TamperedChef Hacking Campaign Leverages Common Apps to Deliver Payloads and Gain Remote Access

A new global hacking campaign tracked as TamperedChef has emerged, exploiting everyday software names to trick users into installing malicious applications that deliver remote access tools.

The campaign uses fake installers disguised as common programs like manual readers, PDF editors, and games, all equipped with valid code-signing certificates to appear legitimate.

These applications are distributed through malvertising and search engine optimization techniques, making them easily discoverable by unsuspecting users searching for everyday tools or product manuals online.

The attackers behind TamperedChef have built an industrial-scale operation using a network of U.S.-registered shell companies to acquire Extended Validation certificates.

These disposable fronts allow the threat actors to sign their fake applications with trusted certificates, which helps them bypass security defenses and gain user trust.

Once a certificate is flagged or revoked, operators quickly register new shell companies under generic names like “Digital Marketing” to maintain continuous operations and keep their malicious software appearing legitimate.

Acronis security researchers identified the campaign in June 2025, though evidence suggests earlier activity. The operation primarily affects victims in the Americas, with roughly 80 percent concentrated in the United States, though the global infrastructure indicates a broad reach rather than targeted regional focus.

Healthcare, construction, and manufacturing sectors show the highest concentration of infections, likely because users in these industries frequently search online for specialized equipment manuals, one of the behaviors TamperedChef exploits.

Bing search results leading to a TamperedChef-controlled download site (Source - Acronis)

The malware’s attack chain begins when users download fake applications from malicious websites that appear in search results or advertisements.

After installation, these applications drop an XML configuration file used to create a scheduled task for persistence. This task executes a heavily obfuscated JavaScript payload that functions as a backdoor, establishing communication with command-and-control servers over HTTPS.

The JavaScript payload encrypts data using XOR encryption with a random 16-byte key before encoding it with base64 for transmission.

Infection Chain and Persistence Mechanism

The TamperedChef infection process follows a multi-stage execution chain designed to evade detection while maintaining persistent access.

When users execute the downloaded installer, they encounter a standard license agreement window that mimics legitimate software installation.

During installation, the malware places a file named “task.xml” either in the installer’s temporary directory or in the program installation directory at %APPDATA%\Programs\[Fake Application Name].

Execution chain (Source - Acronis)

This XML file serves as the configuration for creating a scheduled task using the command: schtasks /Create /tn "Scheduled Daily Task" /xml "%APPDATA%\Local\Programs\AnyProductManual\task.xml".

The task executes immediately after creation and repeats every 24 hours with a random delay of up to 30 minutes.

This configuration allows extended runtimes, blocks multiple simultaneous instances, and automatically runs any missed schedules, ensuring the JavaScript payload executes consistently without raising suspicion.
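The scheduled-task traits described above (immediate run, daily repeat with a random delay, no concurrent instances, catch-up of missed runs, a script host launching a .js file from the user profile) map to specific elements of the standard Task Scheduler XML schema. The triage function below, an added example that is not from Acronis or the article, parses a task definition and reports which of those traits it carries; the embedded task XML is a constructed sample, not the campaign's real task.xml.

```python
import xml.etree.ElementTree as ET

# Namespace of the standard Task Scheduler XML schema.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample mirroring the behaviour described in the article;
# the application name and file names are placeholders.
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <RegistrationTrigger><Enabled>true</Enabled></RegistrationTrigger>
    <CalendarTrigger>
      <RandomDelay>PT30M</RandomDelay>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions>
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "%APPDATA%\\Local\\Programs\\ExampleApp\\payload.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""


def triage_task_xml(xml_text):
    """Return a list of persistence-related traits found in a task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("t:Triggers/t:RegistrationTrigger", NS) is not None:
        findings.append("runs immediately on registration")
    if root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None:
        findings.append("daily schedule")
    if root.find(".//t:RandomDelay", NS) is not None:
        findings.append("randomised start delay")
    if root.findtext("t:Settings/t:MultipleInstancesPolicy", namespaces=NS) == "IgnoreNew":
        findings.append("blocks concurrent instances")
    if root.findtext("t:Settings/t:StartWhenAvailable", namespaces=NS) == "true":
        findings.append("catches up missed runs")
    if root.findtext("t:Settings/t:ExecutionTimeLimit", namespaces=NS) == "PT0S":
        findings.append("no execution time limit")  # PT0S disables the limit
    cmd = (root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)).lower()
    args = (root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)).lower()
    if cmd.endswith(("wscript.exe", "cscript.exe")) and ".js" in args:
        findings.append("script host launching a JavaScript file")
    if "%appdata%" in args or "\\appdata\\" in args:
        findings.append("payload stored under the user profile (AppData)")
    return findings
```

Feed it the output of `schtasks /Query /XML` for each task on a host to surface definitions that combine several of these traits.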

The JavaScript payload itself is heavily obfuscated using tools from obfuscator.io, applying multiple techniques including string and function renaming, control flow flattening, and dead code injection.

Once executed, the malware establishes communication with hard-coded command-and-control servers that evolved from random domain-generated strings to more recognizable domain names to blend with normal network traffic.

The payload generates a machine ID to fingerprint devices and performs registry operations for system reconnaissance.

The malware sends encrypted JSON objects containing event names, session IDs, machine IDs, and metadata to the C2 server. It also possesses remote code execution capabilities, allowing attackers to run commands on compromised systems.

The campaign’s infrastructure relies on NameCheap for domain registration with one-year registration periods and domain privacy protection to hide ownership, enabling quick infrastructure rebuilding following takedowns.

Recent discoveries show the operation continues expanding with new shell company signers including Stratus Core Digital LLC, DataX Engine LLC, and Nova Sphere Systems LLC, all following identical attack patterns.
