TamperedChef global malvertising campaign
Campaign
Summary
The TamperedChef campaign is actively using bogus installers and malvertising to deliver malware, putting users searching for software downloads or product manuals at risk. It also leans on SEO poisoning and abused code-signing certificates to make the fake software appear trustworthy and to evade detection. The operation is ongoing and has already produced infections across the U.S., Israel, Spain, Germany, India, and Ireland.
Related Happenings
Storm-2561 SEO-poisoning VPN credential-theft campaign
Campaign
First: 13.03.2026 15:38
Last: 13.03.2026 15:38
Sources 1
About this happening:
The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...
TamperedChef malvertising campaign distributing backdoor malware through trojanized PDFs
Campaign
First: 16.01.2026 14:05
Last: 16.01.2026 14:05
Sources 1
About this happening:
The **TamperedChef** campaign is a **malvertising** operation that used **Google ads** and **more than 50 domains** to push a fake **AppSuite PDF Editor** and deliver the **Tamper...
SideWinder South Asia diplomatic spear-phishing campaign using PDF and ClickOnce
Campaign
First: 28.10.2025 06:01
Last: 28.10.2025 06:01
Sources 1
About this happening:
A **SideWinder** campaign used **four waves** of spear-phishing from **March through September 2025**, reaching a **European embassy in New Delhi** and organizations in **Sri Lank...
EvilAI global AI/productivity-tool malware campaign
Campaign
First: 29.09.2025 19:36
Last: 29.09.2025 19:36
Sources 1
About this happening:
The **EvilAI** campaign is using **legitimate-looking AI and productivity tools** to distribute malware across **Europe, the Americas, and AMEA**, creating broad risk of **initial...
EvilAI malware activity spreading through fake AI apps
Malware Activity
First: 11.09.2025 21:37
Last: 11.09.2025 21:37
Sources 1
How related:
It's assessed to be part of a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation.
About this happening:
**EvilAI** is a **global malware activity** that uses **fake AI and productivity apps** to infect organizations across **Europe, the Americas, and AMEA**. The campaign has been as...
Timeline
- 20.11.2025 06:06 · 2 articles · 6mo ago
TamperedChef global malvertising campaign disclosed
Initial Disclosure: TamperedChef is an ongoing global malvertising campaign that uses bogus installers masquerading as popular software, malicious ads, poisoned URLs, and booby-trapped NameCheap domains to trick users searching for PDF editors or product manuals into installing malware. The installers prompt users to accept licensing terms, then drop an XML file that creates a scheduled task to launch an obfuscated JavaScript backdoor for persistence and remote access. Associated infrastructure remains active, with infections concentrated in the U.S. and additional activity in Israel, Spain, Germany, India, and Ireland, especially across healthcare, construction, and manufacturing.
Sources:
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign — thehackernews.com — 20.11.2025 06:06