Threat Advisory

TamperedChef Campaign Distributes Fake Signed Applications Globally

Threat: Malicious Campaign
Threat Actor Name: -
Threat Actor Type: -
Targeted Region: Global
Alias: -
Threat Actor Region: -
Targeted Sector: Critical Infrastructure, Healthcare
Criticality: High

EXECUTIVE SUMMARY

The TamperedChef campaign is a widespread malvertising and SEO-driven operation that distributes fake installers disguised as common everyday applications. These deceptive tools imitate browsers, PDF readers, manual viewers and other utilities, tricking users into believing they are downloading legitimate software. The operators strengthen credibility by abusing digital certificates, rotating shell companies and hosting applications on realistic websites designed to appear trustworthy. Victims across multiple regions encounter these installers through search results and ads optimized for common tool-related queries. Sectors that frequently search for technical manuals, such as healthcare, construction and manufacturing, are affected more often because their workforce depends heavily on specialized equipment and online documentation.

The campaign follows a consistent kill chain centered around fake signed installers that drop an XML file responsible for creating a scheduled task. This task ensures persistence and repeatedly executes an obfuscated JavaScript backdoor with randomized delays. The JavaScript payload is heavily obfuscated using public tools that alter control flow, rename functions, and inject dead code, making traditional analysis difficult. Once active, the script collects device information, interacts with registry values, and communicates with remote servers through encrypted JSON objects. It also supports remote code execution, enabling complete control of the compromised system. Pivoting from observed domains reveals numerous related samples signed by newly created shell companies, confirming an evolving infrastructure designed for long-term continuity and rapid replacement of compromised components.
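The persistence step above leaves a concrete artifact a defender can audit: the scheduled task definition itself. The following is an added example (not code from the advisory or from either referenced report) that parses Windows Task Scheduler XML and flags tasks whose action launches a script host with a .js file from a user-writable path, or whose trigger repeats with a random delay. The script-host list, path list and both sample task definitions are constructed assumptions for illustration, not indicators taken from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Windows Task Scheduler task-definition XML.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristics (assumptions, not indicators from the advisory): script hosts
# that run JavaScript, and directories a user-level installer can write to.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def audit_task_xml(xml_text: str) -> list[str]:
    """Return the reasons a task definition resembles a script-backdoor launcher."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exec_node.findtext("t:Command", "", NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", "", NS) or "").strip()
        line = f"{cmd} {args}".lower()
        if cmd.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            findings.append(f"script host launched: {cmd}")
        if re.search(r"\.jse?\b", line):
            findings.append("JavaScript file passed to the action")
        if any(p in line for p in USER_WRITABLE):
            findings.append("action runs from a user-writable path")
    # A repeating trigger combined with a random delay matches a beaconing pattern.
    if root.find(".//t:Repetition", NS) is not None:
        findings.append("trigger repeats on an interval")
    if root.find(".//t:RandomDelay", NS) is not None:
        findings.append("trigger uses RandomDelay")
    return findings


# Constructed sample: a task shaped like the one the advisory describes.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled>
    <Repetition><Interval>PT30M</Interval></Repetition>
    <RandomDelay>PT10M</RandomDelay></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>//B //E:jscript "C:\Users\alice\AppData\Local\ExampleViewer\update.js"</Arguments>
  </Exec></Actions></Task>"""

# Constructed sample: an ordinary vendor updater task that should not be flagged.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
    <Arguments>/quiet</Arguments>
  </Exec></Actions></Task>"""
```

On a live host the same function can be fed the task files exported from the Task Scheduler library, one definition per call.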

In conclusion, the campaign's goals appear to blend financial gain, long-term access and opportunistic intelligence collection. The backdoor provides a persistent entry point that can be monetized, used for credential theft, or prepared for future ransomware deployment. The operators demonstrate adaptability by shifting from long-term certificates to short-lived ones and moving from algorithm-generated domains to more polished naming schemes. These changes suggest a flexible campaign that evolves to evade security controls while maintaining reliability. Although broad in distribution, the threat can still reach high-value environments, creating opportunities for deeper exploitation. TamperedChef ultimately shows how trusted-looking software, certificate abuse and layered obfuscation can be combined to create a stealthy and resilient threat ecosystem capable of sustained access and multi-purpose malicious activity.

THREAT PROFILE:

Tactic             Technique ID   Technique                            Sub-technique
Initial Access     T1189          Drive-by Compromise                  -
Execution          T1204.002      User Execution                       Malicious File
Execution          T1059.007      Command and Scripting Interpreter    JavaScript
Persistence        T1053.005      Scheduled Task/Job                   Scheduled Task
Defense Evasion    T1036.001      Masquerading                         Invalid Code Signature
Defense Evasion    T1027          Obfuscated Files or Information      -
Discovery          T1012          Query Registry                       -
Command & Control  T1071.001      Application Layer Protocol           Web Protocols
Command & Control  T1132.001      Data Encoding                        Standard Encoding

REFERENCES:

The following reports contain further technical details:
https://thehackernews.com/2025/11/tamperedchef-malware-spreads-via-fake.html
https://www.acronis.com/en/tru/posts/cooking-up-trouble-how-tamperedchef-uses-signed-apps-to-deliver-stealthy-payloads/
