
TamperedChef Infostealer Spreads via Fake PDF Editor

Summary

– Threat actors use Google ads to distribute a fake PDF editing app that delivers the TamperedChef info-stealing malware.
– The malware activates after an update, collecting sensitive data like credentials and web cookies from infected systems.
– Over 50 domains host these deceptive apps, which are signed with fraudulent certificates from at least four companies.
– Some apps trick users into enrolling their devices into residential proxy networks in exchange for free tool usage.
– Researchers warn that the campaign is widespread and includes multiple interconnected apps capable of distributing malware or executing malicious commands.

A sophisticated malware campaign is distributing the TamperedChef infostealer through fraudulent PDF editing software promoted via Google advertisements. Security researchers have identified over 50 domains hosting these deceptive applications, which use counterfeit code-signing certificates to appear legitimate. The operation is both widespread and carefully timed, with malicious features activating only after ads have maximized their reach.

The malicious software, disguised as a free tool named AppSuite PDF Editor, initially functioned as a normal application. However, on August 21st, an update triggered its hidden data-stealing capabilities. This update, delivered using the “-fullupdate” argument, enabled the malware to harvest sensitive information such as login credentials and browser cookies. It also scans for the presence of security tools and uses Windows DPAPI to access encrypted browser data.

Investigations reveal that the threat actors behind this campaign relied heavily on Google Ads to drive traffic to their fraudulent sites. At least five distinct Google campaign IDs have been linked to the operation, indicating a broad and coordinated effort. The malicious update was deliberately deployed just before the typical 60-day expiration of the ad campaigns, suggesting a strategy to maximize infections before detection.

The fake applications were signed using certificates from at least four different companies, including ECHO Infini SDN BHD and SUMMIT NEXUS Holdings LLC. Although these certificates have since been revoked, existing installations remain vulnerable.

Beyond data theft, some versions of the malicious software also attempt to enroll infected devices into a residential proxy network. Users are presented with a message requesting permission to use their device as a proxy in exchange for “free” use of the tool. While the proxy service itself may be legitimate, its abuse by malware operators poses significant risks to affected users.

This campaign is part of a larger ecosystem of malicious and unwanted programs, including OneStart and Epibrowser, which can download each other and execute unauthorized commands. Although sometimes classified as Potentially Unwanted Programs (PUPs), their behavior aligns closely with traditional malware.

Security firms Truesec and Expel have published detailed indicators of compromise to help organizations detect and block this threat. The operation remains active, and additional malicious applications may still be undetected. Users are advised to exercise caution when downloading software from unfamiliar sources, especially when prompted by online advertisements.
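As an added illustration (not code from the article, nor from Truesec or Expel), the following hunt walks constructed Sysmon-style process-creation events and flags the "-fullupdate" switch and the two revoked signers named above; the event field names and sample records are assumptions, not real telemetry.

```python
import json
import re

# Signers the article names as having issued the (since revoked) certificates.
REVOKED_SIGNERS = {"ECHO Infini SDN BHD", "SUMMIT NEXUS Holdings LLC"}
# Update switch the article reports as the trigger for the data-stealing stage.
TRIGGER_ARG = re.compile(r"(^|\s)-fullupdate(\s|$)", re.IGNORECASE)


def classify_event(event: dict) -> list:
    """Return the reasons a process-creation event looks suspicious (empty if none)."""
    reasons = []
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    signer = event.get("Signature", "")
    if "appsuite" in image and "pdf" in image:
        reasons.append("image path matches AppSuite PDF Editor")
    if TRIGGER_ARG.search(cmdline):
        reasons.append("command line carries the -fullupdate switch")
    if signer in REVOKED_SIGNERS:
        reasons.append(f"binary signed by revoked signer '{signer}'")
    return reasons


def hunt(log_lines) -> list:
    """Return (RecordId, reasons) for every JSON event line that raises a flag."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue  # skip blank lines in the export
        event = json.loads(line)
        reasons = classify_event(event)
        if reasons:
            hits.append((event.get("RecordId"), reasons))
    return hits


# Constructed sample export (assumed field names; not captured from a real host).
SAMPLE_LOG = r"""
{"RecordId": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "Signature": "Microsoft Windows"}
{"RecordId": 2, "Image": "C:\\Program Files\\AppSuite PDF Editor\\pdfeditor.exe", "CommandLine": "pdfeditor.exe -fullupdate", "Signature": "ECHO Infini SDN BHD"}
{"RecordId": 3, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe", "CommandLine": "setup.exe /quiet", "Signature": "SUMMIT NEXUS Holdings LLC"}
"""

if __name__ == "__main__":
    for record_id, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(record_id, "->", "; ".join(reasons))
```

Revoked-signer matching only helps where the signature field is populated; hosts that lack signer telemetry still need the image-path and command-line rules.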

(Source: Bleeping Computer)


The Wiz

Wiz Consults, home of the Internet is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.