TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies

By Team-CWD, September 6, 2025
Aug 29, 2025Ravie LakshmananMalware / Windows Security

Cybersecurity researchers have discovered a cybercrime campaign that’s using malvertising tricks to direct victims to fraudulent sites to deliver a new information stealer called TamperedChef.

“The objective is to lure victims into downloading and installing a trojanized PDF editor, which includes an information-stealing malware dubbed TamperedChef,” Truesec researchers Mattias Wåhlén, Nicklas Keijser, and Oscar Lejerbäck Wolf said in a report published Wednesday. “The malware is designed to harvest sensitive data, including credentials and web cookies.”

At the heart of the campaign is the use of several bogus sites to promote an installer for a free PDF editor called AppSuite PDF Editor that, once installed and launched, displays to the user a prompt to agree to the software’s terms of service and privacy policy.

In the background, however, the setup program makes covert requests to an external server to drop the PDF editor program, while also setting up persistence on the host by making Windows Registry changes to ensure that the downloaded executable is automatically started after a reboot. The registry key contains a --cm arguments parameter to pass instructions to the binary.

German cybersecurity company G DATA, which also analyzed the activity, said the various websites offering these PDF editors download the same setup installer, which then retrieves the PDF editor program from the server once the user accepts the license agreement.

“It then executes the main application with no arguments, which is equivalent to starting the --install routine,” security researchers Karsten Hahn and Louis Sorita said. “It also creates an autorun entry that supplies the command line argument --cm=--fullupdate for the next run of the malicious application.”

It’s assessed that the campaign kicked off on June 26, 2025, when many of the counterfeit sites were either registered or began advertising the PDF editing software through at least five different Google advertising campaigns.

“At first the PDF appears to have behaved mostly harmlessly, but the code included instructions to regularly check back for potential updates in a .js file that includes the --cm arguments,” the researchers explained. “From August 21, 2025, machines that called back received instructions that activated the malicious capabilities, an information stealer, referred to as ‘Tamperedchef.’”

Once initialised, the stealer gathers a list of installed security products and attempts to terminate web browsers so as to access sensitive data, such as credentials and cookies.

Further analysis of the malware-laced application by G DATA has revealed that it acts as a backdoor, supporting a number of features:

  • --install, to create scheduled tasks named PDFEditorScheduledTask and PDFEditorUScheduledTask that run the application with --cm=--partialupdate and --cm=--backupupdate arguments, respectively, to trigger the --check and --ping routines
  • --cleanup, which is called by the uninstaller to remove the backdoor files, unregister the machine from the server, and delete the two scheduled tasks
  • --ping, to initiate communications with a command-and-control (C2) server for actions to execute on the system, which, among others, allow additional malware downloads, data exfiltration, and Registry changes
  • --check, to contact the C2 server for configuration, read browser keys, alter browser settings, and execute arbitrary commands to query, exfiltrate, and manipulate data associated with Chromium, OneLaunch, and Wave browsers, including credentials, browser history, cookies, or setting custom search engines
  • --reboot, same as --check along with capabilities to kill specific processes
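The two persistence mechanisms described above (the Run-key autorun entry carrying --cm=--fullupdate, and the PDFEditorScheduledTask / PDFEditorUScheduledTask scheduled tasks) are what a defender can hunt for on an endpoint. The following read-only triage script is an added example, not code from the Truesec or G DATA reports; the task names and --cm switch values come from the article, while the Run-key paths and the output layout are assumed triage conventions.

```powershell
# Added example: hunt a Windows host for TamperedChef-style persistence artifacts.
# Read-only: it only enumerates scheduled tasks and Run keys, it changes nothing.

# Task names and command-line switches are taken from the article.
$TaskNames = @('PDFEditorScheduledTask', 'PDFEditorUScheduledTask')
$CmPattern = '--cm=--(fullupdate|partialupdate|backupupdate)'

# Standard per-user and machine-wide autorun locations (assumed hunt scope).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# 1. Scheduled tasks: match on the exact names, or on any action whose
#    arguments carry one of the --cm switches regardless of task name.
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $taskArgs = ($t.Actions | ForEach-Object { $_.Arguments }) -join ' '
    $taskExe  = ($t.Actions | ForEach-Object { $_.Execute })   -join ' '
    if ($TaskNames -contains $t.TaskName -or $taskArgs -match $CmPattern) {
        $findings += [pscustomobject]@{
            Type     = 'ScheduledTask'
            Location = "$($t.TaskPath)$($t.TaskName)"
            Command  = "$taskExe $taskArgs".Trim()
        }
    }
}

# 2. Run keys: flag any value whose data contains a --cm switch.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match $CmPattern) {
            $findings += [pscustomobject]@{
                Type     = 'RunKey'
                Location = "$key\$($p.Name)"
                Command  = $p.Value
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No TamperedChef-style persistence artifacts found.' }
```

Run it in an elevated PowerShell session so HKLM and all task folders are readable; a hit is a lead for isolating the host and hashing the referenced binary, not proof by itself.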

“The length from the start of the [ad] campaign until the malicious update was also 56 days, which is close to the 60-day length of a typical Google advertising campaign, suggesting the threat actor let the ad campaign run its course, maximizing downloads, before activating the malicious features,” Truesec said.

The disclosures coincide with an analysis from Expel that detailed a large ad campaign advertising PDF editors, with the ads directing users to websites offering downloads of tools like AppSuite, PDF OneStart, and PDF Editor. In some cases, these PDF programs have been found to download other trojanized apps without users’ consent or turn the hosts into residential proxies.

“AppSuite PDF Editor is malicious,” G DATA said. “It is a classic trojan horse with a backdoor that is currently massively downloaded.”


