A malware campaign is using fake PDF editing software promoted through Google ads to infect users with an info-stealer known as TamperedChef, cybersecurity researchers warn.
According to a technical analysis by cybersecurity firm Truesec, threat actors have created a convincing PDF tool called AppSuite PDF Editor, which behaves like a legitimate application but contains hidden malicious capabilities. The app, advertised via over 50 deceptive domains, delivers the TamperedChef malware once installed.
Truesec found that the app's malicious behavior was only switched on around August 21, weeks after the installer was first seen on VirusTotal on May 15 and nearly two months after the related domains began appearing on June 26. The researchers believe this delayed activation let the campaign accumulate as many downloads as possible, with a clean-looking binary, before the payload went live, likely timed to the roughly 60-day lifespan of a typical Google Ads campaign.
TamperedChef is designed to steal sensitive data such as saved credentials and browser cookies. It checks for installed security software and uses the Windows Data Protection API (DPAPI) to decrypt the data that browsers store encrypted on disk. The malicious routine is triggered when the app's executable is launched with a “-fullupdate” argument, so the stealer runs under the name of the PDF editor itself rather than as a separate process.
Besides PDF tools, the campaign involves other related apps, including OneStart and Epibrowser, some of which can download each other and even enroll compromised machines into residential proxy networks. In some cases, users are explicitly asked to allow their device to be used as a proxy in exchange for free access to the software.
The fraudulent applications were digitally signed with certificates issued to at least four companies, including ECHO Infini SDN BHD, GLINT By J SDN. BHD, and SUMMIT NEXUS Holdings LLC. The certificates have since been revoked, but researchers warn the threat remains for existing installations: revocation does not remove or disable copies that are already installed, and a machine that cannot reach the CA's revocation data may still report the signature as valid.
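For defenders reviewing endpoints, the two concrete indicators the article gives are the “-fullupdate” trigger argument on the app executables and the company names on the revoked signing certificates. The following Python hunt script is an added example written for this page, not code from Truesec, Expel or the campaign itself. It scans process-creation records for the trigger argument and the app names named above (AppSuite PDF Editor, OneStart, Epibrowser, ManualFinder), and separately flags binaries whose Authenticode signer subject matches one of the listed companies. The log layout, the file paths and the signer strings in the sample data are constructed for illustration; the executable names are assumptions, since the article does not give them.

```python
"""Hunt for the TamperedChef indicators described in the article.

Two checks: (1) process creations where a known campaign app is launched
with the -fullupdate trigger argument, and (2) signed binaries whose signer
subject names one of the companies whose certificates were revoked.
All sample data below is constructed for illustration, not real telemetry.
"""
import re
from typing import Dict, List, Tuple

# App names from the article, matched case-insensitively against the image path.
# The exact executable file names are an assumption for this example.
SUSPECT_IMAGE_TOKENS = ("appsuite", "pdf editor", "onestart", "epibrowser", "manualfinder")
# Company names from the article whose code-signing certificates were revoked.
REVOKED_SIGNERS = ("echo infini sdn bhd", "glint by j sdn. bhd", "summit nexus holdings llc")
TRIGGER_ARG = "-fullupdate"

# Constructed process-creation records in a Sysmon-like key=value layout.
SAMPLE_PROCESS_LOG = """\
2025-08-21T09:12:03Z Image=C:\\Users\\alice\\AppData\\Local\\Programs\\PDF Editor\\PDF Editor.exe CommandLine="PDF Editor.exe" -fullupdate
2025-08-21T09:12:40Z Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe readme.txt
2025-08-21T09:13:05Z Image=C:\\Users\\alice\\AppData\\Local\\OneStart\\OneStart.exe CommandLine=OneStart.exe --silent
2025-08-21T09:14:11Z Image=C:\\Program Files\\Vendor\\update.exe CommandLine=update.exe -FullUpdate
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) Image=(?P<image>.+?) CommandLine=(?P<cmd>.*)$")


def tokens(cmdline: str) -> List[str]:
    """Split a command line into lower-cased arguments; quoted segments stay whole."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def scan_process_log(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious process-creation line.

    'high' when a known campaign app is launched with the trigger argument,
    'medium' when only one of the two indicators is present. The argument is
    matched as a whole token so that unrelated flags containing the substring
    do not fire, and case-insensitively because Windows ignores case here.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated record
        image = m.group("image").lower()
        known_app = any(tok in image for tok in SUSPECT_IMAGE_TOKENS)
        trigger = TRIGGER_ARG in tokens(m.group("cmd"))
        if not (known_app or trigger):
            continue
        if known_app and trigger:
            reason, severity = "trigger-arg+known-app", "high"
        elif trigger:
            reason, severity = "trigger-arg", "medium"
        else:
            reason, severity = "known-app", "medium"
        findings.append({"ts": m.group("ts"), "image": m.group("image"),
                         "severity": severity, "reason": reason})
    return findings


# Constructed inventory rows of the kind one might export from
# Get-AuthenticodeSignature: (path, signer subject, reported status).
SAMPLE_SIGNATURES: List[Tuple[str, str, str]] = [
    (r"C:\Users\alice\AppData\Local\Programs\PDF Editor\PDF Editor.exe",
     "CN=ECHO Infini SDN BHD, O=ECHO Infini SDN BHD, C=MY", "Valid"),
    (r"C:\Users\alice\AppData\Local\OneStart\OneStart.exe",
     "CN=SUMMIT NEXUS Holdings LLC, O=SUMMIT NEXUS Holdings LLC, C=US", "UnknownError"),
    (r"C:\Windows\System32\notepad.exe",
     "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", "Valid"),
]


def find_revoked_signers(rows: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Flag binaries by signer subject rather than by the status column.

    A revoked certificate can still be reported as Valid when the host cannot
    reach the CA's revocation data or the signature carries a timestamp that
    predates the revocation date, so the status field alone is not reliable.
    """
    hits = []
    for path, subject, status in rows:
        if any(name in subject.lower() for name in REVOKED_SIGNERS):
            hits.append({"path": path, "subject": subject, "status": status})
    return hits


if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['image']} ({f['reason']})")
    for h in find_revoked_signers(SAMPLE_SIGNATURES):
        print(f"[revoked-signer] {h['path']} signed by {h['subject']} (status {h['status']})")
```

On real hosts the process records would come from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled, and the signature rows from running `Get-AuthenticodeSignature` over user-writable program directories; the parsing above is deliberately simple so it can be adapted to whatever export format is at hand. The medium-severity hit on an unknown binary launched with the trigger argument is kept on purpose: the article notes the related apps download each other, so an unfamiliar image name is not a reason to discard the event.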
Cybersecurity firm Expel, which also analyzed the threat, described related apps like ManualFinder and OneStart as exhibiting malware-like behavior, including dropping suspicious files, executing unexpected commands, and converting systems into proxies.
Though some of the apps are labeled as Potentially Unwanted Programs (PUPs), researchers say that their behavior is consistent with actual malware and should be treated as such.