TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies
Briefly

Malicious actors use bogus websites and malvertising to push a trojanized AppSuite PDF Editor installer that delivers the TamperedChef information stealer. The installer displays a terms-of-service prompt while covertly requesting components from an external server and dropping the PDF editor program. The setup modifies the Windows Registry to establish persistence, so that the downloaded executable starts automatically after a reboot; the registry value passes instructions to it through a --cm argument. The installer executes the main application with no arguments (equivalent to the --install routine) and creates an autorun entry with --cm=--fullupdate. The campaign began around June 26, 2025.
"The objective is to lure victims into downloading and installing a trojanized PDF editor, which includes an information-stealing malware dubbed TamperedChef," Truesec researchers Mattias Wåhlén, Nicklas Keijser, and Oscar Lejerbäck Wolf said in a report published Wednesday. "The malware is designed to harvest sensitive data, including credentials and web cookies."
At the heart of the campaign is the use of several bogus sites to promote an installer for a free PDF editor called AppSuite PDF Editor that, once installed and launched, prompts the user to agree to the software's terms of service and privacy policy.
German cybersecurity company G DATA, which also analyzed the activity, said the various websites offering these PDF editors download the same setup installer, which then downloads the PDF editor program from the server once the user accepts the license agreement. "It then executes the main application with no arguments, which is equivalent to starting the --install routine," security researchers Karsten Hahn and Louis Sorita said. "It also creates an autorun entry that supplies the command line argument --cm=--fullupdate for the next run of the malicious application."
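The autorun entry described above gives defenders a concrete hunting signature: a Run value whose command line carries a --cm=<directive> switch. The following is an added example (not code from Truesec, G DATA or The Hacker News) that parses a constructed `reg export` of the HKCU Run key and flags such entries; the value name "PDFEditorUpdater", the AppSuite install path and the neighbouring benign entries are assumptions, not observed indicators.

```python
import re

# Constructed sample of a "reg export" of the HKCU Run key (not captured from a
# real infection); the value name and AppSuite path are assumptions.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"PDFEditorUpdater"="\"C:\\Users\\alice\\AppData\\Local\\AppSuite\\PDF Editor\\pdfeditor.exe\" --cm=--fullupdate"
"Discord"="C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe"
'''

# "Name"="data" lines; .reg string data escapes backslashes and double quotes
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def unescape_reg(s):
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_values(text):
    """Yield (value_name, command_line) for each string value in the export."""
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            yield m.group('name'), unescape_reg(m.group('data'))

def split_cmdline(cmd):
    """Split a Windows command line into tokens, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def suspicious_cm_entries(text):
    """Return Run entries whose arguments carry a --cm=<directive> switch, the
    shape of the TamperedChef autorun entry (--cm=--fullupdate)."""
    hits = []
    for name, cmd in parse_run_values(text):
        tokens = split_cmdline(cmd)
        if not tokens:
            continue
        exe, args = tokens[0], tokens[1:]
        cm = [a for a in args if a.lower().startswith('--cm=')]
        if cm:
            hits.append({'value': name, 'exe': exe,
                         'directive': cm[0].split('=', 1)[1]})
    return hits

if __name__ == '__main__':
    for h in suspicious_cm_entries(SAMPLE_REG_EXPORT):
        print(f"{h['value']}: {h['exe']} (--cm directive: {h['directive']})")
```

On a live host, feed the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent) to `suspicious_cm_entries` instead of the constructed sample.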
Read at The Hacker News