStart and Epibrowser browsers. The malware checks for various security agents on the host and queries the databases of installed web browsers using the DPAPI. The campaign operators waited for the ads to run their course before activating the malicious components in the applications. TamperedChef is part of a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation. The malware uses code-signing certificates issued for shell companies registered in the U.S., Panama, and Malaysia to sign the fake applications. The campaign involves malicious ads or poisoned URLs that direct users to booby-trapped domains registered on NameCheap. The TamperedChef campaign has targeted organizations in Germany, the UK, and France, with a focus on those relying on specialized technical equipment. The campaign exploits users searching for appliance manuals or PDF editing software through malicious adverts.
Sources:
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
- TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
Information Snippets
- TamperedChef is an information-stealing malware distributed through fake PDF editors.
  First reported: 29.08.2025 07:17 (3 sources, 4 articles). Sources:
  - TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The malware achieves persistence through Windows Registry changes.
  First reported: 29.08.2025 07:17 (3 sources, 3 articles). Sources:
  - TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- TamperedChef communicates with a command-and-control server to execute various malicious actions.
  First reported: 29.08.2025 07:17 (3 sources, 3 articles). Sources:
  - TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The campaign began on June 26, 2025, and activated malicious features on August 21, 2025.
  First reported: 29.08.2025 07:17 (3 sources, 3 articles). Sources:
  - TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The malware is distributed via malvertising, directing users to fraudulent sites.
  First reported: 29.08.2025 07:17 (3 sources, 4 articles). Sources:
  - TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The campaign is part of a broader trend of malicious ad campaigns promoting trojanized PDF editors.
  First reported: 29.08.2025 07:17 (3 sources, 4 articles). Sources:
  - TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- TamperedChef supports features such as scheduled tasks, data exfiltration, and arbitrary command execution.
  First reported: 29.08.2025 07:17 (3 sources, 3 articles). Sources:
  - TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The malware targets Chromium, OneLaunch, and Wave browsers to steal credentials, browser history, and cookies.
  First reported: 29.08.2025 07:17 (3 sources, 3 articles). Sources:
  - TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies — thehackernews.com — 29.08.2025 07:17
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The campaign involves more than 50 domains hosting deceptive apps signed with fraudulent certificates from at least four different companies.
  First reported: 30.08.2025 19:22 (2 sources, 2 articles). Sources:
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The campaign has been active since at least August 2024 and promoted other tools, including OneStart and Epibrowser browsers.
  First reported: 30.08.2025 19:22 (1 source, 1 article). Sources:
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- OneStart can download AppSuite-PDF, which can fetch PDF Editor, and the code-signing certificates used in this campaign have already been revoked.
  First reported: 30.08.2025 19:22 (1 source, 1 article). Sources:
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
- The campaign operators waited for the ads to run their course before activating the malicious components in the applications.
  First reported: 30.08.2025 19:22 (3 sources, 3 articles). Sources:
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The malware checks for various security agents on the host and queries the databases of installed web browsers using the DPAPI.
  First reported: 30.08.2025 19:22 (2 sources, 2 articles). Sources:
  - TamperedChef infostealer delivered through fraudulent PDF Editor — www.bleepingcomputer.com — 30.08.2025 19:22
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- TamperedChef is part of a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation.
  First reported: 20.11.2025 06:06 (1 source, 1 article). Sources:
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The malware uses code-signing certificates issued for shell companies registered in the U.S., Panama, and Malaysia to sign the fake applications.
  First reported: 20.11.2025 06:06 (2 sources, 2 articles). Sources:
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The malware is tracked as TamperedChef by Truesec and G DATA, and also referred to as BaoLoader by Expel.
  First reported: 20.11.2025 06:06 (2 sources, 2 articles). Sources:
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The campaign involves malicious ads or poisoned URLs that direct users to booby-trapped domains registered on NameCheap.
  First reported: 20.11.2025 06:06 (2 sources, 2 articles). Sources:
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The malware drops an XML file to create a scheduled task that launches an obfuscated JavaScript backdoor.
  First reported: 20.11.2025 06:06 (2 sources, 2 articles). Sources:
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The backdoor connects to an external server and sends basic information such as session ID, machine ID, and other metadata in the form of a JSON string that's encrypted and Base64-encoded over HTTPS.
  First reported: 20.11.2025 06:06 (2 sources, 2 articles). Sources:
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The campaign's end goals remain nebulous, with some iterations facilitating advertising fraud.
  First reported: 20.11.2025 06:06 (2 sources, 2 articles). Sources:
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- A significant concentration of infections has been identified in the U.S., and to a lesser extent in Israel, Spain, Germany, India, and Ireland.
  First reported: 20.11.2025 06:06 (2 sources, 2 articles). Sources:
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- Healthcare, construction, and manufacturing are the most affected sectors.
  First reported: 20.11.2025 06:06 (1 source, 1 article). Sources:
  - TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06
- The TamperedChef campaign has targeted organizations in Germany, the UK, and France, with a focus on those relying on specialized technical equipment.
  First reported: 16.01.2026 14:05 (1 source, 1 article). Sources:
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The campaign exploits users searching for appliance manuals or PDF editing software through malicious adverts.
  First reported: 16.01.2026 14:05 (1 source, 1 article). Sources:
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The malware establishes a connection to a command-and-control (C2) server for data exfiltration and retrieves an additional payload named ManualFinderApp.exe.
  First reported: 16.01.2026 14:05 (1 source, 1 article). Sources:
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
- The malicious behavior begins 56 days after the download to avoid detection and user suspicion.
  First reported: 16.01.2026 14:05 (1 source, 1 article). Sources:
  - TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals — www.infosecurity-magazine.com — 16.01.2026 14:05
Similar Happenings
Magecart Campaign Targets Six Major Card Networks Since 2022
A global Magecart campaign has been active since 2022, targeting six major payment networks: American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay. The campaign uses malicious JavaScript injected into e-commerce websites and payment portals to intercept payment details during checkout. The client-side nature of the attacks makes them difficult to detect, allowing threat actors to steal sensitive information for fraud or dark web sales. Silent Push discovered the campaign by analyzing a suspicious domain linked to PQ.Hosting/Stark Industries, revealing a long-term web-skimming operation with ongoing infections dating back to 2022. The skimmer employs advanced techniques to evade detection, including checking for administrative interfaces and creating fake payment forms to trick victims into entering their credit card details.
GhostPoster Campaign Uses Steganography in Firefox Addon Logos
A campaign named GhostPoster has been discovered, which hides malicious JavaScript code in the PNG logos of Firefox extensions. These extensions, with over 50,000 downloads, monitor browser activity and plant a backdoor. The hidden script acts as a loader that fetches the main payload from a remote server, retrieving it only 10% of the time to evade detection. The campaign involves 17 compromised extensions, primarily from popular categories like VPNs, weather, and translation tools. The payload can hijack affiliate links, inject tracking code, and commit click and ad fraud. Users are advised to remove these extensions and reset passwords for critical accounts.
Client-Side JavaScript Security Gaps Exploited During Holiday Shopping Seasons
Unmonitored JavaScript in client-side environments poses a significant security risk, especially during the holiday shopping season. Attackers exploit these gaps to steal payment data, bypassing traditional security measures like WAFs and intrusion detection systems. The 2024 holiday season saw major attacks, including the Polyfill.io breach affecting over 500,000 websites and the Cisco Magecart attack targeting holiday shoppers. These incidents highlight the need for enhanced client-side security measures to protect against data theft and unauthorized script execution. The holiday season amplifies risks due to increased attack motivation, code freeze periods, third-party dependencies, and resource constraints. Effective client-side security involves deploying Content Security Policy (CSP), implementing Subresource Integrity (SRI), conducting regular script audits, and using client-side monitoring tools. Organizations must adapt their security strategies to include comprehensive monitoring and protection of the client environment to safeguard against these evolving threats.
Rhadamanthys Stealer Adds Device Fingerprinting, PNG Steganography Payloads
Rhadamanthys Stealer, a popular information stealer, has been updated to include device and web browser fingerprinting capabilities. The malware now uses PNG steganography to conceal its payloads. The threat actor behind Rhadamanthys has also advertised two additional tools, Elysium Proxy Bot and Crypt Service, on their website. The stealer's current version is 0.9.2, and it is available under a malware-as-a-service (MaaS) model with tiered pricing packages. The threat actor has rebranded themselves as "RHAD security" and "Mythical Origin Labs," indicating a long-term business venture. The stealer's capabilities have evolved significantly, posing a comprehensive threat to personal and corporate security. The latest updates include enhanced obfuscation techniques, environment checks, and a Lua runner for additional plugins. The Rhadamanthys infostealer operation has been disrupted, with numerous customers reporting that they no longer have access to their servers. Cybercriminals claim that law enforcement gained access to their web panels, requiring certificate-based logins instead of root passwords. The disruption is suspected to be related to Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.
Oyster Malware Distributed via Fake Microsoft Teams Installers
A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools.