Hackers are distributing a fake PDF Editor loaded with TamperedChef
credential stealing malware
Date:
Fri, 29 Aug 2025 14:13:00 +0000
Description:
Be careful when searching for PDF editors, many are fake despite being advertised on Google.
FULL STORY ======================================================================
- At least five Google ads campaigns were running, promoting spoofed software
- Someone trojanized different PDF editors to deliver infostealers
- Defenders are warning about the TamperedChef infostealing malware
Be careful when downloading a program called AppSuite PDF Editor - there are poisoned variants circulating around the web.
In late June, security researchers at Truesec saw multiple websites, all spoofing the program, being published. At the same time, at least five different Google ads campaigns were set up to promote the websites.
Therefore, whoever searched for AppSuite PDF Editor could have ended up on
one of the many sites that were serving a trojanized version of the app.
Those that downloaded it would get the usual installation process and user license agreement prompts in the foreground, while in the background an infostealer and backdoor called TamperedChef was being deployed.
PDF Editors loaded with malware
What makes this malware particularly sinister is the deceptive delay with which it operates. It will wait for approximately 56 days before activating, most likely to give threat actors enough time to distribute the infostealer
to as many victims as possible, before being spotted by the defenders.
"The length from the start of the [ad] campaign until the malicious update
was also 56 days, which is close to the 60-day length of a typical Google advertising campaign, suggesting the threat actor let the ad campaign run its course, maximizing downloads, before activating the malicious features," Truesec said.
In the meantime, it will achieve persistence via Windows Registry modifications, and will create different scheduled tasks. Once activated, TamperedChef can collect browser credentials, session cookies, and other sensitive data, mostly by terminating browser processes and exploiting
Windows Data Protection API (DPAPI).
It also performs system reconnaissance to detect which antivirus or malware protection tools the victim is running, and can function as a backdoor to deploy additional malware.
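As an added example (not code from the article or from Truesec): a PowerShell triage script that hunts for the two persistence mechanisms described above, scheduled tasks and Run-key entries that launch a binary from a user-writable location. The list of user-writable paths and the output fields are assumptions; run it in an elevated PowerShell on the host being checked.

```powershell
# Added example, not from the article: hunt for scheduled tasks and Run-key
# entries whose command points into a user-writable path (assumed list below).
function Find-SuspiciousPersistence {
    $userWritable = @($env:USERPROFILE, $env:ProgramData, $env:TEMP) |
        Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
    $pattern = $userWritable -join '|'   # -match is case-insensitive by default

    # 1. Scheduled tasks: inspect every action's executable and arguments
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            if ($cmd -and $cmd -match $pattern) {
                $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
                [pscustomobject]@{
                    Type    = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Command = $cmd
                    Author  = $task.Author
                    LastRun = $info.LastRunTime
                    NextRun = $info.NextRunTime
                }
            }
        }
    }

    # 2. Run / RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, etc.
            if ("$($prop.Value)" -match $pattern) {
                [pscustomobject]@{
                    Type = 'RunKey'; Name = "$key\$($prop.Name)"; Command = $prop.Value
                    Author = $null; LastRun = $null; NextRun = $null
                }
            }
        }
    }
}

Find-SuspiciousPersistence | Format-Table -AutoSize
```

Hits are leads, not verdicts: compare each command against the installed software inventory and check the task's next run against the long activation delay the article describes.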
AppSuite is not the only PDF editor being spoofed in this campaign, either: PDF OneStart and PDF Editor have also been observed being abused in the same (or an adjacent) campaign.
Via The Hacker News
======================================================================
Link to news story:
https://www.techradar.com/pro/security/hackers-are-distributing-a-fake-pdf-editor-loaded-with-tamperedchef-credential-stealing-malware
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)