TamperedChef Infostealer Spreads via Fake PDF Editor

Summary
– Threat actors use Google ads to distribute a fake PDF editing app that delivers the TamperedChef info-stealing malware.
– The malware activates after an update, collecting sensitive data like credentials and web cookies from infected systems.
– Over 50 domains host these deceptive apps, which are signed with fraudulent certificates from at least four companies.
– Some apps trick users into enrolling their devices into residential proxy networks in exchange for free tool usage.
– Researchers warn that the campaign is widespread and includes multiple interconnected apps capable of distributing malware or executing malicious commands.
A sophisticated malware campaign is distributing the TamperedChef infostealer through fraudulent PDF editing software promoted via Google advertisements. Security researchers have identified over 50 domains hosting these deceptive applications, which use counterfeit code-signing certificates to appear legitimate. The operation is both widespread and carefully timed, with malicious features activating only after ads have maximized their reach.
The malicious software, disguised as a free tool named AppSuite PDF Editor, initially functioned as a normal application. However, on August 21st, an update triggered its hidden data-stealing capabilities. This update, delivered using the “-fullupdate” argument, enabled the malware to harvest sensitive information such as login credentials and browser cookies. It also scans for the presence of security tools and uses Windows DPAPI to access encrypted browser data.
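The update-triggered behaviour described above gives defenders a concrete telemetry signal: a known campaign binary (or one signed by one of the revoked signers the article names) being launched with the "-fullupdate" argument. The triage below is an added example written for this article, not code from Bleeping Computer, Truesec or Expel; the event records and their field names (`image`, `cmdline`, `signer`) are constructed to resemble a typical process-creation export and are an assumption, not real campaign telemetry.

```python
import re

# Constructed sample process-creation events (hypothetical field names, not
# real telemetry). Only the product and signer names come from the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\AppSuite\PDF Editor.exe",
     "cmdline": '"PDF Editor.exe" -fullupdate', "signer": "ECHO Infini SDN BHD"},
    {"image": r"C:\Program Files\AppSuite\PDF Editor.exe",
     "cmdline": '"PDF Editor.exe"', "signer": "ECHO Infini SDN BHD"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe -fullupdate", "signer": "Microsoft Windows"},
    {"image": r"C:\Users\u\AppData\Local\OneStart\OneStart.exe",
     "cmdline": "OneStart.exe", "signer": "SUMMIT NEXUS Holdings LLC"},
]

# Signers the article reports issued the (since revoked) certificates.
REVOKED_SIGNERS = {"ECHO Infini SDN BHD", "SUMMIT NEXUS Holdings LLC"}
# Application names the article ties to the campaign ecosystem.
SUSPECT_IMAGES = re.compile(r"appsuite|pdf editor|onestart|epibrowser", re.I)
# The argument the article says delivered the data-stealing update.
UPDATE_ARG = re.compile(r"(?:^|\s)-fullupdate(?:\s|$)", re.I)


def triage_event(ev):
    """Score one process-creation event. Returns (severity, reasons)."""
    reasons = []
    if SUSPECT_IMAGES.search(ev.get("image", "")):
        reasons.append("image name matches a campaign application")
    if ev.get("signer") in REVOKED_SIGNERS:
        reasons.append("signed by a certificate reported as revoked")
    if not reasons:
        # A bare -fullupdate on an unrelated binary is not evidence on its own.
        return "none", []
    if UPDATE_ARG.search(ev.get("cmdline", "")):
        reasons.append("launched with the -fullupdate argument that armed the stealer")
        return "high", reasons
    return "medium", reasons


def triage(events):
    """Triage a batch of events; returns (image, severity, reasons) per event."""
    return [(ev["image"], *triage_event(ev)) for ev in events]


if __name__ == "__main__":
    for image, severity, reasons in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {image}  {'; '.join(reasons)}")
```

Existing installs that received the update before the certificates were revoked will still show the revoked signer, so the signer check is useful retrospectively as well as for new downloads.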
Investigations reveal that the threat actors behind this campaign relied heavily on Google Ads to drive traffic to their fraudulent sites. At least five distinct Google campaign IDs have been linked to the operation, indicating a broad and coordinated effort. The malicious update was deliberately deployed just before the typical 60-day expiration of the ad campaigns, suggesting a strategy to maximize infections before detection.
The fake applications were signed using certificates from at least four different companies, including ECHO Infini SDN BHD and SUMMIT NEXUS Holdings LLC. Although these certificates have since been revoked, existing installations remain vulnerable.
Beyond data theft, some versions of the malicious software also attempt to enroll infected devices into a residential proxy network. Users are presented with a message requesting permission to use their device as a proxy in exchange for “free” use of the tool. While the proxy service itself may be legitimate, its abuse by malware operators poses significant risks to affected users.
This campaign is part of a larger ecosystem of malicious and unwanted programs, including OneStart and Epibrowser, which can download each other and execute unauthorized commands. Although sometimes classified as Potentially Unwanted Programs (PUPs), their behavior aligns closely with traditional malware.
Security firms Truesec and Expel have published detailed indicators of compromise to help organizations detect and block this threat. The operation remains active, and additional malicious applications may still be undetected. Users are advised to exercise caution when downloading software from unfamiliar sources, especially when prompted by online advertisements.
(Source: Bleeping Computer)