Analyzing “TamperedChef”: A Sophisticated Malvertising Campaign Leveraging Signed Productivity Tools
A widespread and highly organized malware campaign, identified by researchers as “TamperedChef,” is currently exploiting the trust users place in common productivity software. By trojanizing ubiquitous applications—such as PDF editors, calendar utilities, and file converters—threat actors are successfully deploying a secondary layer of information stealers and Remote Access Trojans (RATs) into target environments.
Recent threat intelligence has mapped this activity into several distinct clusters, specifically CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110. While these clusters exhibit significant overlap in infrastructure and tactical execution, forensic analysis suggests they are likely driven by independent threat actors rather than a unified entity.
The scale of the operation is substantial: since the beginning of 2024, security telemetry has captured over 4,000 unique malware samples spanning more than 100 distinct variants. These malicious sites are engineered to mimic legitimate service providers, featuring professional-grade web design, functional application interfaces, and even legitimate-looking legal disclaimers to deceive users.
Unlike standard Potentially Unwanted Programs (PUPs) or aggressive adware, TamperedChef applications are designed to be functional. They provide the utility the user expects, while covertly executing malicious subroutines in the background. To further evade modern Endpoint Detection and Response (EDR) systems, many of these binaries are digitally signed with legitimate code-signing certificates, lending them an air of authenticity that bypasses traditional reputation-based security filters.
According to a technical report from Unit42, the primary infection vector is malvertising. Malicious advertisements redirect unsuspecting users to highly convincing landing pages that host the compromised software.
Upon successful installation, the applications establish persistence via registry modifications or the creation of scheduled tasks. Once a foothold is secured, the malware begins gathering system metadata and establishing communication with Command-and-Control (C2) infrastructure.
Evasive Tactics: Delayed Execution and Modular Payloads
One of the most sophisticated characteristics of the TamperedChef campaign is its use of delayed execution. Rather than triggering malicious behavior immediately—which would likely be flagged by automated sandbox analysis—the software can remain dormant for weeks or even months. This “sleeper” approach allows the malware to bypass initial scrutiny and evade behavioral detection during the critical early stages of infection.
During the 2023–2024 period, several specific malicious applications were identified, including AppSuite PDF, Calendaromatic, JustAskJacky, and CrystalPDF.

Once the dormancy period expires, the malware initiates a second-stage payload retrieval process. These modular payloads typically consist of:
- Information Stealers: Designed to exfiltrate browser credentials, cookies, and active session data.
- Remote Access Trojans (RATs): Providing attackers with comprehensive, unauthorized control over the infected host.
- Proxy Tools: Utilized for traffic relaying, allowing attackers to mask their origins or monetize stolen bandwidth.
- Browser Hijackers: Modifying browser settings to serve ads or redirect search queries.
The operational depth of these groups is further evidenced by the reuse of code-signing entities. Researchers have identified over 81 unique code-signing entities associated with these campaigns. For instance, the Calendaromatic operators—specifically the PDFPrime and ManualzPDF campaigns—share highly similar codebases, suggesting a shared development pipeline.

The CL-UNK-1090 cluster represents a particularly advanced model of cybercrime, effectively integrating malware development with large-scale advertising infrastructure. This group appears to control both the code-signing entities and the ad distribution networks, facilitating a seamless, high-volume malvertising operation. A notable example includes the domain “onezipapp[.]com,” which was supported by thousands of advertisements tied to a single advertising entity.

Telemetry suggests that while the United States and Israel show higher infection rates, the campaign is globally distributed and opportunistic, lacking a specific industry target. Researchers estimate approximately 12,000 confirmed infection instances across monitored environments.
Defensive Posture and Detection Challenges
The convergence of legitimate-looking binaries, valid digital signatures, and staged, delayed execution makes TamperedChef a significant challenge for traditional signature-based defenses. While these apps often include End User License Agreements (EULAs) that technically “disclose” data collection to obfuscate their intent, their ability to execute remote commands and deploy unauthorized payloads places them firmly in the category of malware.
Recommended Mitigation Strategies:
- Persistence Monitoring: Implement rigorous auditing for unusual scheduled tasks and non-standard registry modifications.
- Certificate Scrutiny: Monitor for and inspect signed binaries originating from lesser-known or newly established digital publishers.
- Network Observability: Track outbound telemetry for connections to suspicious or unclassified Command-and-Control (C2) infrastructure.
- Application Control: Enforce strict policies regarding software installation from untrusted or unverified sources.
- Identity Management: In the event of a suspected compromise, prioritize immediate credential rotation and comprehensive log review.
Deploying robust EDR/XDR solutions and utilizing secure enterprise browsers can significantly reduce the attack surface against these evolving threats.
Indicators of Compromise (IoC) Summary
| Signer | Related Cluster |
|---|---|
| CANDY TECH LTD | CL-UNK-1090 |
| G.R.CIGAR. LTD | CL-UNK-1090 |
| TAU CENTAURI LTD | CL-UNK-1090 |
| AMARYLLIS SIGNAL LTD | CL-UNK-1090 |
| METROPOLITAN DESIGN LLC | CL-UNK-1090 |
| BLACK INDIGO LTD | CL-UNK-1090 |
| Red Root LTD | CL-UNK-1090 |
| A1A Marketing Ltd. | CL-UNK-1090 |
| GOLD HARMONY LTD | CL-UNK-1090 |
| BEGONIA LIFE LTD | CL-UNK-1090 |
| SAMBUSAK LLC | CL-UNK-1090 |
| ACTIVE INTELLECT AI LLC | CL-UNK-1090 |
| VAST LAKE LTD | CL-UNK-1090 |
| LONG SOUND LTD | CL-UNK-1090 |
| B.L.A ASPIRE LTD | CL-UNK-1090 |
| VANILLA FORCE LTD | CL-UNK-1090 |
| SELA LINES LTD | CL-UNK-1090 |
| WIND TRUST LTD | CL-UNK-1090 |
| BLUE TAKIN LTD | CL-UNK-1090 |
| ORCHID MARS LTD | CL-UNK-1090 |
| ENIGMATIC SAOLA LTD | CL-UNK-1090 |
| TROPICAL RIFF LTD | CL-UNK-1090 |
| BITTERN SKY LTD | CL-UNK-1090 |
| astro bright ltd | CL-UNK-1090 |
| my tech media ltd | CL-UNK-1090 |
| LIGHTNER TOK LTD | CL-UNK-1090 |
| TOGO NETWORKS LTD | CL-UNK-1090 |
| CHRONO ORION LTD | CL-UNK-1090 |
| LOGOS AQUA LTD | CL-UNK-1090 |
| Impresan Solutions OÜ | CL-UNK-1090 |
| Shopcut LLC | CL-UNK-1090 |
| Judy Wanjiru | CL-UNK-1090 |
| Keen Internet Technologies Ltd | CL-UNK-1090 |
| ROYAL STEP LTD | CL-UNK-1090 |
| Smart Contract LLC | CL-UNK-1090 |
| DORNOVI LTD | CL-UNK-1090 |
| Green Topaz Ltd | CL-UNK-1090 |
| SPARROW TIDE LTD | CL-UNK-1090 |
| mania tech ltd | CL-UNK-1090 |
| PASTEL CONCEPTION LTD | CL-UNK-1090 |
| Mainstay Crypto LLC | OneBrowser Signers |
| Crowd Sync LLC | OneBrowser Signers |
| WORK PRODUCT, INC. | OneBrowser Signers |
| Chickadee Digital | OneBrowser Signers |
| Riya Software | OneBrowser Signers |
| Eman Group, LLC | OneBrowser Signers |
| MATCH-TWO-USERS LLC | CL-CRI-1089 |
| TWEAKSCODE LLC | CL-CRI-1089 |
| AFFILIDADOS | CL-CRI-1089 |
| MARKET FUSION INNOVATIONS LLC | CL-CRI-1089 |
| BUZZ BOOST ADVERTISERS LLC | CL-CRI-1089 |
| ADSMARKETO LLC | CL-CRI-1089 |
| CROWN SKY LLC | CL-CRI-1089 |
| Summit Nexus Holdings LLC | CL-CRI-1089 |
| Europae-Solutio Ltd | CL-CRI-1089 |
| SP Development and Solution Limited | CL-CRI-1089 |
| Echo Infini SDN BHD | CL-CRI-1089 |
| COMMERCE GROUP TECHNOLOGY LTD | CL-CRI-1089 |
| ALGORYTHM TECH LTD | CL-CRI-1089 |
| Byte Media Sdn Bhd | CL-CRI-1089 |
| GLINT SOFTWARE SDN. BHD | CL-CRI-1089 |
| Global Tech Allies ltd | CL-CRI-1089 |
| SOFT SOLUTIONS HUB | CL-CRI-1089 |
| Monetize forward LLC | CL-CRI-1089 |
| ADVANTAGE WEB MARKETING LLC | CL-CRI-1089 |
| Incredimarket | CL-CRI-1089 |
| ILLUSION MEDIA SOLUTIONS | CL-CRI-1089 |
| Virtual Media App Ltd | CL-CRI-1089 |
| DEV SPOTS LLC | CL-CRI-1089 |
| Digit Consult | CL-CRI-1089 |
| Outsource Genius LLC | CL-CRI-1089 |
| OneStart Technologies LLC | CL-CRI-1089 |
| Apollo Technologies Inc | CL-CRI-1089 |
| Caerus Media LLC | CL-CRI-1089 |
| Digital Promotions Sdn. Bhd. | CL-CRI-1089 |
| Eclipse Media Inc. | CL-CRI-1089 |
| Astral Media Inc | CL-CRI-1089 |
| Incredible Media Inc | CL-CRI-1089 |
| STYLE SOLUTION LIMITED | CL-CRI-1089 |