New TamperedChef Malware Leverages Productivity Tools to Gain Access and Exfiltrate Sensitive Data


A sophisticated malware campaign has emerged that weaponizes seemingly legitimate productivity tools to infiltrate systems and steal sensitive information.

The TamperedChef malware represents a concerning evolution in threat actor tactics, utilizing trojanized applications disguised as calendar tools and image viewers to bypass traditional security defenses.

This campaign demonstrates how cybercriminals increasingly exploit user trust in digitally signed software to facilitate initial access and establish persistent footholds within targeted environments.

The malware campaign centers around two primary applications: Calendaromatic.exe and ImageLooker.exe, both masquerading as benign productivity software while harboring malicious capabilities.

These applications are distributed through self-extracting 7-Zip archives that exploit CVE-2025-0411 to evade Windows’ Mark of the Web protections, allowing them to execute without triggering SmartScreen warnings or other reputation-based security controls.

The campaign leverages deceptive advertising and search engine optimization techniques to direct victims toward malicious downloads, often targeting users searching for free productivity utilities.


Field Effect analysts identified the campaign on September 22, 2025, during routine analysis of a potentially unwanted application flagged by Microsoft Defender.

Their investigation revealed a broader distribution network involving multiple suspicious signing publishers and command-and-control infrastructure.

The researchers discovered that both malicious applications were digitally signed by entities including CROWN SKY LLC and LIMITED LIABILITY COMPANY APPSOLUTE, providing a veneer of legitimacy that helps bypass user suspicion and endpoint defenses.

The malware’s impact extends beyond simple data theft, as it establishes comprehensive system compromise through browser hijacking, credential harvesting, and persistent backdoor access.

TamperedChef demonstrates particular sophistication in its ability to exfiltrate browser-stored credentials and session information while simultaneously redirecting web traffic and altering browser settings to facilitate ongoing malicious activities.

Advanced Evasion Through Unicode Encoding and Framework Exploitation

The TamperedChef campaign showcases remarkable technical sophistication through its exploitation of modern application frameworks and advanced encoding techniques.

Both Calendaromatic.exe and ImageLooker.exe are built using NeutralinoJS, a lightweight desktop framework that enables the execution of arbitrary JavaScript code within native applications.

This framework choice allows the malware to seamlessly interact with system APIs while maintaining the appearance of legitimate desktop software.

The malware employs Unicode homoglyphs as a primary evasion mechanism, encoding malicious payloads within seemingly benign API responses.

This technique lets the malware slip past traditional string-based detection and signature matching: the look-alike characters do not match the ASCII strings those signatures expect, so a payload that reads as "eval(" to a human never matches a rule written for "eval(".

When executed, the malware decodes these hidden payloads and executes them through the NeutralinoJS runtime, effectively creating a covert execution channel that operates beneath the radar of conventional monitoring systems.
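The countermeasure this evasion implies is to fold Unicode confusables before matching. The Python script below is an added defender-side example, not code from the Field Effect analysis; the exact encoding TamperedChef uses is not described in the write-up, so the sample responses, the partial confusables table and the keyword list are constructed for illustration.

```python
"""Fold Unicode homoglyphs before keyword matching on API responses (added example)."""
import re
import unicodedata

# Partial confusables table (constructed): Cyrillic and Greek letters that
# render like ASCII. Unicode's confusables.txt is far larger.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
})

# Strings a signature would look for in a NeutralinoJS/JavaScript payload (constructed).
SUSPICIOUS_KEYWORDS = ("eval(", "powershell", "function(", "require(")

# Constructed sample responses (not captured C2 traffic).
SAMPLES = {
    "benign": '{"status":"ok","events":["Team sync 10:00","Dentist 15:30"]}',
    # "eval(" in fullwidth Latin letters, "powershell" with Cyrillic o/e
    "suspicious": '{"status":"ok","note":"\uff45\uff56\uff41\uff4c(atob(x)) '
                  'p\u043ew\u0435rsh\u0435ll -enc"}',
    # Legitimate non-Latin text must not trip the check
    "cyrillic": '{"status":"ok","note":"Встреча завтра в 10:00"}',
}

def fold(text: str) -> str:
    """NFKC collapses fullwidth/compatibility forms; the table folds look-alikes."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES)

def homoglyph_tokens(text: str) -> list:
    """Tokens that arrive as non-ASCII but become pure ASCII once folded."""
    return [tok for tok in re.findall(r"\S+", text)
            if len(tok) > 1 and not tok.isascii() and fold(tok).isascii()]

def scan(text: str) -> dict:
    """Report folded text, disguised tokens and keyword hits for one response."""
    folded = fold(text).lower()
    hits = [kw for kw in SUSPICIOUS_KEYWORDS if kw in folded]
    tokens = homoglyph_tokens(text)
    return {"folded": folded, "homoglyph_tokens": tokens,
            "keywords": hits, "suspicious": bool(tokens and hits)}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan(body))
```

Requiring both a disguised token and a keyword hit keeps ordinary non-Latin content from being flagged while still catching script fragments hidden behind look-alike characters.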

Persistence mechanisms include the creation of scheduled tasks and registry modifications using specific command-line flags such as --install, --enableupdate, and --fullupdate.

Upon successful installation, the malware establishes immediate communication with command-and-control servers including calendaromatic[.]com and movementxview[.]com, enabling remote operators to issue commands and exfiltrate collected data.

The network communication occurs through encrypted channels that further complicate detection and analysis efforts by security teams.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.