The TamperedChef infostealer has emerged as a serious threat, hiding inside a fraudulent PDF editor promoted through Google Ads. This deceptive campaign tricked users into downloading an app that appeared legitimate, only to later activate malicious features. With delayed activation and credential theft, the campaign shows how cybercriminals continue to evolve their tactics.
Malvertising and the Fake PDF Tool
Attackers distributed TamperedChef using AppSuite PDF Editor, a fraudulent application pushed through malicious ads. The app seemed functional at first, offering basic PDF editing features. This design lulled victims into trusting it while the malware quietly prepared to strike.
Researchers traced the campaign to over 50 domains and several Google Ads campaigns. The widespread reach increased the chances of unsuspecting users downloading the infected program.
Delayed Activation Tactics
One of TamperedChef’s most dangerous traits is its delayed activation. Although VirusTotal flagged the app as suspicious months earlier, the infostealer remained dormant until August 21, 2025.
This approach ensured the malware bypassed early detection and avoided immediate takedowns. By waiting until near the end of ad campaigns, the attackers maximized infections before security researchers reacted.
How TamperedChef Works
Once active, TamperedChef targeted browser data and credentials. It decrypted sensitive information using Windows’ Data Protection API (DPAPI) and checked systems for security tools. This careful design allowed the malware to gather data while avoiding detection.
The infostealer payload was installed when the program was run with its -fullupdate argument, a step that happened silently. Code-signing certificates issued to several companies lent the tool additional credibility until they were revoked.
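A defender-side triage check for the behaviour described in this section, written here as an added example rather than code from the article or from the Truesec and Expel reports. It flags process-creation records where the editor is launched with the -fullupdate argument the article names, or where the signing certificate is reported revoked; the Sysmon-style field names, the image name PDF Editor.exe and the sample events are assumptions and constructed data, not published indicators.

```python
from __future__ import annotations
import shlex
from dataclasses import dataclass

# Assumed image name of the fake editor (not an indicator from the reports);
# replace with the file names published in the vendor IoC lists.
SUSPECT_IMAGES = {"pdf editor.exe"}
STAGING_SWITCH = "-fullupdate"  # the argument the article names

@dataclass
class Finding:
    pid: int
    reason: str

def _tokens(command_line: str) -> list[str]:
    # posix=False keeps Windows paths and quoted segments intact.
    return [t.strip('"').lower() for t in shlex.split(command_line, posix=False)]

def triage(events: list[dict]) -> list[Finding]:
    """Apply two rules to Sysmon-style process-creation records."""
    findings = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        toks = _tokens(ev["CommandLine"])
        # Rule 1: the editor binary relaunched with the staging switch.
        if image in SUSPECT_IMAGES and STAGING_SWITCH in toks[1:]:
            findings.append(Finding(ev["ProcessId"], "editor launched with -fullupdate"))
        # Rule 2: a binary whose signing certificate is now reported revoked.
        if ev.get("SignatureStatus", "").lower() == "revoked":
            findings.append(Finding(ev["ProcessId"], f"revoked signer: {ev.get('Signature', '?')}"))
    return findings

# Constructed sample events; field names follow Sysmon Event ID 1, values are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\AppSuite\PDF Editor.exe",
     "CommandLine": r'"C:\Program Files\AppSuite\PDF Editor.exe" report.pdf',
     "SignatureStatus": "Valid", "Signature": "EXAMPLE SIGNER A"},
    {"ProcessId": 4388, "Image": r"C:\Program Files\AppSuite\PDF Editor.exe",
     "CommandLine": r'"C:\Program Files\AppSuite\PDF Editor.exe" -FullUpdate',
     "SignatureStatus": "Revoked", "Signature": "EXAMPLE SIGNER A"},
    {"ProcessId": 4402, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe -fullupdate",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.pid, f.reason)
```

Only the second sample record trips both rules; the ordinary editor launch and an unrelated binary carrying the same switch are left alone, which is the point of tying the rule to the image name.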
Linked Tools and Broader Campaign
Investigators connected TamperedChef’s operators to other suspicious software, including OneStart and EpiBrowser. These applications often appeared legitimate but were flagged as potentially unwanted programs. Some may have been used to turn infected systems into residential proxies, further aiding cybercriminal operations.
Defensive Measures
Although code-signing certificates used in the campaign have been revoked, previously downloaded versions remain dangerous. Security teams should review the indicators of compromise (IoCs) released by Truesec and Expel.
Organizations should also monitor ad-based downloads and enforce stricter software vetting processes. Preventing malvertising-based infections requires vigilance across both user behavior and enterprise defenses.
Final Thoughts
The TamperedChef infostealer demonstrates how cybercriminals exploit trust through fake applications and clever timing. By blending functionality with hidden threats, attackers gained access to sensitive browser data while evading detection. The campaign is a reminder that even familiar tools, like PDF editors, can conceal major risks. Staying alert, applying IoCs, and verifying downloads remain critical in defending against evolving malware threats.