
Cybersecurity researchers have discovered a cybercrime campaign that uses deceptive tactics to direct victims to fraudulent sites that deliver a new information stealer called TamperedChef.
“The goal is to entice victims to download and install the Trojanized PDF editor, which includes information-stealing malware called TamperedChef.” “The malware is designed to harvest sensitive data such as credentials and web cookies.”
At the heart of the campaign is the use of several fake sites to promote a free PDF editor installer called AppSuite PDF Editor.
However, in the background, the setup program makes a covert request to an external server, drops the PDF editor program, and at the same time modifies the Windows registry to establish persistence on the host by ensuring that the downloaded executable starts automatically after a reboot. The registry key contains -CM argument parameters that pass instructions to the binary.

German cybersecurity company G Data, which analyzed the activity, also said that the various websites offering these PDF editors deliver the same setup installer, which downloads the PDF editor program from the server once the user accepts the license agreement.
“Next, the main application is run without discussion. This is equivalent to starting the -install routine,” said security researchers Karsten Hahn and Louis Solita. “It also creates an Autorun entry that provides the command-line argument -CM=-FullUpDate, running the following malicious application.”
The campaign is believed to have been launched on June 26, 2025, when many of the counterfeit sites were registered or began promoting their PDF editing software through at least five different Google Ads campaigns.
“In the beginning, the PDF editor appears to work almost harmlessly, but the code includes steps to periodically check for potential updates to .JS files containing the -CM argument,” the researchers explained. “From August 21, 2025, the machines that called back received instructions to enable a malicious information-stealing feature called ‘TamperedChef’.”
Once initialized, the stealer collects a list of installed security products and attempts to close the web browser so that it can access sensitive data such as credentials and cookies.
Further analysis of the malware-laden application by G Data revealed that it acts as a backdoor and supports many features:

- Install: creates a scheduled task named PDFEDITORSCHEDULEDTASK and a second task, pdfeditoruscheduledtask, that run the application with the -cm=-partialUpdate and -cm=-backupupdate arguments
- Delete: removes the two scheduled tasks
- Ping: communicates with the command-and-control (C2) server to receive actions to be performed on the system, which allows for malware downloads, data removal, and registry changes, among other things
- Check: contacts the C2 server for configuration, reads browser keys, sets up browsers, and runs arbitrary commands
- Checks for the Chrome, OneLaunch, and Wave browsers and collects credentials, browser history, cookies, or custom search engine settings
- Reboot the system
- Kill certain processes
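The persistence described above (an Autorun registry entry carrying a -CM argument, plus scheduled tasks that launch the editor with -cm=-partialUpdate or -cm=-backupupdate) can be hunted for on a Windows host with the read-only PowerShell script below. It is an added example, not code from G Data, Truesec, or the report; it assumes only the task names and argument values quoted in the article and reports matches for an analyst to review rather than changing anything.

```powershell
# Hunt for TamperedChef-style persistence: Run/RunOnce values whose command line
# carries a -cm=-<update> argument, and scheduled tasks with the names from the
# report (PDFEDITORSCHEDULEDTASK / pdfeditoruscheduledtask) or the same argument.
# Read-only: nothing is deleted or modified.
$taskNames  = @('PDFEDITORSCHEDULEDTASK', 'PDFEDITORUSCHEDULEDTASK')
# Quote in the article shows the argument as "-CM = -FullUpDate", so allow spaces.
$argPattern = '(?i)-cm\s*=\s*-(fullupdate|partialupdate|backupupdate)'

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Autorun values: any value whose data contains the suspicious argument.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $value = [string]$p.Value
        if ($value -match $argPattern) {
            $findings += [pscustomobject]@{
                Source = 'RunKey'; Location = "$key\$($p.Name)"; CommandLine = $value
            }
        }
    }
}

# 2. Scheduled tasks: match on the reported task names or on the argument itself,
#    so a renamed task that still uses -cm=-partialUpdate is also surfaced.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    if (($taskNames -contains $task.TaskName.ToUpper()) -or ($cmd -match $argPattern)) {
        $findings += [pscustomobject]@{
            Source = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; CommandLine = $cmd
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No TamperedChef-style persistence indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM keys and tasks registered by other users are readable; a hit is a lead for investigation, not proof of infection on its own.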

“The length of time since the start [of the ad] to the malicious update is also 56 days, which is close to the 60-day length of a typical Google Ads campaign, suggesting that the threat actors ran the ad campaign, maximized downloads, and then activated the malicious features,” Truesec said.
This disclosure coincides with an analysis from Expel detailing ads served to users that offer downloads of tools such as AppSuite, PDF OneStart, and PDF Editor. In some cases, these PDF programs have been observed downloading other Trojanized apps or turning hosts into residential proxies without the user's consent.
“The AppSuite PDF Editor is malicious,” says G Data. “This is a classic Trojan horse with a backdoor that is currently being downloaded at large scale.”