Google Ads Exploited to Deliver TamperedChef Through Malicious PDF Editor

A sophisticated malvertising campaign tracked as TamperedChef has compromised over 100 organizations across 19 countries by distributing weaponized PDF editing software through Google Ads.

Sophos Managed Detection and Response (MDR) teams discovered the operation in September 2025, revealing a multi-layered attack infrastructure designed to steal browser credentials and establish persistent backdoor access on Windows systems.

The campaign, which security researchers link to the broader EvilAI operation, began in June 2025 when threat actors registered numerous deceptive domains promoting a trojanized application called AppSuite PDF Editor.

By leveraging malicious advertisements on legitimate sites like ManualsLib and search engine optimization tactics, attackers successfully lured users searching for product manuals or PDF editing tools into downloading the infected installer.

The malware remained dormant for approximately 56 days before activating its credential-stealing capabilities on August 21, 2025.

Sophos MDR analysts identified Germany as the most affected country with 15% of victims, followed by the United Kingdom at 14% and France at 9%.

The campaign primarily targeted industries that rely on specialized technical equipment, whose users frequently search online for appliance manuals and documentation.

Security telemetry confirmed over 300 compromised systems across the affected organizations before coordinated takedown operations began.

Malvertising Distribution

The TamperedChef operation demonstrated advanced evasion tactics through its 56-day dormancy period, strategically aligned with typical advertising campaign durations.

This delay allowed threat actors to maximize infections before triggering malicious behavior, making detection significantly more challenging.

The TamperedChef attack chain (source – SOPHOS).

Users clicking on sponsored search results were redirected to fraudulent domains, including fullpdf[.]com and pdftraining[.]com, where the Appsuite PDF.msi installer was hosted.

Upon execution, the installer deployed PDFEditorSetup.exe and established persistence through registry modifications and scheduled tasks.

The malware included a heavily obfuscated JavaScript file (pdfeditor.js) that researchers believe may be AI-generated, creating unique variants capable of bypassing signature-based antivirus detection.

The primary payload, PDF Editor.exe, functioned as both a legitimate PDF editing tool and a hidden infostealer targeting browser-stored credentials.

Before executing data theft operations, the malware enumerated installed security products including Bitdefender, CheckPoint, Fortinet, G DATA, Kaspersky, and Zillya through registry queries.

It terminated active browser processes and leveraged the Windows Data Protection API (DPAPI) to extract stored credentials, cookies, and autofill data from Google Chrome, Microsoft Edge, and other browsers.

The Bing click URL includes tracking and redirect parameters, indicating that the user arrived at the ManualsLib page via a search engine result or ad redirect, as opposed to directly typing the ManualsLib URL into a browser.

The ManualsLib listing (Source- SOPHOS).

The campaign deployed a secondary payload called ManualFinderApp.exe, which established command-and-control communication with mka3e8[.]com and portal[.]manualfinder[.]app domains.

This backdoor component enabled remote code execution and continuous data exfiltration from compromised systems.

Threat actors obtained fraudulent code-signing certificates from Malaysian and US-registered entities including ECHO Infini SDN. BHD, GLINT by J SDN. BHD, and SUMMIT NEXUS Holdings LLC.

These certificates enabled the malicious installers to bypass Windows SmartScreen protections and appear legitimate to users. Although several certificates have been revoked, existing installations remain functional, and attackers may acquire new signing credentials to continue operations.

ManualFinderApp.exe version details (Source- SOPHOS).

Mitigations

Sophos deployed multiple protections against TamperedChef variants, including Mal/Isher-Gen, JS/Agent-BLMN, Troj/EvilAI-H, and OneStart.ai detection signatures.

Organizations should consider all browser-stored credentials compromised on affected systems and implement immediate password resets across enterprise accounts.

Security teams should monitor for suspicious scheduled tasks executing from user profile directories and registry modifications under CurrentVersion\Run keys as indicators of TamperedChef activity.
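As an added defender's check that is not part of the article or the Sophos report, the PowerShell below enumerates the two persistence locations named above (Run/RunOnce keys and scheduled-task actions) and lists entries whose command points into a user profile directory; the profile-path pattern is an assumption and may need tuning for a given estate.

```powershell
# Added hunting example (not Sophos code): flag autostart entries that execute from
# a user profile directory, the persistence pattern described for TamperedChef.
# Run from an elevated PowerShell session so HKEY_USERS hives and all tasks are readable.

# Assumed pattern for "lives under a user profile": C:\Users\<name>\..., %APPDATA%,
# %LOCALAPPDATA% or %USERPROFILE%. Adjust if your estate redirects profiles.
$userProfilePattern = '(?i)([A-Z]:\\Users\\[^\\]+\\|%(?:LOCAL)?APPDATA%|%USERPROFILE%)'

$findings = @()

# 1. Machine-wide Run/RunOnce keys plus the Run key of every loaded user hive.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match $userProfilePattern) {
            $findings += [pscustomobject]@{
                Type = 'RunKey'; Location = $key; Name = $p.Name; Command = $p.Value
            }
        }
    }
}

# 2. Scheduled tasks whose action (executable or its arguments) resolves into a profile.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ($cmd -match $userProfilePattern) {
            $findings += [pscustomobject]@{
                Type = 'ScheduledTask'; Location = $task.TaskPath; Name = $task.TaskName; Command = $cmd
            }
        }
    }
}

# Review the list manually: legitimate per-user updaters also live here, so treat hits as
# leads to triage (check the signer and the file hash) rather than as confirmed infections.
$findings | Sort-Object Type, Name | Format-Table -AutoSize
```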
