EULA dialog displayed by the MSI installer | Image: WithSecure
Researchers at WithSecure’s Strategic Threat Intelligence & Research Group (STINGR) have uncovered a malware campaign, dubbed “TamperedChef,” that combined malicious advertising with a fully functional decoy application to gain footholds in corporate networks across Europe. Masquerading as a legitimate PDF editor, the software behaved benignly for nearly two months before activating a payload that harvested browser-stored credentials from infected systems.
The campaign revolved around a fake software called AppSuite PDF Editor, which appeared entirely legitimate. Victims were lured by malvertising—sponsored search engine ads promoting a “free PDF editor.” Clicking on these ads redirected users to attacker-controlled download sites, where a malicious Microsoft Installer (MSI) package awaited.
According to WithSecure, “A typical infection flow began when a user searching for a free PDF editor encountered a malicious ad campaign. Clicking the ad redirected them to a download site controlled by the threat actors.” The installer even displayed a localized End-User License Agreement (EULA)—in some cases in French—enhancing its authenticity.
Once installed, the application established persistence by creating autorun registry entries so that it launched at every user logon. Crucially, installation required no administrator privileges; since nothing was elevated, the persistence had to live in the user’s own registry hive rather than HKLM, which is what made it effective in corporate environments where users lack local admin rights.
AppSuite PDF Editor was written in Node.js and packaged as an Electron app, so it shipped with its own Chromium engine. Its primary executable, PDF Editor.exe, presented a working document-editor interface while executing malicious JavaScript hidden in pdfeditor.js.
The STINGR report describes this JavaScript file as “heavily obfuscated” and responsible for both rendering the app’s UI and performing data exfiltration. The malware also shipped a custom native Node.js addon, Utilityaddon.node, which it used to manipulate registry keys and create scheduled tasks for persistence.
All network activity pointed back to attacker-owned domains, including vault[.]appsuites[.]ai and pdf-tool[.]appsuites[.]ai, where the malicious web content was hosted.
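The persistence and network behaviour described above suggest a straightforward host-side hunt. The script below is an added example, not part of the WithSecure report or this article: it checks the current user’s Run and RunOnce keys, scheduled task actions, files under the profile, Authenticode signer, and the DNS client cache for the names the article gives (PDF Editor.exe, pdfeditor.js, Utilityaddon.node, AppSuite, the “ECHO INFINI SDN. BHD.” signer, and the appsuites[.]ai and freeonlinetools[.]info domains). The assumption that persistence entries reference those strings, and that a per-user install lands under LOCALAPPDATA or APPDATA, is mine; adjust the patterns to match your own telemetry.

```powershell
# Added hunt script (not WithSecure's or the article's). Run in the context of the
# user whose profile you want to inspect; HKCU is per-user, so a fleet-wide hunt
# belongs in your EDR, not in an interactive shell.

# Indicators taken from the article. The string-match approach is an assumption.
$namePatterns   = 'PDF Editor\.exe', 'AppSuite', 'pdfeditor\.js', 'Utilityaddon\.node', 'S3-Forge'
$domainPatterns = 'appsuites\.ai', 'freeonlinetools\.info'
$signer         = 'ECHO INFINI SDN. BHD.'
$nameRegex      = $namePatterns -join '|'
$domainRegex    = $domainPatterns -join '|'

$findings = @()

# 1. Per-user autorun entries. The installer needed no admin rights, so any
#    persistence has to be in the user's hive, not HKLM.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata properties.
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $nameRegex) {
            $findings += [pscustomobject]@{ Type = 'Run key'; Where = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

# 2. Scheduled tasks whose action launches a matching binary
#    (Utilityaddon.node was used to create tasks). Requires Windows 8/2012+.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $nameRegex) {
            $findings += [pscustomobject]@{ Type = 'Scheduled task'; Where = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd }
        }
    }
}

# 3. On-disk artifacts under the profile, and the Authenticode signer on any
#    native binary found. Which directories an unprivileged Electron/MSI install
#    uses is an assumption; LOCALAPPDATA and APPDATA cover the common cases.
$roots = @($env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ -and (Test-Path $_) }
$files = Get-ChildItem -Path $roots -Recurse -File -ErrorAction SilentlyContinue |
         Where-Object { $_.Name -match $nameRegex }
foreach ($f in $files) {
    $detail = $f.FullName
    if ($f.Extension -in @('.exe', '.dll', '.node')) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -like "*$signer*") {
            $detail += " (signed by $signer)"
        }
    }
    $findings += [pscustomobject]@{ Type = 'File'; Where = $f.Directory.FullName; Detail = $detail }
}

# 4. Recent resolutions of the attacker domains still sitting in the DNS cache.
foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    if ($entry.Entry -match $domainRegex) {
        $findings += [pscustomobject]@{ Type = 'DNS cache'; Where = $entry.Entry; Detail = $entry.Data }
    }
}

if ($findings) {
    $findings | Sort-Object Type | Format-Table -AutoSize -Wrap
} else {
    'No TamperedChef indicators found for this user profile.'
}
```

Two caveats for anyone adapting this: the DNS cache only reflects lookups since the last flush, so an absent hit there proves nothing, and the “cleaned” 1.0.40 and 1.0.41 builds discussed below still resolve the attacker domains, so a file or Run-key match should be treated as a finding even if the JavaScript on disk no longer looks malicious.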
The malicious payload was activated on August 21, 2025, after nearly two months of stealthy operation. At that point, infected systems began sending browser credential data—such as saved usernames and passwords—to the attacker’s servers.
“When the malicious payload embedded in pdfeditor.js was activated on August 21, 2025, and began stealing browser credentials, the campaign’s true intent was exposed,” WithSecure noted.
Once discovered, the threat actors pivoted quickly. Within days, they released “clean” versions of the app (versions 1.0.40 and 1.0.41) with the malicious JavaScript removed and all code obfuscation lifted—an attempt to cover their tracks. However, these versions continued to connect to attacker-controlled infrastructure, keeping the infection chain alive.
WithSecure warned, “The app continued to connect to attacker-controlled infrastructure, so its use remains strongly discouraged.”
While analyzing the infrastructure, researchers found another decoy tool—AppSuite Print—that appeared to share the same framework and signing certificate as AppSuite PDF Editor.
It was signed by “ECHO INFINI SDN. BHD.” and contained similar malicious code structures, but there was no evidence of deployment among victims. According to the report, “It appears the attackers abandoned this variant, likely due to lower demand for a print utility.”
Following the exposure of TamperedChef, the attackers wasted no time developing a new decoy project. Within days, researchers identified a fresh app named S3-Forge, which bore clear code similarities to the compromised PDF Editor.
WithSecure explains, “S3-Forge builds directly on the PDF Editor concept but remains under active development.” The app’s interface mimicked the PDF Editor but connected to a new domain—freeonlinetools[.]info—and reused the same icon and configuration remnants from the original malware.
Interestingly, S3-Forge introduced a new executable, elevate.exe, an open-source utility that launches a program with administrator privileges. Although no active malicious payload has been found yet, STINGR suspects the threat actor is testing privilege escalation mechanisms for future weaponization. One caveat worth noting: utilities of this kind request elevation through the standard Windows runas mechanism rather than bypassing it, so a UAC prompt still appears, and a standard (non-admin) user would be asked for administrator credentials rather than a simple consent click.