Sophisticated Cyber Campaign Uses Fake PDF Editors to Deploy 'TamperedChef' Malware, Targeting European Firms

August 29, 2025
  • The campaign began around June 26, 2025, using Google Ads and malicious websites to promote fake PDF editors; the installed software only began executing its malicious functions from August 21, 2025.

  • The campaign distributed heavily obfuscated malware, including a trojanized application delivered as PDF Editor.exe. The operators let a roughly 60-day advertising cycle run its course to maximize installs before the software switched to malicious behaviour.

  • This malware, acting as a backdoor, communicates with command-and-control servers, maintains persistence through registry entries, and executes obfuscated scripts to deploy its payload.

  • Once activated, the malware, known as TamperedChef, terminates running browser processes (which would otherwise hold their profile databases locked), reads the browsers' local databases and decrypts their contents with the Windows Data Protection API (DPAPI), and exfiltrates the results, including credentials, cookies, and history.

  • TamperedChef also performs system reconnaissance, checking for security tooling so it can adjust its behaviour to evade detection.

  • The operators' tooling continues to evolve: newer samples such as elevate.exe, signed by ECHO Infini, attempt privilege escalation, indicating ongoing development toward obtaining higher system privileges.

  • Published indicators of compromise include the hosting domains apdft.net and mypdfonestart.com, the command-and-control servers, and SHA256 hashes of the known malware variants.

  • The campaign illustrates the industrialization of cybercrime: AI-generated code, fake business fronts, and paid advertising combine to deliver malware at scale, which argues for strict vetting of software sources and user awareness of malvertising.

  • Related activity dates back to at least August 2024, when the malicious code was bundled with benign-looking potentially unwanted programs (PUPs) such as OneStart and Epibrowser and presented as utility tools.

  • The samples carry code-signing certificates issued to dubious entities such as ECHO Infini SDN BHD and SUMMIT NEXUS Holdings LLC, names that recur on other suspicious or malicious software, alongside AI-generated code and content. A valid Authenticode signature from an unfamiliar publisher is not evidence of legitimacy; the signer name itself is a useful hunting indicator.

  • Since August 2024 the campaign has affected multiple European companies, BYTE Media among them; the malware has been bundled with files such as elevate.exe and with unwanted programs such as the OneStart browser.

  • The fake editor is marketed as 'AppSuite PDF Editor' and distributed via malvertising; once active it steals sensitive data and login credentials.

  • In operation, the installer downloads its core payloads from compromised servers, establishes persistence, and then activates its malicious commands, which began on August 21, 2025.
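The indicators above (two hosting domains, the file names PDF Editor.exe and elevate.exe, and the signer names) are enough to build a first-pass hunt. The script below is an added example written for this summary, not code from the original reporting or from any of the sources it summarizes. It matches those indicators against exported DNS log lines, Run-key persistence entries, and Authenticode signer records; the log line format, the registry and signer record shapes, the host names, paths and command-line flags are all constructed for illustration and are not real telemetry.

```python
"""Hunt for TamperedChef indicators in exported DNS and endpoint telemetry.
Added example; the sample data below is constructed, not real logs."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

IOC_DOMAINS = {"apdft.net", "mypdfonestart.com"}
IOC_FILENAMES = {"pdf editor.exe", "elevate.exe"}   # leads only: corroborate with hash/signer
IOC_SIGNERS = {"echo infini sdn bhd", "summit nexus holdings llc"}


@dataclass
class Finding:
    kind: str        # "dns", "persistence", or "signer"
    indicator: str   # which IOC matched
    where: str       # client host, registry value, or file path
    detail: str      # raw evidence


def domain_matches(host: str) -> Optional[str]:
    """Exact or subdomain match; a bare substring test would also flag notapdft.net."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def executable_name(command: str) -> str:
    """Basename of the program a Run-key command launches; handles quoted paths,
    and reads an unquoted path with spaces up to the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
        path = m.group(1) if m else (command.split()[0] if command else "")
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize_name(name: str) -> str:
    """Fold case and punctuation so 'ECHO INFINI SDN. BHD.' equals the IOC form."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def scan_dns(lines: Iterable[str]) -> List[Finding]:
    pat = re.compile(r"client=(\S+)\s+query=(\S+)")   # constructed log layout
    out = []
    for line in lines:
        m = pat.search(line)
        hit = domain_matches(m.group(2)) if m else None
        if hit:
            out.append(Finding("dns", hit, m.group(1), line.strip()))
    return out


def scan_run_keys(entries: Iterable[dict]) -> List[Finding]:
    out = []
    for e in entries:
        exe = executable_name(e["command"])
        if exe in IOC_FILENAMES:
            out.append(Finding("persistence", exe, f'{e["hive"]}\\...\\Run\\{e["name"]}', e["command"]))
    return out


def scan_signers(records: Iterable[dict]) -> List[Finding]:
    out = []
    for r in records:
        signer = normalize_name(r["signer"])
        if signer in IOC_SIGNERS:
            out.append(Finding("signer", signer, r["path"], r["signer"]))
    return out


def hunt(dns_text: str, run_entries, signer_records) -> List[Finding]:
    return scan_dns(dns_text.splitlines()) + scan_run_keys(run_entries) + scan_signers(signer_records)


# Constructed sample telemetry (hosts, paths and flags are invented).
SAMPLE_DNS = """\
2025-08-21T09:58:02Z client=10.0.4.17 query=www.mypdfonestart.com type=A
2025-08-21T09:58:40Z client=10.0.4.17 query=cdn.apdft.net. type=A
2025-08-21T10:01:13Z client=10.0.4.22 query=login.microsoftonline.com type=A
2025-08-21T10:02:55Z client=10.0.4.31 query=notapdft.net type=A
"""
SAMPLE_RUN = [
    {"hive": "HKCU", "name": "PDF Editor",
     "command": r'"C:\Users\alice\AppData\Local\Programs\PDF Editor\PDF Editor.exe" --background'},
    {"hive": "HKCU", "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"hive": "HKLM", "name": "Updater", "command": r"C:\ProgramData\PDF Editor\elevate.exe /silent"},
]
SAMPLE_SIGNERS = [
    {"path": r"C:\Users\alice\AppData\Local\Programs\PDF Editor\PDF Editor.exe", "signer": "ECHO INFINI SDN. BHD."},
    {"path": r"C:\Program Files\Mozilla Firefox\firefox.exe", "signer": "Mozilla Corporation"},
    {"path": r"C:\ProgramData\PDF Editor\elevate.exe", "signer": "Summit Nexus Holdings LLC"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_DNS, SAMPLE_RUN, SAMPLE_SIGNERS):
        print(f"[{f.kind}] {f.indicator} at {f.where}: {f.detail}")
```

Two design points matter in practice: domain matching uses exact-or-subdomain comparison rather than substring search, so a look-alike such as notapdft.net is not flagged, and signer names are normalized before comparison because certificate subject strings vary in punctuation and case. File-name hits are leads only; confirm them against the published SHA256 hashes and the signer before treating a host as compromised.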

Summary based on 3 sources
