Full Report
Threat actors have been using multiple websites promoted through Google ads to distribute a convincing PDF editing app that delivers an info-stealing malware called TamperedChef. [...]
Analysis Summary
# Tool/Technique: TamperedChef infostealer
## Overview
TamperedChef is an information-stealing malware distributed through a seemingly legitimate application, AppSuite PDF Editor, promoted via fraudulent Google advertisements. The delivery mechanism involves a multi-stage campaign where initial benign-looking applications eventually download or activate the malicious components. A key secondary effect observed in related applications in the campaign is the enrollment of infected hosts into residential proxy networks.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (inferred from its use of DPAPI)
- Capabilities: Steals credentials and web cookies, checks for security software, uses Windows DPAPI for decryption/access.
- First Seen: Verified on VirusTotal on May 15th (before malicious activation on August 21st, 2025).
## MITRE ATT&CK Mapping
*Note: Direct mappings for TamperedChef are inferred based on its function as an infostealer.*
- T1555 - Credentials from Password Stores
- T1555.003 - Credentials from Web Browsers
- T1082 - System Information Discovery
- T1082.001 - System Checks: Security Software Discovery (Checking for security agents)
- T1016 - System Network Configuration Discovery (Implied, needed for proxy operations)
- T1547.001 - Registry Run Keys / Startup Folder (Likely persistence mechanism, though not detailed)
## Functionality
### Core Capabilities
- Information Theft: Designed to collect sensitive data, specifically credentials and web cookies stored by browsers.
- Security Evasion: Attempts to detect and check for the presence of installed security agents on the host system.
- Data Access: Utilizes the Windows Data Protection Application Programming Interface (DPAPI) to query and access encrypted data from installed web browsers.
### Advanced Features
- Multi-stage Delivery: Delivered via a legitimate-sounding PDF Editor executable (AppSuite PDF Editor) using the `-fullupdate` argument to activate malicious code.
- Camouflage: Initial distribution relied on widespread and well-orchestrated Google ad campaigns, maximizing downloads before full weaponization activation.
## Indicators of Compromise
- File Hashes: SHA256 (Sample scanned on VT): `cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c`
- File Names: `AppSuite PDF Editor` executable (triggering file)
- Registry Keys: Not specified in the context.
- Network Indicators: Not specified in the context (C2 details are missing).
- Behavioral Indicators: Checking for installed security agents; querying browser databases via DPAPI; initiating residential proxy duties (via related tools like OneStart/ManualFinder).
## Associated Threat Actors
The threat actor behind this campaign (active since at least August 2024) is linked to the distribution of other tools like OneStart and Epibrowser, suggesting a broader operation monetizing through data theft and affiliate programs for residential proxies.
## Detection Methods
- Signature-based detection: Match file hashes associated with the final malware payload or with the initial dropper (the AppSuite PDF Editor executable).
- Behavioral detection: Monitoring applications attempting to interact with the Windows DPAPI for accessing browser data, or processes making unexpected outbound connections indicative of proxy participation.
- YARA rules: Not specified in the context, but custom rules targeting string patterns related to credential/cookie harvesting would be applicable.
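The behavioral and hash-based detections listed above can be expressed as a small rule set over endpoint process and file events. The following is an added example written for this summary; it is not code from the original report or from any vendor tooling. It assumes a simplified, constructed Sysmon-like JSON event schema (field names `Image`, `CommandLine`, `SHA256`, `TargetFilename` are assumptions), all file paths and the second hash are constructed, and only the SHA256 `cb15e1ec…` comes from the page's IoC list. It flags three things: a known-bad hash, the dropper being launched with the `-fullupdate` activation argument, and a non-browser process opening a DPAPI-protected Chromium credential or cookie store.

```python
"""Rule-based detection for TamperedChef-style behaviour over process/file events.

Added example. Event schema is a constructed, simplified Sysmon-like JSON format;
field names and paths are assumptions, not values from the original report.
"""
import json
import re

# IoC taken from the page (sample scanned on VirusTotal).
KNOWN_BAD_SHA256 = {
    "cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c",
}

# Chromium-family credential/cookie stores. Their contents are protected with
# Windows DPAPI, so a non-browser process opening them matches the behavioural
# indicator described on the page (querying browser data via DPAPI).
BROWSER_STORE_RE = re.compile(
    r"\\(Login Data|Cookies|Web Data|Local State)$", re.IGNORECASE)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}

# The dropper activates its payload when run with this argument (from the page).
FULLUPDATE_RE = re.compile(r"(?<!\S)-fullupdate(?!\S)", re.IGNORECASE)


def hits_for_event(ev):
    """Return the list of detection labels raised by one event dict (empty if clean)."""
    labels = []
    image = ev.get("Image", "")
    exe = image.rsplit("\\", 1)[-1].lower()

    # 1. Known-bad file hash from the IoC list.
    if ev.get("SHA256", "").lower() in KNOWN_BAD_SHA256:
        labels.append("ioc_hash_match")

    # 2. AppSuite PDF Editor executable launched with the -fullupdate trigger.
    if "appsuite" in exe and FULLUPDATE_RE.search(ev.get("CommandLine", "")):
        labels.append("appsuite_fullupdate_activation")

    # 3. DPAPI-protected browser store opened by something that is not a browser.
    target = ev.get("TargetFilename", "")
    if target and BROWSER_STORE_RE.search(target) and exe not in BROWSER_IMAGES:
        labels.append("nonbrowser_credential_store_access")

    return labels


def scan(lines):
    """Scan newline-delimited JSON events; return [(event_index, labels)] for hits."""
    results = []
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        labels = hits_for_event(json.loads(line))
        if labels:
            results.append((i, labels))
    return results


# Constructed sample events (paths, users and the non-IoC hash are made up).
_APPSUITE_EXE = r"C:\Users\alice\AppData\Local\Programs\AppSuite\AppSuite PDF Editor.exe"
_LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    # 0: dropper run with the activation flag, hash matches the page IoC -> two hits
    {"Image": _APPSUITE_EXE, "CommandLine": f'"{_APPSUITE_EXE}" -fullupdate',
     "SHA256": "cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c"},
    # 1: the same non-browser process opens Chrome's DPAPI-protected Login Data -> one hit
    {"Image": _APPSUITE_EXE, "TargetFilename": _LOGIN_DATA},
    # 2: Chrome itself reading its own store -> expected, clean
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": _LOGIN_DATA},
    # 3: unrelated benign process -> clean
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
    # 4: editor opening a document normally, no flag, different (constructed) hash -> clean
    {"Image": _APPSUITE_EXE, "CommandLine": f'"{_APPSUITE_EXE}" C:\\Users\\alice\\invoice.pdf',
     "SHA256": "0" * 64},
]]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(labels)}")
```

Rule 3 is the one most likely to need tuning in a real fleet: backup agents and password managers can legitimately touch these files, so an allow-list keyed on signed image path rather than bare executable name is the usual next step. Rule 2 is deliberately narrow (executable name plus the exact argument) because the page identifies that argument as the activation trigger.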
## Mitigation Strategies
- Prevention: Restrict execution of untrusted applications downloaded from non-official sources, especially those promoted via search engine advertisements offering "free" tools.
- Hardening recommendations: Implement advanced endpoint protection configured to monitor for DPAPI usage anomalies and security product enumeration attempts. Users should be cautious about granting permissions for system resource sharing (like residential proxies).
## Related Tools/Techniques
- AppSuite PDF Editor (The initial distribution vehicle/dropper)
- OneStart (Potentially unwanted program that can download related components)
- Epibrowser
- ManualFinder (Another suspicious application observed dropping files in connection with this campaign)