
TamperedChef malvertising campaign distributing backdoor malware through trojanized PDFs

Type: Campaign
Happening score: 40
Sources: 2 unique sources, 2 articles

Summary


TamperedChef is a malvertising campaign that used Google ads and more than 50 domains to push a fake AppSuite PDF Editor carrying the TamperedChef information stealer. The ad campaign started around June 26, although the malicious app had already been submitted to VirusTotal on May 15. The installer behaved benignly until August 21, when an update activated credential and web-cookie theft. The installers were signed with code-signing certificates issued to at least four companies, all of which were later revoked.

Related Happenings

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign · First: 17.05.2026 17:43 · Last: 17.05.2026 17:43 · Sources: 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

Fake Claude PlugX phishing campaign

Campaign · First: 13.04.2026 12:52 · Last: 13.04.2026 12:52 · Sources: 1

About this happening: A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...

Latest development: 07.05.2026 13:02

A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat and avk.dll; the DLL is sideloaded to run DonutLoader, which in turn loads the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command and control over TCP 443 and/or UDP 8080. Related Beagle samples were submitted to VirusTotal between February and April 2026.

VENOM closed-access PhaaS operating model limits researcher visibility

Threat Actor Meta · First: 10.04.2026 00:37 · Last: 10.04.2026 00:37 · Sources: 1

About this happening: **VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...

UNC6783 BPO compromise campaign targeting downstream companies

Campaign · First: 09.04.2026 00:46 · Last: 09.04.2026 00:46 · Sources: 1

About this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...

DPRK-linked cryptoasset theft campaign continuing into 2026

Campaign · First: 03.04.2026 11:35 · Last: 03.04.2026 11:35 · Sources: 1

About this happening: The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...

Timeline

  1. 16.01.2026 14:05 · 3 articles

    Sophos details TamperedChef malvertising chain

    Technical Analysis Update

    Sophos details TamperedChef, a long-running malvertising campaign that uses trojanized PDF documents and fake ads for appliance manuals or PDF editing software to deliver infostealer and backdoor malware, with the heaviest targeting in Germany, the UK and France. The delivery chain combines malicious search-result advertising, decoy software, staged payload delivery, abuse of code-signing certificates and delayed activation to evade endpoint protection; the malware can wait 56 days after download before it starts any malicious behaviour, so a clean verdict at install time says little. Sophos recommends downloading only from official sources, restricting installable software to approved and trusted sources, and enforcing multi-factor authentication to limit the damage from stolen credentials.

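The delayed-activation and certificate-abuse tradecraft above suggests a simple hunting heuristic: an installed application that is quiet for weeks and then starts talking to the network, was signed with a certificate that has since been revoked, or was fetched from an origin nobody approved deserves a look. The script below is an added example, not Sophos' or the page's own tooling; it scores constructed inventory and outbound-connection telemetry on those three signals. Every application name, process name, signer thumbprint, domain and the 30-day dormancy threshold are assumptions made up for illustration.

```python
"""Hunting heuristic for delayed-activation trojanized installers.

Added example; not Sophos' or the page's own tooling. Scores each installed
application on three signals from the TamperedChef reporting: a long gap
between install and first outbound connection (the campaign waited 56 days),
a code-signing certificate that has since been revoked, and a download origin
outside an approved list. Every record, signer, domain and threshold below is
constructed for illustration.
"""
from datetime import datetime
from typing import Iterable, Optional

# Constructed software inventory; 'process' is the image name the app runs as.
INSTALLS = [
    {"app": "AppSuite PDF Editor", "process": "pdfeditor.exe",
     "installed": "2025-06-26T10:00:00",
     "signer_thumbprint": "AAAA1111",          # hypothetical thumbprint
     "source": "ads-pdfeditor.example"},        # hypothetical ad-served domain
    {"app": "Corp VPN Client", "process": "corpvpn.exe",
     "installed": "2025-06-26T09:00:00",
     "signer_thumbprint": "BBBB2222",          # hypothetical thumbprint
     "source": "downloads.corp.example"},       # hypothetical internal mirror
]

# Constructed outbound-connection telemetry (process, timestamp, destination).
NET_EVENTS = [
    {"process": "corpvpn.exe", "ts": "2025-06-26T09:05:00", "dest": "vpn.corp.example"},
    {"process": "pdfeditor.exe", "ts": "2025-08-21T14:30:00", "dest": "update.pdfeditor.example"},
]

# Hypothetical revocation list and approved download origins.
REVOKED_THUMBPRINTS = {"AAAA1111"}
APPROVED_SOURCES = {"downloads.corp.example"}

DORMANCY_DAYS = 30  # flag if the first outbound connection is this long after install


def first_outbound(process: str, events: Iterable[dict]) -> Optional[datetime]:
    """Earliest outbound connection made by `process`, or None if never seen."""
    times = [datetime.fromisoformat(e["ts"]) for e in events if e["process"] == process]
    return min(times) if times else None


def score_install(install: dict, events: Iterable[dict]) -> dict:
    """Return the signals that fire for one installed application."""
    signals = []
    installed = datetime.fromisoformat(install["installed"])
    first = first_outbound(install["process"], events)
    dormant_days = (first - installed).days if first else None
    if dormant_days is not None and dormant_days >= DORMANCY_DAYS:
        signals.append(f"dormant {dormant_days}d before first outbound connection")
    if install["signer_thumbprint"] in REVOKED_THUMBPRINTS:
        signals.append("signed with a now-revoked certificate")
    if install["source"] not in APPROVED_SOURCES:
        signals.append(f"installed from unapproved origin {install['source']}")
    return {"app": install["app"], "dormant_days": dormant_days,
            "signals": signals, "score": len(signals)}


def hunt(installs: Iterable[dict] = INSTALLS, events: Iterable[dict] = NET_EVENTS) -> list:
    """Score every install; highest-scoring (most suspicious) first."""
    events = list(events)
    return sorted((score_install(i, events) for i in installs),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for finding in hunt():
        print(f"{finding['app']}: score {finding['score']}")
        for signal in finding["signals"]:
            print(f"  - {signal}")
```

On the constructed data the fake PDF editor fires all three signals, with a 56-day gap between install and first outbound connection, while the VPN client scores zero. Two caveats for real use: an application that has not yet phoned home produces no dormancy signal at all, so long-silent installs are worth tracking as a separate watch state rather than treated as clean, and a revoked-certificate hit is only as current as the revocation list you feed it.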