TamperedChef malware hidden in fake PDF editor targets European organisations

Avinash Shet, SOC Delivery Lead, Nomios Netherlands


A new malware campaign, TamperedChef, is targeting European organisations through a fake PDF editor called AppSuite PDF Editor. Distributed via spoofed websites and promoted through Google Ads campaigns, this credential-stealing malware poses a significant risk to enterprises across multiple sectors.

How TamperedChef works

Attackers set up multiple spoofed websites to distribute the fake PDF tool. Once installed, the malware lies dormant for around 56 days, mirroring the typical duration of Google Ads campaigns. This delay helps it evade detection during early security checks.

When activated, TamperedChef:

  • Creates persistence using Windows Registry entries and scheduled tasks.
  • Steals browser credentials, session cookies, and sensitive data by killing browser processes and exploiting DPAPI.
  • Conducts system reconnaissance to identify installed security solutions.
  • Acts as a backdoor to deliver future payloads.

Why this matters

Confirmed infections have already impacted enterprises in Europe. The malware’s long dormancy period allows attackers to establish control and move laterally without being noticed. Its advanced obfuscation techniques make detection by traditional antivirus tools extremely difficult.

Immediate actions to reduce risk

To reduce the risk of infection, take the following steps immediately:

  1. Block or monitor downloads of AppSuite PDF Editor and similar tools from unverified sources.
  2. Warn employees, especially those who often download external software, about the risk of fake PDF editors.
  3. Add detection for persistence indicators such as unusual registry entries or scheduled tasks referencing PDFEditorUpdater.
  4. Use behavioural detection tools (EDR, Sysmon) to flag:
    • Registry autorun entries.
    • Forced termination of browsers and DPAPI access attempts.
    • Suspicious outbound network connections.
  5. Enforce application whitelisting and strict installation policies for third-party tools.
  6. Report suspicious activity to your IT security team immediately.
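As an added example (not code from the original post or from Nomios), the script below applies steps 3 and 4 to a handful of Sysmon-style events: it flags autorun registry writes, scheduled-task creation and forced browser termination, and raises the severity when the indicator named in this post (PDFEditorUpdater / AppSuite) appears. Sysmon event IDs 1 (process create) and 13 (registry value set) are real; the sample events and every file path in them are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators named in the advisory: the fake editor and its updater task name.
CAMPAIGN_TERMS = re.compile(r"PDFEditorUpdater|AppSuite", re.IGNORECASE)
AUTORUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
BROWSERS = re.compile(r"\b(chrome|msedge|firefox|brave|opera)\.exe\b", re.IGNORECASE)

@dataclass
class Finding:
    rule: str
    severity: str
    event: dict

def classify(event: dict) -> Optional[Finding]:
    """Apply the three behavioural checks from the advisory to one Sysmon-style event."""
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    # Sysmon 13 (registry value set): a write under a Run/RunOnce key is autorun persistence.
    if eid == 13 and AUTORUN_KEY.search(event.get("TargetObject", "")):
        text = event.get("TargetObject", "") + " " + event.get("Details", "")
        sev = "high" if CAMPAIGN_TERMS.search(text) else "medium"
        return Finding("registry_autorun", sev, event)
    # Sysmon 1 (process create): scheduled-task creation and browser termination.
    if eid == 1:
        if image.endswith("schtasks.exe") and "/create" in cmd.lower():
            sev = "high" if CAMPAIGN_TERMS.search(cmd) else "medium"
            return Finding("scheduled_task_persistence", sev, event)
        if image.endswith("taskkill.exe") and BROWSERS.search(cmd):
            return Finding("browser_kill", "medium", event)
    return None

def hunt(events: List[dict]) -> List[Finding]:
    """Run classify() over a batch of events and keep only the hits."""
    return [f for f in (classify(e) for e in events) if f]

# Constructed sample events (not real telemetry); paths are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "PDFEditorUpdater" /tr "C:\Users\x\AppData\Roaming\EXAMPLE\updater.exe" /sc daily'},
    {"EventID": 13, "Image": r"C:\Users\x\AppData\Roaming\EXAMPLE\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\PDFEditorUpdater",
     "Details": r"C:\Users\x\AppData\Roaming\EXAMPLE\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM chrome.exe /IM msedge.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.event.get('CommandLine') or f.event.get('TargetObject')}")
```

The medium-severity rules fire on legitimate software too, so feed them into EDR correlation (for example, an autorun write followed by browser termination from the same process) rather than alerting on each in isolation.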

How Nomios can help

Nomios supports organisations in defending against advanced threats like TamperedChef with cybersecurity solutions and managed services. Our Managed Detection and Response (MDR) service gives you 24/7 monitoring, advanced threat detection, and rapid incident response. We also offer endpoint security, EDR deployment, and security awareness programmes to minimise the risk of malware infections.

If you want to strengthen your security posture against campaigns like TamperedChef, speak to our experts today.
