The TamperedChef campaign represents a sophisticated 2025 malware operation that distributes signed fake PDF tools through SEO-driven malvertising to gain user trust. This high-severity multi-stage infostealer operation targets Windows platforms worldwide, with a unique 56-day dormancy period that allowed malicious applications to function normally before mass activation on August 21, 2025. The TamperedChef malware campaign deployed an obfuscated backdoor designed for credential theft, data exfiltration, and remote access capabilities.
TamperedChef malware operators used shell companies to obtain Extended Validation (EV) certificates and employed rapidly rotating infrastructure to evade detection. The TamperedChef campaign heavily impacted U.S. victims, representing approximately 80% of infections, with significant targeting of healthcare, construction, and manufacturing sectors. The TamperedChef threat demonstrates financially motivated objectives including initial access brokerage, credential theft, and potential ransomware staging capabilities.
The TamperedChef malware operation targeted regions worldwide with primary concentration in the United States. Affected industries include healthcare organizations, construction companies, manufacturing facilities, industrial operations, hospitality businesses, legal firms, non-profit organizations, technology companies, retail establishments, transportation services, agriculture operations, automotive businesses, educational institutions, energy providers, and government agencies. The TamperedChef campaign specifically exploited users searching for product manuals and PDF editing utilities through poisoned search results and malicious SEO-optimized advertisements.
The TamperedChef campaign began in late June 2025, utilizing highly convincing malvertising techniques with fake, signed installers masquerading as legitimate productivity tools such as PDF editors. TamperedChef malware distribution relied on poisoned search results and malicious SEO-optimized advertisements targeting users searching for product manuals or PDF editing utilities. The TamperedChef installers were signed with legitimate Extended Validation certificates obtained through U.S. shell companies including Stratus Core Digital LLC and DataX Engine LLC, as well as Malaysian entities, lending credibility to the malicious applications.
A defining characteristic of the TamperedChef malware is its deliberate 56-day dormancy period. During this TamperedChef dormancy phase, the fake PDF applications provided genuine PDF-editing functionality while covertly establishing persistence mechanisms. This TamperedChef delay strategy, aligned with common Google Ads campaign cycles, enabled the malware to evade sandbox analysis and achieve broad distribution before mass activation. The TamperedChef payload was triggered using the "--fullupdate" command on August 21, 2025, initiating the malicious activities across infected systems simultaneously.
Upon TamperedChef activation, the malware drops task.xml to create a scheduled task that executes a heavily obfuscated JavaScript backdoor. The TamperedChef backdoor runs silently in the background, forcibly terminates browser processes, and abuses Windows Data Protection API (DPAPI) to decrypt stored passwords, cookies, and authentication tokens. The TamperedChef malware gathers comprehensive machine metadata including system information, installed software, and security configurations. Stolen data is transmitted to attacker-controlled Command and Control (C2) servers using XOR encryption with random keys to obfuscate exfiltration activities.
The TamperedChef backdoor supports remote code execution capabilities, enabling persistent access to compromised systems. TamperedChef operators can execute arbitrary commands, deploy additional payloads, and maintain long-term access for credential theft, data exfiltration, and potential ransomware deployment. The TamperedChef persistence mechanisms include registry key modifications at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFEditorUpdater, scheduled tasks named “PDFEditorScheduledTask,” and file placement in %LOCALAPPDATA%\Programs\PDFEditor\ directories.
TamperedChef operators demonstrate strong industrialization capabilities, utilizing U.S. shell companies and Malaysian entities to obtain legitimate Sectigo Extended Validation certificates, which they rapidly rotate after revocation. The TamperedChef infrastructure employs short-lived NameCheap-registered domains and evolving Command and Control naming conventions, transitioning from Domain Generation Algorithm (DGA)-style strings to human-readable names. While the TamperedChef campaign remains unattributed to specific threat actors, motivations appear financially driven, focusing on initial access brokerage, credential theft, and ransomware staging, with possible opportunistic espionage capabilities.
Organizations should immediately search for TamperedChef persistence indicators including the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFEditorUpdater, scheduled tasks named “PDFEditorScheduledTask,” and file presence in %LOCALAPPDATA%\Programs\PDFEditor\ directories. These indicators directly align with known TamperedChef Indicators of Compromise (IOC) patterns. For confirmed TamperedChef infections, security teams should implement immediate credential resets across affected user accounts and perform full system reimaging due to the malware’s deep persistence and advanced evasion capabilities. TamperedChef remediation requires comprehensive forensic analysis to identify lateral movement and data exfiltration scope.
Implement Endpoint Detection and Response (EDR) solutions tuned specifically for TamperedChef behavioral patterns including browser process termination by non-browser applications, creation of scheduled tasks using XML files, and suspicious JavaScript execution from AppData folders. These detection capabilities address the TamperedChef campaign’s obfuscation techniques and modular tactics effectively. Deploy Microsoft Sysmon with custom detection rules aligned with TamperedChef Tactics, Techniques, and Procedures (TTPs) following documented incident response practices. EDR behavioral monitoring should flag TamperedChef indicators including Windows DPAPI abuse for credential access and XOR-encrypted C2 communications.
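To make the hunting indicators above (Run key, task name, drop directory) and the behavioural patterns in this section testable, the following added example (not code from the page or from any cited vendor) scores constructed Sysmon-style events against them. The event field names, the SID, the user path and the sample command lines are constructed assumptions, and a taskkill invocation is used as one observable proxy for browser termination by a non-browser process.

```python
import re
from typing import Dict, List

# Rule constants taken from the indicators on this page (lower-cased for matching).
# Sysmon logs HKCU paths as HKU\<SID>\..., so the Run-key rule matches on the key suffix.
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")
RUN_VALUE_SUFFIX = r"\software\microsoft\windows\currentversion\run\pdfeditorupdater"
TASK_NAME = "pdfeditorscheduledtask"
DROP_DIR = "\\programs\\pdfeditor\\"          # under %LOCALAPPDATA%
JS_FROM_APPDATA = re.compile(r'\\appdata\\[^"\s]*\.js(?:"|\s|$)')

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Dict) -> List[str]:
    """Return the names of every TamperedChef rule this one event matches."""
    hits: List[str] = []
    if ev.get("event_id") == 13:                  # Sysmon ID 13: registry value set
        if ev.get("target_object", "").lower().endswith(RUN_VALUE_SUFFIX):
            hits.append("persistence_run_key")
        return hits
    if ev.get("event_id") != 1:                   # Sysmon ID 1: process creation
        return hits
    image, parent = ev.get("image", ""), ev.get("parent_image", "")
    img, cmd = _basename(image), ev.get("command_line", "").lower()
    if DROP_DIR in image.lower() or DROP_DIR in parent.lower():
        hits.append("persistence_drop_dir")       # %LOCALAPPDATA%\Programs\PDFEditor\
    if img == "schtasks.exe" and "/create" in cmd and "/xml" in cmd:
        hits.append("scheduled_task_from_xml")    # task.xml imported as a scheduled task
    if TASK_NAME in cmd:
        hits.append("persistence_task_name")      # PDFEditorScheduledTask
    if img == "taskkill.exe" and _basename(parent) not in BROWSERS and any(b in cmd for b in BROWSERS):
        hits.append("browser_kill_by_nonbrowser")
    if img in ("wscript.exe", "cscript.exe") and JS_FROM_APPDATA.search(cmd):
        hits.append("js_from_appdata")            # JavaScript launched from AppData
    return hits

def scan(events: List[Dict]) -> List[List[str]]:
    """Classify every event; index i of the result holds the rule hits for events[i]."""
    return [classify(ev) for ev in events]

# Constructed sample: one benign browser launch, then four events shaped like the page's TTPs.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe"},
    {"event_id": 13, "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFEditorUpdater",
     "details": r"C:\Users\alice\AppData\Local\Programs\PDFEditor\PDFEditor.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Programs\PDFEditor\PDFEditor.exe",
     "command_line": r'schtasks.exe /Create /XML "C:\Users\alice\AppData\Local\Temp\task.xml" /TN PDFEditorScheduledTask'},
    {"event_id": 1, "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe", "command_line": "taskkill /F /IM chrome.exe /IM msedge.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r'wscript.exe //B "C:\Users\alice\AppData\Local\Programs\PDFEditor\updater.js"'},
]
```

Feeding real Sysmon exports into `scan` only requires mapping the Image, ParentImage, CommandLine and TargetObject fields onto the dictionary keys used here.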
Security teams should block known TamperedChef Command and Control domains including api.mxpanel.com and associated infrastructure at network perimeter layers. Implement DNS security solutions and integrate TamperedChef Indicators of Compromise feeds into Security Information and Event Management (SIEM) systems for automated containment. Monitor HTTPS outbound connections from productivity applications to suspicious domains associated with TamperedChef operations. Network security controls should enforce strict egress filtering to prevent TamperedChef data exfiltration and C2 communications through non-standard ports and protocols.
Enforce strict software installation policies allowing only vetted PDF editors and productivity suites through approved corporate channels to prevent TamperedChef malware installation. Block unauthorized software downloads and implement application whitelisting to reduce user exposure to TamperedChef malicious installers. This foundational security control directly prevents the initial infection vectors used by TamperedChef campaigns. Organizations should maintain an approved software catalog and enforce digital signature verification for all executables, specifically validating Extended Validation certificates against revocation lists to detect TamperedChef signed malware.
Conduct comprehensive user awareness training addressing TamperedChef social engineering tactics, emphasizing the dangers of downloading free or unknown software alternatives from search engine results. Train employees to recognize TamperedChef malvertising techniques on search engines and understand the risks of clicking sponsored results or advertisements for productivity tools. Emphasize mandatory IT approval processes for all software installations as an industry best practice to prevent TamperedChef infections. Security awareness programs should include specific examples of TamperedChef fake PDF editor distribution and the importance of obtaining software exclusively from official vendor websites or authorized enterprise software repositories.
The following SHA256 file hashes are associated with TamperedChef malware samples. Security teams should integrate these TamperedChef IOCs into endpoint protection platforms, SIEM solutions, and threat intelligence feeds for detection and blocking:
Note: Additional TamperedChef SHA256 hashes are available in the complete Indicators of Compromise dataset. The PDF document indicates that remaining IOCs can be accessed on the threat intelligence platform. Organizations should request the complete TamperedChef IOC feed for comprehensive protection.
The TamperedChef malware campaign employs numerous techniques mapped to the MITRE ATT&CK framework. Security teams should configure detection rules and behavioral analytics aligned with these TamperedChef TTPs:
| Tactic ID | Tactic Name | Technique ID | Technique Name |
|---|---|---|---|
| TA0001 | Initial Access | T1189 | Drive-by Compromise |
| TA0001 | Initial Access | T1608 | Stage Capabilities |
| TA0001 | Initial Access | T1608.006 | SEO Poisoning |
| TA0002 | Execution | T1204 | User Execution |
| TA0002 | Execution | T1204.002 | Malicious File |
| TA0002 | Execution | T1059 | Command and Scripting Interpreter |
| TA0002 | Execution | T1059.003 | Windows Command Shell |
| TA0002 | Execution | T1059.007 | JavaScript |
| TA0002 | Execution | T1053 | Scheduled Task/Job |
| TA0002 | Execution | T1053.005 | Scheduled Task |
| TA0003 | Persistence | T1547 | Boot or Logon Autostart Execution |
| TA0003 | Persistence | T1547.001 | Registry Run Keys / Startup Folder |
| TA0004 | Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
| TA0005 | Defense Evasion | T1027 | Obfuscated Files or Information |
| TA0005 | Defense Evasion | T1036 | Masquerading |
| TA0005 | Defense Evasion | T1070 | Indicator Removal |
| TA0005 | Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| TA0005 | Defense Evasion | T1497.003 | Time Based Evasion |
| TA0005 | Defense Evasion | T1553 | Subvert Trust Controls |
| TA0005 | Defense Evasion | T1553.002 | Code Signing |
| TA0006 | Credential Access | T1555.003 | Credentials from Web Browsers |
| TA0006 | Credential Access | T1539 | Steal Web Session Cookie |
| TA0006 | Credential Access | T1552 | Unsecured Credentials |
| TA0007 | Discovery | T1082 | System Information Discovery |
| TA0007 | Discovery | T1518 | Software Discovery |
| TA0007 | Discovery | T1518.001 | Security Software Discovery |
| TA0007 | Discovery | T1046 | Network Service Discovery |
| TA0007 | Discovery | T1012 | Query Registry |
| TA0009 | Collection | T1005 | Data from Local System |
| TA0010 | Exfiltration | T1041 | Exfiltration Over C2 Channel |
| TA0011 | Command and Control | T1071 | Application Layer Protocol |
| TA0011 | Command and Control | T1071.001 | Web Protocols |
| TA0011 | Command and Control | T1102 | Web Service |
| TA0011 | Command and Control | T1132 | Data Encoding |
| TA0011 | Command and Control | T1132.001 | Standard Encoding |
| TA0011 | Command and Control | T1573 | Encrypted Channel |
| TA0040 | Impact | Various | Potential Ransomware Deployment |
The following authoritative sources provide additional technical analysis and intelligence regarding the TamperedChef malware campaign:
1. Acronis Threat Research Unit: https://www.acronis.com/en/tru/posts/cooking-up-trouble-how-tamperedchef-uses-signed-apps-to-deliver-stealthy-payloads/
2. WithSecure Labs: https://labs.withsecure.com/publications/tamperedchef
3. Twilight Cyber: https://twilightcyber.com/tamperedchef-infostealer-fake-pdf-editor-malvertising-2025/
Security teams should consult these TamperedChef threat intelligence publications for comprehensive technical indicators, behavioral analysis, and additional detection methodologies.