TamperedChef Malware Disguised as PDF Editor Hijacks Browser Credentials and Opens Backdoors


A sophisticated malware campaign dubbed TamperedChef has successfully compromised European organizations by masquerading as a legitimate PDF editor application, according to new research from WithSecure’s Strategic Threat Intelligence & Research Group (STINGR).

The campaign demonstrates how threat actors can leverage convincing advertising strategies and fully functional decoy applications to harvest sensitive credentials and establish persistent backdoor access.

The TamperedChef campaign began with users searching for free PDF editing software, only to encounter malicious advertisements that redirected them to attacker-controlled download sites.

TamperedChef – Country Heatmap.

The threat actors distributed their payload through a Microsoft Installer (MSI) package that displayed an End User License Agreement (EULA) dialog, creating an appearance of legitimacy while evading automated security detection systems.

The installation process required no administrative privileges, making it particularly effective in corporate environments with restricted user permissions.

EULA dialog displayed by the MSI installer.

Once installed under the user profile directory, the malware established persistence through autorun registry entries, ensuring the application launched automatically at system logon.

Technical Architecture and Payload

AppSuite PDF Editor was built using NodeJS and packaged as an Electron application, functioning as a full-featured Chromium-based browser.

The malicious functionality resided primarily in two components: pdfeditor.js, a heavily obfuscated JavaScript file responsible for both the user interface and malicious activities, and Utilityaddon.node, a custom NodeJS module designed to manipulate registry entries and scheduled tasks.

Application directory with non-obfuscated scripts.

The application operated as expected for nearly two months, providing legitimate PDF editing capabilities through web content hosted at pdf-tool[.]appsuites[.]ai. This extended dormancy period helped the malware avoid detection while establishing trust with users and security systems.

On August 21, 2025, the embedded payload activated and began systematically harvesting browser-stored credentials from infected systems.

The activation exposed the campaign’s true intent, prompting threat actors to quickly release sanitized versions (1.0.40 and 1.0.41) with malicious JavaScript code removed. However, these “clean” versions continued connecting to attacker-controlled infrastructure, maintaining potential backdoor capabilities.

Research revealed the existence of AppSuite Print, a similar decoy application built simultaneously but apparently abandoned due to lower market demand.

More concerning is the emergence of S3-Forge, identified as the campaign’s successor. This new variant builds directly on the PDF Editor concept while targeting software developers, potentially through Amazon Web Services cloud storage references.

“--cm” command line argument present in S3-Forge.

S3-Forge utilizes NuGet packages distributed via the Squirrel framework, indicating experimentation with new distribution methods. The application bundles malicious components into app.asar files, making detection more challenging while retaining the “--cm” command line argument that enables the malicious capabilities.
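Two of the traits described above are cheap to hunt for from the defender's side: an autorun entry whose target lives under the user profile (planted without administrative rights, as with the PDF Editor install) and the “--cm” switch on the command line (as seen in S3-Forge). The following triage script is an added example, not code from the report or from WithSecure; the Run-key entries it inspects are constructed sample values, not indicators from the campaign.

```python
import re

# Constructed sample HKCU ...\CurrentVersion\Run entries as (value name, command line).
# These are hypothetical illustrations, not indicators published in the report.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("PDF Editor", r'"C:\Users\alice\AppData\Local\Programs\PDF Editor\PDF Editor.exe"'),
    ("S3-Forge", r'"C:\Users\alice\AppData\Local\S3-Forge\S3-Forge.exe" --cm'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

# Matches executables stored under a per-user profile directory (no admin needed to write there).
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def split_command(cmd: str) -> tuple[str, list[str]]:
    """Split a Run-key command line into (executable path, argument list).

    Quoted paths (the common form for paths with spaces) are handled first;
    otherwise the executable is everything up to the first whitespace.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        head, _, rest = cmd.partition(" ")
        exe = head
    return exe, rest.split()


def triage_run_entry(name: str, cmd: str) -> list[str]:
    """Return the list of reasons an autorun entry deserves analyst attention (empty if none)."""
    exe, args = split_command(cmd)
    reasons = []
    if USER_PROFILE_RE.match(exe):
        reasons.append(f"{name}: autorun target lives under the user profile ({exe})")
    if "--cm" in args:
        reasons.append(f"{name}: '--cm' argument present, the switch that enables S3-Forge's malicious path")
    return reasons


def triage(entries: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    findings = {}
    for name, cmd in entries:
        reasons = triage_run_entry(name, cmd)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RUN_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the same logic can be fed from the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; an entry that matches only the user-profile check is merely unusual, while one that also carries “--cm” warrants isolation and credential rotation.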

Impact and Recommendations

Organizations affected by TamperedChef should assume complete compromise of browser-stored credentials. The campaign’s success demonstrates sophisticated planning, including obtaining legitimate code-signing certificates and executing targeted advertising campaigns.

Critical security measures include:

  • Immediate credential rotation for all affected users.
  • Session invalidation across all corporate systems.
  • Enforcement of approved software policies in business environments.
  • Disabling browser password storage where feasible.
  • Implementation of enterprise password managers with strict policy controls.

The TamperedChef campaign represents a concerning evolution in social engineering tactics, combining legitimate application functionality with patient, long-term compromise strategies. Organizations must remain vigilant against similar deceptive software distribution campaigns as threat actors continue refining these sophisticated attack methods.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.