TamperedChef information stealer emerges in malvertising campaign promoting AppSuite PDF Editor

Cybersecurity researchers have uncovered a cybercrime campaign that uses malvertising to direct victims to fraudulent sites and drop a new information stealer dubbed TamperedChef. The findings were reported by Truesec researchers Mattias Wåhlén, Nicklas Keijser and Oscar Lejerbäck Wolf on the organization’s blog.

According to the researchers, the objective is to lure victims into downloading and installing a trojanized PDF editor that quietly carries TamperedChef in the background. The campaign relies on counterfeit sites promoting an installer for a free PDF editor called AppSuite PDF Editor, which, once launched, prompts the user to accept terms of service and a privacy policy while the malicious components operate covertly behind the scenes.

In the background, the setup program makes covert requests to an external server to drop the PDF editor program, and it establishes persistence on the host by creating Windows Registry entries that ensure automatic startup after reboot. The registry entry launches the binary with a --cm argument that passes instructions to it. The referenced analysis notes that the attacker appears to leverage this parameter to activate malicious features after an initial delay.

German cybersecurity firm G DATA also analyzed the activity and found that multiple fake sites offering PDF editors download the same setup installer, which then retrieves the actual PDF editor from a remote server after the user accepts the license agreement. G DATA researchers Karsten Hahn and Louis Sorita describe the process as a classic trojan horse with a backdoor, currently downloaded at scale.

The campaign is traced to a timeline beginning on June 26, 2025, when counterfeit sites appeared or began advertising the PDF editing software across several Google campaigns. Researchers note that the ad campaign lasted roughly 56 days before malicious features were activated on August 21, 2025, at which point machines that connected back to the server received instructions to enable TamperedChef’s capabilities.

Expel, in a separate analysis, highlighted a broad ad campaign promoting PDF editors such as AppSuite, PDF OneStart, and PDF Editor, with ads directing users to sites that host trojanized software or turn hosts into residential proxies. Taken together, these analyses underscore the risk posed by trojanized PDF editors and the role of ad networks in distributing malicious payloads. Expel's blog describes the broader phenomenon of backdoored applications in the PDF editing space.

Authorities and researchers point to the backdoor features embedded within the compromised AppSuite PDF Editor as the engine of TamperedChef. The backdoor's command-line switches include:

  • --install, to create scheduled tasks named PDFEditorScheduledTask and PDFEditorUScheduledTask that run the application with --cm=--partialupdate and --cm=--backupupdate arguments, respectively, to trigger the --check and --ping routines
  • --cleanup, which is called by the uninstaller to remove the backdoor files, unregister the machine from the server, and delete the two scheduled tasks
  • --ping, to initiate communications with a command-and-control (C2) server for actions to execute on the system, including additional malware downloads, data exfiltration, and Registry changes
  • --check, to contact the C2 server for configuration, read browser keys, alter browser settings, and execute arbitrary commands to query, exfiltrate, and manipulate data associated with Chromium, OneLaunch, and Wave browsers, including credentials, browser history, cookies, or setting custom search engines
  • --reboot, which extends --check with the ability to terminate specific processes
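As an added defender-side example (not code from Truesec, G DATA or Expel), the PowerShell audit below looks for the two persistence artifacts the article describes: Registry Run entries whose command line carries a --cm argument, and scheduled tasks named PDFEditorScheduledTask or PDFEditorUScheduledTask, or any task whose action passes --cm=--partialupdate / --cm=--backupupdate. The task names and argument strings come from the article; the Run-key paths checked and the output format are my assumptions, and reading HKLM entries assumes an elevated session.

```powershell
# Added example: hunt for the Run-key and scheduled-task persistence described in the article.
# Task names and --cm argument values are taken from the article; everything else is an assumption.
$taskNames  = @('PDFEditorScheduledTask', 'PDFEditorUScheduledTask')
$argPattern = '--cm(=|\s|$)'   # matches "--cm=--partialupdate", "--cm=--backupupdate", "--cm --ping", ...

# Assumed locations for autostart entries; Wow6432Node covers 32-bit installers on 64-bit Windows.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# 1. Run keys: every value is a command line; flag any that passes a --cm argument.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSChildName, ...)
        if ($p.Value -is [string] -and $p.Value -match $argPattern) {
            $findings += [pscustomobject]@{ Source = "RunKey:$key"; Name = $p.Name; CommandLine = $p.Value }
        }
    }
}

# 2. Scheduled tasks: match on the two names from the article, or on any action whose arguments carry --cm.
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $cmds = @($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })
    $byName = $taskNames -contains $t.TaskName
    $byArgs = ($cmds | Where-Object { $_ -match $argPattern }) -ne $null
    if ($byName -or $byArgs) {
        $findings += [pscustomobject]@{ Source = "Task:$($t.TaskPath)"; Name = $t.TaskName; CommandLine = ($cmds -join '; ') }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No --cm Run-key entries or PDFEditor scheduled tasks found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit is a lead, not a verdict: confirm the referenced binary (path, signer, hash) before acting on it, since a legitimate updater could in principle use a similarly named switch.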

The convergence of malvertising, counterfeit PDF editors, and a robust backdoor underscores a growing trend in information-stealer campaigns that leverage legitimate-looking software installers as delivery vehicles. Security researchers urge users to verify software sources, scrutinize license and privacy prompts, and monitor for unusual startup entries or scheduled tasks that might indicate persistence mechanisms.