A sophisticated new malvertising campaign dubbed TamperedChef has been serving up more than just productivity tools to unsuspecting users. In a recent investigation, Sophos X-Ops revealed how threat actors have infiltrated search results with a Trojanized application, “AppSuite PDF Editor,” to deploy infostealers across the globe.
The campaign, which security researchers believe is part of a wider operation known as EvilAI, was first detected in September 2025. The attackers leveraged a classic but highly effective distribution vector: Google Ads.
By promoting a seemingly useful tool called AppSuite PDF Editor, the threat actors targeted users actively searching for software solutions. The facade was convincing. According to the report, “This application appeared legitimate to users, but silently deployed an infostealer upon installation, targeting Windows devices.”
Sophos Managed Detection and Response (MDR) teams identified over 100 affected customer systems before intervention, tracing the campaign’s origins back to late June 2025.
While many cyber campaigns target specific regions, TamperedChef appears to be casting a wide net, with a particular appetite for European targets. The analysis shows a concentration of victims in Germany (15%), the United Kingdom (14%), and France (9%), though the infection has spread to at least 19 countries.
However, the researchers note that this distribution might be incidental rather than strategic:
“Although the data highlights a significant concentration in Germany and the UK, it likely reflects the campaign’s widespread global reach, rather than any deliberate targeting of specific regions.”
Interestingly, the victims spanned various industries, with a notable pattern among those relying on specialized technical equipment. It appears the attackers capitalized on users searching for product manuals, using the “Manual FinderApp” branding within the malware’s metadata to lure professionals looking for documentation.
One of the more alarming aspects of the TamperedChef campaign is its use of valid EV (Extended Validation) Code Signing certificates. By signing their malicious executables, the attackers were able to bypass Windows SmartScreen warnings, a critical line of defense for preventing users from running unrecognized software.
The report highlights this as a growing trend among financially motivated groups:
“This indicates the deliberate acquisition or compromise of code-signing certificates to bypass Windows SmartScreen and enhance user trust.”
The certificate in question, issued to a seemingly random entity, allowed the malware to install without raising the usual red flags that accompany unsigned code.
The primary payload of this campaign is an infostealer, designed to harvest sensitive data from infected machines. The consequences for victims are immediate and severe. If a user installed the compromised editor, the attackers likely gained access to everything stored in their web browsers—including passwords, session cookies, and autofill data.
Sophos X-Ops offers a stark warning for anyone who may have downloaded the software: “users who have installed AppSuite PDF Editor should consider any credentials stored in their browsers to be compromised.”
As malvertising continues to be a “fruitful and effective infection vector,” this campaign serves as a reminder that even legitimate-looking ads and signed applications can hide malicious intent. Security teams are advised to hunt for the presence of “AppSuite PDF Editor” and review browser-based alerts for suspicious downloads.
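For the hunt the article recommends, the following PowerShell script is an added example written for this page; it is not code from Sophos X-Ops or from the report. It looks for uninstall entries and executables whose names match the "AppSuite PDF Editor" and "Manual FinderApp" branding mentioned above, and for each executable it reports the Authenticode signer so an analyst can review the certificate subject and issue date rather than trusting a "Valid" status, since the campaign used validly signed binaries. The name patterns, install paths and the assumption that the application registers an uninstall key are assumptions for illustration, not indicators published in the report.

```powershell
# Added hunting example (not from the Sophos report). Assumptions:
# - the Trojanized application registers a normal Windows uninstall entry;
# - its files live under Program Files or LocalAppData;
# - the display-name patterns below are derived only from the names in the article.

$namePatterns = @('AppSuite*PDF*Editor*', 'Manual*Finder*')   # assumed lure names
$pathPatterns = @('*AppSuite*', '*ManualFinder*', '*Manual Finder*')

function Test-MatchesPattern {
    param([string]$Text, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Text -like $p) { return $true } }
    return $false
}

# 1. Installed-program inventory via the Uninstall registry keys (64-bit, 32-bit, per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installHits = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and (Test-MatchesPattern -Text $_.DisplayName -Patterns $namePatterns) }

foreach ($hit in $installHits) {
    [pscustomobject]@{
        Finding         = 'UninstallEntry'
        DisplayName     = $hit.DisplayName
        Publisher       = $hit.Publisher
        InstallDate     = $hit.InstallDate
        InstallLocation = $hit.InstallLocation
        UninstallString = $hit.UninstallString
    }
}

# 2. Executables in likely install roots, with their Authenticode signer.
#    A 'Valid' status is NOT proof of legitimacy here: the campaign bypassed
#    SmartScreen with validly signed binaries, so the subject, issuer and
#    NotBefore date of the signer are the fields worth reviewing.
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$exeHits = Get-ChildItem -Path $searchRoots -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { Test-MatchesPattern -Text $_.FullName -Patterns $pathPatterns }

foreach ($exe in $exeHits) {
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    [pscustomobject]@{
        Finding        = 'Executable'
        Path           = $exe.FullName
        SizeBytes      = $exe.Length
        LastWrite      = $exe.LastWriteTime
        SigStatus      = $sig.Status
        SignerSubject  = $sig.SignerCertificate.Subject
        SignerIssuer   = $sig.SignerCertificate.Issuer
        SignerNotBefore = $sig.SignerCertificate.NotBefore
        SignerThumb    = $sig.SignerCertificate.Thumbprint
    }
}

if (-not $installHits -and -not $exeHits) {
    Write-Output 'No matching uninstall entries or executables found on this host.'
}
```

Run it from an elevated prompt so the HKLM and Program Files locations are readable; pipe the output to `Export-Csv` when sweeping a fleet. If anything matches, treat the host as one where the article's guidance applies: browser-stored credentials and session cookies on it should be considered exposed and rotated.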