TamperedChef Malware Disguised as Fake PDF Editors Steals Data

TamperedChef Malware Masquerades as PDF Editors to Steal Data

“Nowadays, malware files disguising themselves as official applications are getting used to steal confidential data.”

Cybersecurity researchers have uncovered a cybercrime campaign that uses malvertising to send victims to phony websites in order to distribute a new information stealer known as TamperedChef.


“The objective is to lure victims into downloading and installing a trojanized PDF editor, which includes an information-stealing malware dubbed TamperedChef,” Truesec researchers Mattias Wåhlén, Nicklas Keijser, and Oscar Lejerbäck Wolf said in a report published Wednesday.


“The malware is designed to harvest sensitive data, including credentials and web cookies.”


The campaign’s main tactic is the use of multiple fraudulent websites to advertise an installer for AppSuite PDF Editor, a free PDF editor which, once installed and launched, prompts the user to accept the program’s terms of service and privacy statement.

However, in the background the setup program secretly asks an external server to terminate the PDF editor program. It also establishes persistence on the host by altering the Windows Registry so that the downloaded executable is launched immediately upon reboot.

A --cm argument stored in the registry key supplies the binary with its instructions. The various websites offering these PDF editors all serve the same setup installer, which in turn downloads the PDF editor program from the server once the user agrees to the licensing agreement, according to German cybersecurity firm G DATA, which also examined the activity.

“It then executes the main application with no arguments, which is equivalent to starting the --install routine,” security researchers Karsten Hahn and Louis Sorita said.

“It also creates an autorun entry that supplies the command line argument --cm=--fullupdate for the next run of the malicious application.”

“At first, the PDF appears to have behaved mostly harmlessly, but the code included instructions to regularly check back for potential updates in a .js file that includes the --cm arguments,” the researchers explained.

“From August 21, 2025, machines that called back received instructions that activated the malicious capabilities, an information stealer, referred to as ‘Tamperedchef.’

“Once initialised, the stealer gathers a list of installed security products and attempts to terminate web browsers to access sensitive data, such as credentials and cookies.”

The effort is thought to have started on June 26, 2025, when a large number of fake websites were set up, or began using at least five distinct Google advertising campaigns, to promote the PDF editing program.

G DATA’s further examination of the trojanized program has shown that it functions as a backdoor and supports several modes of operation:

  1. --install, which creates two scheduled tasks, DFEditorScheduledTask and PDFEditorUScheduledTask. They execute the program with the options --cm=--partialupdate and --cm=--backupupdate, respectively, which start the --check and --ping routines.
  2. --cleanup, used by the uninstaller to remove the two scheduled tasks, unregister the computer from the server, and delete the backdoor files.
  3. --ping, to start a conversation with a command-and-control (C2) server and carry out actions on the machine, including downloading further malware, exfiltrating data, and modifying the registry.
  4. --check, to contact the C2 server for configuration, read browser keys, change browser settings, and run arbitrary commands, in order to query, exfiltrate, and manipulate data belonging to Chromium, OneLaunch, and Wave browsers, such as credentials, browsing history, cookies, or custom search engines.
  5. --reboot, similar to --check, with the additional ability to terminate particular processes.
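As an added example (not code from the Truesec or G DATA reports), the Python triage below scans constructed Run-key and scheduled-task records for the persistence pattern described above: the editor binary launched with a --cm=--<mode> switch, or a task carrying one of the reported task names. The record layout and the install path are assumptions.

```python
import re
from dataclasses import dataclass

# --cm modes reported on the page, mapped to the backdoor routine each one selects.
CM_MODES = {
    "--fullupdate": "autorun entry (--cm=--fullupdate)",
    "--partialupdate": "scheduled task -> --check routine",
    "--backupupdate": "scheduled task -> --ping routine",
}
# Scheduled-task names as printed in the G DATA findings above.
TASK_NAMES = {"DFEditorScheduledTask", "PDFEditorUScheduledTask"}
CM_RE = re.compile(r"(?:^|\s)--cm=(--\w+)")


@dataclass
class Finding:
    source: str    # "run_key" or "scheduled_task"
    name: str      # Run value name or task name
    cmdline: str
    reasons: list


def cm_mode(cmdline):
    """Return the value passed to --cm, or None when the switch is absent."""
    m = CM_RE.search(cmdline)
    return m.group(1) if m else None


def triage(records):
    """Return one Finding per record that matches the persistence pattern."""
    findings = []
    for rec in records:
        reasons = []
        mode = cm_mode(rec["cmdline"])
        if mode in CM_MODES:
            reasons.append(CM_MODES[mode])
        if rec["source"] == "scheduled_task" and rec["name"] in TASK_NAMES:
            reasons.append("task name matches a reported persistence task")
        if reasons:
            findings.append(Finding(rec["source"], rec["name"], rec["cmdline"], reasons))
    return findings


# Constructed sample records (assumed install path): one benign Run value, the
# TamperedChef-style autorun entry, and the two scheduled tasks described above.
EXE = r'"C:\Users\u\AppData\Local\PDF Editor\PDF Editor.exe"'
SAMPLE = [
    {"source": "run_key", "name": "OneDrive", "cmdline": r'"C:\Users\u\OneDrive.exe" /background'},
    {"source": "run_key", "name": "PDF Editor", "cmdline": EXE + " --cm=--fullupdate"},
    {"source": "scheduled_task", "name": "DFEditorScheduledTask", "cmdline": EXE + " --cm=--partialupdate"},
    {"source": "scheduled_task", "name": "PDFEditorUScheduledTask", "cmdline": EXE + " --cm=--backupupdate"},
]
```

Feeding an export of HKCU/HKLM Run values and scheduled-task actions in this shape into triage() yields one finding per matching entry with the reason for the match.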

Truesec added: “The length from the start of the [ad] campaign until the malicious update was also 56 days, which is close to the 60-day length of a typical Google advertising campaign, suggesting the threat actor let the ad campaign run its course, maximizing downloads, before activating the malicious features.”

The disclosures follow Expel’s examination of a massive ad campaign promoting PDF editors, which directed viewers to websites where they could download programs like AppSuite, PDF OneStart, and PDF Editor.

These PDF programs have occasionally been observed to turn the hosts into residential proxies or to download further trojanized apps without the users’ knowledge.

“AppSuite PDF Editor is malicious,” G DATA said. “It is a classic Trojan horse with a backdoor that is currently massively downloaded.”

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.
