Current Cyber Threats

TamperedChef Serves Bad Ads, with Infostealers as the Main Course

Summary:
Sophos X-Ops has detailed their research on "TamperedChef," a recent and still active malvertising campaign likely associated with the broader "EvilAI" activity cluster, which utilizes SEO poisoning and paid advertisements (Google and Bing Ads) to distribute trojanized utilities. This research confirms some of the findings from earlier research into TamperedChef, published by TrueSec, WithSecure, and G Data. The threat actors target users searching for technical appliance manuals or PDF editing software, redirecting them to deceptive domains such as fullpdf[.]com and pdftraining[.]com to download a malicious installer (AppSuite-PDF.msi). A critical evasion tactic employed is an approximate 56-day dormancy period between initial infection and payload activation, designed to bypass sandbox analysis and align with the duration of legitimate ad campaigns. Upon remote activation, the malware, which includes the potentially AI-obfuscated pdfeditor.js and ManualFinderApp.exe, executes infostealer capabilities to harvest browser credentials, cookies, and system data while establishing persistence via scheduled tasks and registry keys. The campaign has demonstrated global reach, compromising over 300 hosts across 100+ customer environments in 19 countries, with notably high infection rates in Germany, the UK, and France, specifically impacting sectors that rely on specialized technical documentation. However, Sophos surmises this is more opportunistic than deliberate targeting of any specific regions.

Security Officer Comments:
The TamperedChef campaign represents a notable evolution in tactics, specifically in its implementation of extreme patience for defense evasion. While SEO poisoning and the abuse of Google/Bing Ads are established vectors, the introduction of an approximate 56-day dormancy period between infection and payload activation marks a significant shift in phishing tactics designed to defeat standard automated analysis environments and short-term behavioral monitoring. It allows the threat actors to establish a persistent foothold that appears benign for nearly two months before pivoting to malicious activity.

The targeting of specialized technical appliance manuals and PDF utilities suggests a strategic focus on corporate environments where employees frequently seek external documentation for operational tasks. Unlike broad campaigns targeting popular consumer software, this approach increases the likelihood of compromising endpoints within engineering, IT, or administrative sectors, users who often possess elevated privileges or access to sensitive proprietary data. The suspected use of AI-generated or obfuscated code within pdfeditor.js aligns with the growing trend of threat actors leveraging generative AI to lower the barrier for sophisticated tool development.

Suggested Corrections:
IOCs: https://github.com/sophoslabs/IoCs/blob/master/TamperedChef_IOCs.csv

Sophos Proactive Recommended Actions
  • Avoid installing software from ads: Avoid clicking installation links or pop-ups in online ads — even if they appear to come from familiar or well-known brands. Instead, obtain software only from official vendor sites.
  • Implement strict application controls: In corporate settings, restrict installations to approved software only where appropriate.
  • Harden credential management: Disable browser-based password storage where possible and enforce the use of secure, organization-approved password managers; require MFA or passkeys for all accounts to reduce the risk of credential theft and unauthorized access.
  • Educate end users on safe software acquisition: Conduct awareness training focused on recognizing malvertising, deceptive download pages, and fraudulent installers — reinforcing that software should only be downloaded from official vendor websites or trusted app stores.
Sophos Post-incident Recommended Actions
  • Conduct comprehensive endpoint scans using updated threat intelligence to detect known indicators of compromise.
  • Reimage compromised endpoints and enforce immediate credential resets to eliminate persistence risks.
  • Verify and enforce Multi-Factor Authentication (MFA) for all impacted users and systems not previously protected.
  • Strengthen behavioural monitoring and detection capabilities to identify malicious activity and potential follow-on payloads.
  • Restrict installation of unverified or unauthorized software using application control and publisher validation policies.
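As an added example (not code from the Sophos report or the IOC list linked above), the following Python script shows how the endpoint-scan and behavioural-monitoring steps could be prototyped against endpoint telemetry. It flags events that reference the artifact names given in the summary (AppSuite-PDF.msi, pdfeditor.js, ManualFinderApp.exe, fullpdf[.]com, pdftraining[.]com), ties scheduled-task creation and Run-key writes to those artifacts, and measures the gap between the installer run and the payload's first outbound connection, so that a sleeper install which a short sandbox run would never observe still surfaces in retrospective hunting. The Sysmon-style event schema, the sample events, the task and key names, and the 30-day threshold are constructed assumptions.

```python
"""Hunt for TamperedChef-style artifacts and long-dormancy activation in endpoint telemetry.

Illustrative code, not from the Sophos report. Artifact names come from the report;
the event schema, sample data and 30-day dormancy threshold are assumptions.
"""
import re
from datetime import datetime, timedelta

# File and domain names the report associates with the campaign.
ARTIFACT_PATTERNS = [
    re.compile(r"appsuite-pdf\.msi", re.I),
    re.compile(r"pdfeditor\.js", re.I),
    re.compile(r"manualfinderapp\.exe", re.I),
    re.compile(r"fullpdf\.com", re.I),
    re.compile(r"pdftraining\.com", re.I),
]

# Persistence mechanisms named in the report: scheduled tasks and registry keys.
# Event type labels are assumed Sysmon-style names, not a real product schema.
PERSISTENCE_EVENTS = {"ScheduledTaskCreated", "RegistrySet"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run", re.I)

# Constructed sample telemetry (not real data): WS-0412 installs the trojanized
# editor, sets persistence, then stays quiet ~56 days before beaconing out.
# WS-0099 is a benign install that phones home immediately.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:12:00", "host": "WS-0412", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\j.doe\Downloads\AppSuite-PDF.msi"'},
    {"ts": "2025-06-01T09:12:40", "host": "WS-0412", "type": "ScheduledTaskCreated",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "PDFEditorUpdate" /tr "C:\Program Files\AppSuite\pdfeditor.js"'},
    {"ts": "2025-06-01T09:12:45", "host": "WS-0412", "type": "RegistrySet",
     "image": r"C:\Program Files\AppSuite\ManualFinderApp.exe",
     "cmdline": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ManualFinder"},
    {"ts": "2025-07-27T10:00:00", "host": "WS-0412", "type": "NetworkConnect",
     "image": r"C:\Program Files\AppSuite\ManualFinderApp.exe",
     "cmdline": "dst=pdftraining.com:443"},
    {"ts": "2025-06-02T10:00:00", "host": "WS-0099", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\a.lee\Downloads\vendor-tool.msi"'},
    {"ts": "2025-06-02T10:00:30", "host": "WS-0099", "type": "NetworkConnect",
     "image": r"C:\Program Files\VendorTool\tool.exe",
     "cmdline": "dst=updates.example.com:443"},
]


def _matches_artifact(text):
    return any(p.search(text) for p in ARTIFACT_PATTERNS)


def find_ioc_hits(events):
    """Return (host, event type, command line) for every event naming a known artifact."""
    hits = []
    for e in events:
        if _matches_artifact(f"{e['image']} {e['cmdline']}"):
            hits.append((e["host"], e["type"], e["cmdline"]))
    return hits


def find_persistence(events):
    """Flag scheduled-task creation and Run-key writes that involve a known artifact."""
    flagged = []
    for e in events:
        if e["type"] not in PERSISTENCE_EVENTS:
            continue
        # Only Run-key writes count as registry persistence here; other key writes are noise.
        if e["type"] == "RegistrySet" and not RUN_KEY_RE.search(e["cmdline"]):
            continue
        if _matches_artifact(f"{e['image']} {e['cmdline']}"):
            flagged.append((e["host"], e["type"]))
    return flagged


def find_dormant_activation(events, threshold_days=30):
    """Per host, measure installer run -> first outbound connection after it.

    A gap of weeks is the sleeper pattern a short sandbox run cannot observe.
    Returns {host: gap in whole days} for hosts at or above the threshold.
    """
    installs, first_net = {}, {}
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        host = e["host"]
        if e["type"] == "ProcessCreate" and "msiexec" in e["image"].lower():
            installs.setdefault(host, ts)
        elif e["type"] == "NetworkConnect" and host in installs:
            first_net.setdefault(host, ts)
    threshold = timedelta(days=threshold_days)
    return {h: (first_net[h] - installs[h]).days
            for h in installs if h in first_net and first_net[h] - installs[h] >= threshold}


if __name__ == "__main__":
    print("IOC hits:", find_ioc_hits(SAMPLE_EVENTS))
    print("Persistence:", find_persistence(SAMPLE_EVENTS))
    print("Dormant activations (days):", find_dormant_activation(SAMPLE_EVENTS))
```

In a real deployment the event list would be replaced by a query against the EDR or SIEM, and the artifact list by the CSV from the IOC link above; the dormancy check is the part worth keeping regardless of the indicator set, since it catches a payload whose names have changed but whose "install now, act in two months" behaviour has not.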
Link(s):
https://www.sophos.com/en-us/blog/tamperedchef-serves-bad-ads-with-infostealers-as-the-main-course