TamperedChef Malware Delivers Stealers & Uses Signed
A new malware campaign, dubbed TamperedChef, is actively spreading, employing signed productivity applications as a deceptive front. This sophisticated threat delivers potent information stealers and...
A new malware campaign, dubbed TamperedChef, is actively spreading, employing signed productivity applications as a deceptive front. This sophisticated threat delivers potent information stealers and Remote Access Trojans (RATs) to compromised systems. These malicious payloads are designed to exfiltrate user credentials and establish persistent remote control for attackers. For a detailed analysis of this threat, consult the
Since early 2023, attackers have packaged malware inside tools like PDF editors, calendar apps, ZIP extractors, and GIF image makers. These apps work as advertised, which is exactly why victims rarely suspect anything at all.
They sit silently on a device for weeks or even months before triggering malicious activity, making them difficult to catch with standard security tools.
Analysts at Unit42 identified and tracked three distinct clusters of this activity, labeled CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110.
According to Unit42 report shared with Cyber Security News (CSN), researchers found over 4,000 unique samples and more than 100 unique variants across these campaigns, with infections appearing in more than 50% of monitored enterprise environments globally.
What makes TamperedChef so dangerous is how convincingly it mimics real software. Download pages are professionally built with legal terms, contact pages, and one-click download buttons on legitimate-looking domains.
TamperedChef Malware Uses Signed Productivity Apps
The apps deliver on their promises, leaving victims with little reason to question what they just installed. The scale of this operation points to a well-funded, highly organized effort.
Researchers estimate the operators behind just one cluster spent over $10,000 on code-signing certificates alone, which are digital stamps that make software appear trustworthy. This level of investment signals a long-term, profit-driven campaign far beyond what typical adware operations would attempt.
One of TamperedChef’s defining tactics is using legitimate code-signing certificates to make its payloads appear safe. These certificates are issued to verified companies, and most security tools treat signed software as trustworthy.
Threat actors exploited this by building networks of shell companies across Ukraine, Malaysia, Israel, the UK, and the US to obtain valid certificates.
Researchers traced the CL-CRI-1089 cluster to 34 unique code-signing entities, connected through shared certificate usage, overlapping code, and corporate structure analysis.
The Calendaromatic campaign used a self-extracting archive containing a functional calendar app bundled with a hidden remote access Trojan. Once active, that RAT contacted a command-and-control server and pulled down a second-stage payload to further compromise the victim.
The CL-UNK-1090 cluster took a more integrated approach, with the same group owning both the advertising agencies and the malware-signing companies.
Over 20,000 unique ads were traced to this cluster through ad transparency platforms, spanning campaigns like CrystalPDF, OneZip, and Easy2Convert.
Operators used generative AI to build distribution websites at scale, producing pages that looked similar but had structurally different underlying code.
Stealers, RATs, and What Happens After Infection
Once a TamperedChef app activates, it delivers one of two payload categories depending on the campaign. The first is adware and browser hijackers, which redirect searches and take control of browsing behavior.
The second, and more serious, is the deployment of information stealers and remote access Trojans that target saved credentials and allow attackers to run commands remotely.
Second-stage payloads typically arrive weeks after installation through an upstream API connection, long after any initial suspicion fades.
In some campaigns, such as AppSuite, researchers also found proxy-style malware routing traffic through victim machines. The CL-CRI-1089 cluster showed the most aggressive credential theft, while CL-UNK-1090 favored stealthier in-memory payloads leaving fewer traces on disk.
To defend against this threat, security teams should ensure endpoint detection tools are fully updated across all devices and consider enterprise browsers that block malicious downloads before they reach users.
Training employees to recognize unfamiliar software risks is equally critical, even when download sites look entirely professional.
If an infection is discovered, teams should quarantine related files, remove persistence mechanisms like scheduled tasks, reset credentials for affected accounts, and review access logs to confirm whether stolen credentials have already been misused.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA256 Hash | 248de1470771904462c91f146074e49b3d7416844ec143ade53f4ac0487fdb4 | RapiDoc binary containing PDB path, linked to CANDY TECH LTD (CL-UNK-1090) |
| SHA256 Hash | 42231bfa7c7bd4a8ff12568074f83de8e4ec95c226230cccc6616a1a4416de268 | RapiDoc binary containing PDB path, linked to CANDY TECH LTD (CL-UNK-1090) |
| PDB Path | D:!WorkClients<user>ProjectsRapiDocSrcForTestsRapiDocx64ReleaseRapiDocRapiDoc.pdb | Program database path found in RapiDoc binaries, likely left by mistake during build |
| Domain | onezipapp[.]com | Distribution site for OneZip malware, signed by TAU CENTAURI LTD (CL-UNK-1090) |
| Domain | crystalpdf[.]com | Distribution site for CrystalPDF, used by CL-UNK-1090 cluster |
| Domain Pattern | pixel.toolname[.]com | C2 domain pattern used by PixelCheck variant (PDFPrime/ManualzPDF campaigns, CL-CRI-1089) |
| Code Signer | CROWN SKY LLC | Code-signing entity used in Calendaromatic campaign (CL-CRI-1089) |
| Code Signer | MARKET FUSION INNOVATIONS LLC | Code-signing entity linked to Calendaromatic campaign (CL-CRI-1089) |
| Code Signer | CANDY TECH LTD | Core signing and advertising entity for CL-UNK-1090 cluster |
| Code Signer | TAU CENTAURI LTD | Signing entity linked to OneZip campaign (CL-UNK-1090) |
| Code Signer | B.L.A ASPIRE LTD | Signing entity for JustConvertFiles binaries (CL-UNK-1090) |
| Code Signer | PASTEL CONCEPTION LTD | Signing entity for JustConvertFiles; linked to PDFPilot, SwiftNav, ShinyPDF, FileEase |
| Code Signer | BUZZ BOOST ADVERTISERS LLC | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | ADSMARKETO LLC | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | ADVANTAGE WEB MARKETING LLC | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | Europae-Solutio Ltd | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | SP Development and Solution Limited | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | LLC MATCH-TWO-USERS | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | Monetize forward LLC | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Malware Sample | calendaromatic-win_x64.exe | First-stage binary from Calendaromatic campaign (CL-CRI-1089) |
| Malware Sample | resources.neu | Obfuscated NeutralinoJS resource file containing C2 logic, Calendaromatic campaign |
| File Name | RapiDoc.pdb | Debug symbol file found in RapiDoc binaries (CL-UNK-1090) |
| Campaign Name | AppSuite PDF | Malicious PDF editor spreading TamperedChef malware; observed deploying proxy-style payloads |
| Campaign Name | Calendaromatic | Calendar app trojan; earliest tracked CL-CRI-1089 activity (late 2023) |
| Campaign Name | CrystalPDF | Malicious PDF tool distributed by CL-UNK-1090; hosted at crystalpdf[.]com |
| Campaign Name | JustAskJacky | App distributed by CL-UNK-1110 cluster |
| Campaign Name | OneZip | Malicious ZIP tool signed by TAU CENTAURI LTD; distributed via onezipapp[.]com |
| Campaign Name | PDFPrime / ManualzPDF | Early CL-CRI-1089 campaigns sharing code and C2 patterns (PixelCheck variant) |
| Campaign Name | ZipMakerPro | TamperedChef-style app linked to CANDY TECH LTD (CL-UNK-1090) |
| Campaign Name | GifsMakerPro | TamperedChef-style app linked to CANDY TECH LTD (CL-UNK-1090) |
| Campaign Name | ScreensRecorder | TamperedChef-style app linked to CANDY TECH LTD (CL-UNK-1090) |
| Campaign Name | RapiDoc | App with CANDY TECH LTD copyright; contained leaked PDB path (CL-UNK-1090) |
| Campaign Name | JustConvertFiles | Malicious file conversion tool distributed by CANDY TECH LTD (CL-UNK-1090) |
| Campaign Name | PDFPilot | Campaign linked to B.L.A ASPIRE LTD and PASTEL CONCEPTION LTD (CL-UNK-1090) |
| Campaign Name | SwiftNav | Campaign linked to B.L.A ASPIRE LTD and PASTEL CONCEPTION LTD (CL-UNK-1090) |
| Campaign Name | ShinyPDF | Campaign linked to B.L.A ASPIRE LTD and PASTEL CONCEPTION LTD (CL-UNK-1090) |
| Campaign Name | FileEase | Campaign linked to B.L.A ASPIRE LTD and PASTEL CONCEPTION LTD (CL-UNK-109 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.