Dataprise Defense Digest: TamperedChef Malware Campaign

Executive Summary

TamperedChef is a malware campaign leveraging deceptive “Free PDF” editors to infect users’ systems. Distributed via malvertising and fraudulent download sites, victims are tricked into installing legitimate-looking tools which later become malicious after lying dormant for 30-60 days via a scheduled update.

These apps initially function as advertised, but activate an infostealer 1-2 months later, silently exfiltrating credentials, cookies, and browser data. The malware also establishes a remote backdoor, allowing further compromise.

Organizations across most industries are impacted due to the campaign’s broad distribution and stealthy tactics.

Details

TamperedChef uses two primary delivery methods:

• Malicious Freeware Utilities: Downloaded from malicious ads either while searching for free software or injected by malicious adware browsers. (Listed below)
• Malicious Browsers: Users often download malicious browsers while searching for privacy browsers or via malicious ads. These browsers then inject ads for TamperedChef variants.

The initial software appears safe, often signed with valid certificates. Activation is delayed for 30–60 days, enabling hibernation before payload deployment.

Payload behavior includes forced browser termination, credential harvesting, persistence via registry/tasks, and proxy botnet enrollment. TamperedChef variants often come bundled with additional PUAs.

Impact

• Credential Theft: Harvests saved browser credentials and cookies, enabling account hijacking even with MFA.
• Persistent Access: Attackers gain backdoor control for lateral movement, malware delivery, and system abuse.
• Proxy Abuse: Infected machines may be used as proxy nodes, hiding attacker activity behind your IP.
• Organizational Risk: One infected user can lead to broader compromise if devices are unmanaged or lack detection.

Indicators of Compromise

Node.exe executing JavaScript files from user-writable directories such as:

• %AppData%\Local\*
• %AppData%\Roaming\*

Parent processes commonly include:

• PDF Editor executables listed below
• Malicious Chromium-based browsers listed below

TamperedChef Variants – Including but not limited to:

PDF Editors:

AppSuite PDF Editor, PDF OneStart, PDF ProStart, StartPDF Pro, PDF-Kiosk, PDFKiosk Pro, KioskPDF, PDF ForgePro, ForgePDF, PDFMaximizer, MaxPDF, EZPDF, EZ-PDF Editor, FreePDF, PDFFixer, PDFEnhancer, PDFEnhance Pro, PDFQuickTools, PDFFastEditor, PDF Reader Pro 2025, PDFUtilitySuite, PDFUtilityPro, PDFProSuite, PDFEditPro, PDFOpenSuite, PDF PrintMaster, PDFToolsHub.

Manual Finders:

ManualFinder, All Manuals Reader, Manual Reader Pro, Total User Manual, Any Product Manual, JustAskJacky, Master Chess.

Adware Browsers:

OneStartBrowser, OSBrowser, OneLaunch, OneLaunch.ai, OneLaunchSearch, SearchOneLaunch, WaveBrowser,  ShiftBrowser,  ClearBrowser, EpiBrowser, NearBrowser, BrowseFox, Chromstera, WebNavigatorBrowser, Chromodo, SafeBrowse, SafeBrowser, WebDiscover, InfinityBrowser, UltraBrowser, SparkBrowser, SurfBrowser, BoostBrowser.

Prevention

Ensure users install and use only approved software. This malware campaign heavily relies on users independently seeking PDF editor tools outside of approved channels.

Implement web filtering technologies to block malicious advertisements and fake software download sites commonly used to distribute malicious installers.

Ensure users acquire manuals and vendor-specific documentation from the manufacturer or trusted sources. This campaign often advertises manual-finding software that appears legitimate and functional but is bundled with a TamperedChef variant.

Contributing Author: Nicholas Tenney | Cybersecurity Analyst III