A sophisticated malware campaign dubbed “TamperedChef” is exploiting trojanized productivity tools—disguised as seemingly benign applications—to bypass security controls, establish persistence, and siphon sensitive information from targeted systems.
On September 22, 2025, Field Effect researchers investigating a potentially unwanted application (PUA) flagged by Microsoft Defender uncovered two malicious applications—ImageLooker.exe and Calendaromatic.exe—delivered via self-extracting 7-Zip archives.
Both executables carried valid digital signatures from CROWN SKY LLC, a publisher previously tied to deceptive Calendaromatic samples.
Further analysis revealed that these artifacts align with the broader TamperedChef malware campaign, which weaponizes PUAs and code-signed binaries to slip past reputation-based defenses.
The initial infection vector relies on self-extracting 7-Zip archives masquerading as productivity utilities.
Both ImageLooker.exe and Calendaromatic.exe are built on NeutralinoJS, enabling arbitrary JavaScript execution within a lightweight desktop framework.
When launched, each binary automatically extracts its payload without user intervention—evading Windows’ Mark of the Web protections and reputation filters such as SmartScreen—likely exploiting CVE-2025-0411 to disable standard archive warnings.
Digital signatures from publishers including CROWN SKY LLC, APPSOLUTE, OneStart Technologies LLC, and a dozen others lend a veneer of legitimacy to the executables.
This broad set of suspicious signing entities suggests the campaign either leverages a malware-as-a-service provider or a code-signing marketplace for distribution.
Covert Execution and Persistence
Once executed, the malware variants contact command-and-control domains—movementxview[.]com for ImageLooker and calendaromatic[.]com for Calendaromatic—to retrieve additional payloads.
They establish persistence via scheduled tasks and registry modifications, leveraging command-line flags like --install, --enableupdate, and --fullupdate to ensure ongoing execution and stealthy updates.
Crucially, TamperedChef uses Unicode homoglyphs to encode hidden payloads within seemingly harmless API responses.
This technique bypasses string-based detection and signature matching by substituting visually identical characters in code, effectively cloaking malicious functionality within benign scripts.
After establishing foothold, both malware samples employ NeutralinoJS to interact with native system APIs, enabling covert file system access and process spawning.
Network traffic analysis revealed outbound connections to residential proxy services and adware-style infrastructures—suggesting reuse of browser hijacker components. The malware proceeds to:
- Harvest browser-stored credentials and session tokens.
- Exfiltrate document files and configuration data.
- Redirect browser traffic to malicious pages via altered settings.
This focus on credential theft and reconnaissance indicates a campaign geared toward long-term espionage or follow-on access.
TamperedChef distribution heavily relies on SEO poisoning and deceptive advertising. Keyword-stuffed landing pages mimic legitimate download sites for “free PDF editor,” “calendar app for Windows,” or “image viewer download,” complete with fake reviews and trust badges.
Sponsored search results and malvertising banners funnel victims to self-extracting archives that appear harmless—only to launch malicious payloads once downloaded.
Mitigations
Organizations and end users should remain vigilant when installing unfamiliar utilities from web searches. Recommended defenses include:
- Strict enforcement of code-signing certificate validation.
- Endpoint monitoring for newly created scheduled tasks or registry entries.
- Network detection of outbound connections to known malicious domains.
- Sandboxed analysis of PUAs and self-extracting archives.
Given the campaign’s evolving use of PUAs as delivery mechanisms, traditional reputation-based defenses may prove insufficient. Implementing behavior-based detection and robust application allow-listing can help block trojanized tools before they execute.
The TamperedChef campaign demonstrates how threat actors are weaponizing potentially unwanted applications, abusing digital code signing, and employing covert encoding techniques to evade detection.
By masquerading as productivity tools and leveraging self-extracting archives, these attackers exploit common user behaviors—clicking sponsored results and downloading free utilities—to gain access, harvest credentials, and exfiltrate sensitive data.
Heightened scrutiny of digitally signed binaries and deceptive packaging, combined with behavior-based monitoring, remains essential to counter this emerging threat.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
