Malicious PDF Editor Campaign Spreads TamperedChef Infostealer via Google Ads

Cybercriminals are distributing the TamperedChef information-stealing malware by promoting a fake PDF editing tool called AppSuite PDF Editor through Google Ads. Researchers from Truesec discovered that more than 50 domains hosted deceptive apps signed with certificates from at least four companies, suggesting a coordinated and large-scale operation. The attackers delayed activating the malware until August 21, when an update enabled the program to harvest credentials, cookies, and other sensitive data using Windows DPAPI.

The campaign began in late June, although traces of the malware appeared as early as May, with Google ad campaigns driving traffic to multiple distribution sites. Code-signing certificates issued to companies such as ECHO Infini SDN BHD and GLINT By J SDN. BHD were used to make the apps appear legitimate; those certificates have since been revoked. TamperedChef is launched with the “-fullupdate” argument and checks for installed security software before collecting browser data.

Further investigation revealed that the same operators also pushed other questionable programs such as OneStart and Epibrowser, often flagged as potentially unwanted software but capable of malware-like behavior. These apps not only installed infostealers but also attempted to enroll user devices into residential proxy networks, sometimes even asking permission to do so in exchange for free access. Security experts warn that this ecosystem of malicious and grayware apps is expanding, with some tools still inactive but potentially weaponized later. Both Truesec and Expel have released indicators of compromise to help defenders detect and mitigate these threats.
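The article names two concrete artifacts defenders can key on: the “-fullupdate” launch argument and the code-signing subjects used by the campaign. The following added example (not code from Truesec, Expel or the article) scores constructed process-creation records against those artifacts; the event field names and sample records are assumptions made for illustration, not real telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# Field names and values are assumptions for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\AppSuite\PDF Editor\pdfeditor.exe",
     "CommandLine": '"pdfeditor.exe" -fullupdate',
     "Signer": "ECHO Infini SDN BHD", "SignatureStatus": "Revoked"},
    {"Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "CommandLine": '"Acrobat.exe" report.pdf',
     "Signer": "Adobe Inc.", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\OneStart\OneStart.exe",
     "CommandLine": '"OneStart.exe"',
     "Signer": "GLINT By J SDN. BHD", "SignatureStatus": "Revoked"},
]

# Signing subjects the article reports were used by the campaign (since revoked).
SUSPICIOUS_SIGNERS = {"echo infini sdn bhd", "glint by j sdn. bhd"}
# Program names the article ties to the same operators.
SUSPICIOUS_PRODUCTS = ("appsuite", "onestart", "epibrowser")
# Launch argument the article says activates TamperedChef (standalone token only).
ACTIVATION_FLAG = re.compile(r"(^|\s)-fullupdate(\s|$)", re.IGNORECASE)


def assess_event(event):
    """Return the list of reasons an event resembles this campaign (empty if clean)."""
    reasons = []
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    signer = event.get("Signer", "").lower()
    if ACTIVATION_FLAG.search(cmdline) and "pdf" in image:
        reasons.append("pdf editor launched with -fullupdate")
    if signer in SUSPICIOUS_SIGNERS:
        reasons.append(f"binary signed by {event['Signer']}")
    if event.get("SignatureStatus", "").lower() == "revoked":
        reasons.append("signing certificate revoked")
    if any(product in image for product in SUSPICIOUS_PRODUCTS):
        reasons.append("image path matches a product tied to the operators")
    return reasons


def find_suspicious(events):
    """Map each flagged image path to its reasons; clean events are omitted."""
    hits = {}
    for event in events:
        reasons = assess_event(event)
        if reasons:
            hits[event["Image"]] = reasons
    return hits
```

Any single reason is only a lead; the signer and revocation checks carry the most weight, since a revoked certificate on a freshly installed "PDF editor" is rarely benign.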
