In recent weeks, security teams have observed a surge in malvertising campaigns distributing what appears to be a fully functional PDF editor.
Dubbed TamperedChef, this malware masquerades as a legitimate application—AppSuite PDF Editor—leveraging convincing advertisements to lure European organizations and individuals into downloading the installer.
Once installed, the application behaves like a working PDF editor for nearly two months, during which victims remain unaware of its true nature.
During installation, users encounter a professional end-user license agreement dialogue consistent with mainstream software offerings.
This dialog, displayed in multiple languages, reinforces the illusion of legitimacy and bypasses automated sandbox detonations.
Clicking Accept and Install allows the MSI package to proceed without requiring administrative privileges, making it particularly effective in corporate environments with restricted user rights.
WithSecure Labs analysts identified TamperedChef following a sudden spike in credential-theft incidents within enterprise environments.
Telemetry data revealed that, upon activation, the malware’s hidden payload initiates the systematic harvesting of browser-stored usernames and passwords.
This exfiltration occurs silently, with stolen credentials transmitted to attacker-controlled infrastructure, paving the way for backdoor access and further lateral movement.
Once the malicious payload embedded within pdfeditor.js activates, the application transitions from a benign editor to a stealthy credential harvester.
The attack is orchestrated using a custom NodeJS module—Utilityaddon.node—which interacts with native Windows APIs to manipulate registry entries and scheduled tasks for persistence.
By inserting autorun registry keys under the current user hive, the malware ensures execution at each logon without elevating privileges.
Infection Mechanism
The infection begins when a user clicks a malicious advertisement and downloads the AppSuite PDF Editor installer from vault.appsuites.ai.
This installer, created with the Nullsoft Scriptable Install System (NSIS), unpacks the Electron-based application under the user’s profile directory.
The primary executable, PDF Editor.exe, launches a Chromium-based interface that loads additional JavaScript modules from remote servers.
Before any PDF editing functionality is available, the installer sets persistence via an autorun registry entry named PDFEditorAutoUp that points to the installed application.
At runtime, the obfuscated pdfeditor.js script checks for command-line switches, notably --cm, which triggers the malicious routines:
// Electron: only branch into the malicious path when the process was started with --cm
if (app.commandLine.hasSwitch('cm')) {
    // native Utilityaddon.node registers the scheduled task used for persistence
    utilityAddon.setupTasks(globals.scheduledTaskName);
    // harvest browser-stored credentials and exfiltrate them over HTTPS
    startCredentialHarvest();
}
By using command-line flags, the threat actors can toggle between benign and malicious behaviors, complicating detection.
Once the script executes startCredentialHarvest(), it scans local browser storage for credentials and dispatches them over HTTPS to attacker-controlled endpoints, while the visible PDF editor interface remains functional to avoid arousing suspicion.
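The persistence artefacts described above (the PDFEditorAutoUp autorun value, a scheduled task, and the --cm switch on PDF Editor.exe) can be hunted for on a single Windows host with the following script. It is an added example for defenders, not code from the article or from WithSecure; it assumes the autorun value sits under the standard per-user Run key, which the article does not name explicitly.

```powershell
# Hunt for TamperedChef-style persistence on the local host (added example, not the article's code).
# Assumption: the per-user autorun lives under the standard HKCU Run key.
$findings = @()
$pattern  = '(?i)PDF Editor\.exe|(^|\s)--cm(\s|$)'   # binary name or the --cm switch

# 1. Per-user autorun entries (readable without admin rights, like the malware's own install)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath, PSDrive, ...)
        if ($p.Name -eq 'PDFEditorAutoUp' -or "$($p.Value)" -match $pattern) {
            $findings += [pscustomobject]@{ Source = 'HKCU Run'; Name = $p.Name; Detail = $p.Value }
        }
    }
}

# 2. Scheduled tasks whose action launches the editor binary or passes --cm
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskPath + $task.TaskName; Detail = $cmd }
        }
    }
}

# 3. Live processes already running in the malicious (--cm) mode
Get-CimInstance Win32_Process -Filter "Name = 'PDF Editor.exe'" -ErrorAction SilentlyContinue | ForEach-Object {
    if ("$($_.CommandLine)" -match '(^|\s)--cm(\s|$)') {
        $findings += [pscustomobject]@{ Source = 'Process'; Name = $_.ProcessId; Detail = $_.CommandLine }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No TamperedChef persistence artefacts found.' }
```

Run it in the context of each interactive user, since the autorun value and the task are created in that user's hive and task folder rather than machine-wide.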