
Counterfeit PDF editing software downloads TamperedChef malware

Cybersecurity researchers have uncovered a sophisticated cybercrime campaign that employs malvertising techniques to redirect victims to fraudulent websites, ultimately delivering a new information stealer known as TamperedChef. The primary aim of this campaign is to entice users into downloading and installing a trojanised PDF editor, specifically the AppSuite PDF Editor, which is embedded with the TamperedChef malware. According to Truesec researchers Mattias Wåhlén, Nicklas Keijser, and Oscar Lejerbäck Wolf, the malware is engineered to extract sensitive information, including user credentials and web cookies. The campaign utilises multiple counterfeit sites to promote the PDF editor installer, which, upon installation, prompts users to agree to the software’s terms of service and privacy policy. In the background, the setup program covertly communicates with an external server to download the PDF editor while modifying the Windows Registry to ensure the executable runs automatically after a reboot.

The campaign is believed to have commenced on June 26, 2025, coinciding with the registration of numerous counterfeit sites and the launch of at least five Google advertising campaigns promoting the PDF editing software. Initially, the PDF editor appeared benign; however, it contained code that regularly checked for updates via a JavaScript file. From August 21, 2025, systems that connected back to the server received instructions that activated the malicious functionalities of the TamperedChef information stealer. Once operational, the malware identifies installed security products and attempts to terminate web browsers to access sensitive data. Further analysis by German cybersecurity firm G DATA revealed that the malware functions as a backdoor, enabling various features such as creating scheduled tasks and executing commands that trigger its malicious routines. 
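The two persistence mechanisms described above (a Registry modification that relaunches the executable after a reboot, and scheduled tasks created by the backdoor) are also the places a defender can look. The script below is an added example for hunting such entries on a Windows host; it is not code from the article, from Truesec or from G DATA. The article does not name the exact Registry key the installer modifies, so the script assumes the standard Run and RunOnce keys, and it flags any autorun entry or task action whose command line points into a user-writable directory, which is where a user-installed trojanised editor would typically live.

```powershell
# Added example (not from the article): list autorun Registry entries and
# scheduled-task actions, flagging those launched from user-writable paths.
# Assumption: the Run/RunOnce keys below are checked because the article
# does not say which key the installer modified.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a standard user can write to; a logon-time binary living
# here deserves a closer look.
$userWritableRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads"
) | Where-Object { $_ }

function Test-UserWritablePath {
    param([string]$CommandLine)
    foreach ($root in $userWritableRoots) {
        if ($CommandLine.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

$findings = @()

# 1. Registry autorun entries
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own metadata properties (PSPath, PSParentPath, ...)
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        $findings += [pscustomobject]@{
            Source  = $key
            Name    = $p.Name
            Command = $cmd
            Flagged = Test-UserWritablePath -CommandLine $cmd
        }
    }
}

# 2. Scheduled tasks: the article notes the backdoor creates its own tasks
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute property; only exec actions matter here
        if (-not $action.Execute) { continue }
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $findings += [pscustomobject]@{
            Source  = "Task:$($task.TaskPath)$($task.TaskName)"
            Name    = $task.TaskName
            Command = $cmd
            Flagged = Test-UserWritablePath -CommandLine $cmd
        }
    }
}

# Show only the flagged entries; drop the filter to review everything.
$findings | Where-Object Flagged | Format-Table -AutoSize Source, Name, Command
```

Run it in an elevated PowerShell session so the HKLM keys and all task folders are readable. A flagged entry is a lead, not a verdict: legitimate updaters also start from AppData, so compare each flagged command against the software the user actually installed and, for a PDF editor that arrived through a search advert, treat the install source itself as part of the evidence.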
