All news with #tamperedchef tag

TamperedChef Malware Uses Fake Installers in Global Campaign

⚠️ Acronis Threat Research Unit (TRU) reports an ongoing global malvertising campaign, dubbed TamperedChef, that employs counterfeit installers masquerading as popular utilities and product manuals to deploy an information-stealer and obfuscated JavaScript backdoors. Operators use SEO poisoning, malicious ads, and abused code-signing certificates from shell companies in the U.S., Panama, and Malaysia to increase trust and evade detection. Installers drop an XML file to create a scheduled task that launches the JavaScript backdoor, which exfiltrates encrypted, Base64-encoded JSON over HTTPS. Infections concentrate in the U.S. and have also been observed in Israel, Spain, Germany, India, and Ireland, with healthcare, construction, and manufacturing among the most affected sectors.

EvilAI Campaign: Malware Masquerading as AI Tools Worldwide

🛡️ Security researchers at Trend Micro detail a global campaign called EvilAI that distributes malware disguised as AI-enhanced productivity tools and legitimate applications. Attackers employ professional-looking interfaces, valid code-signing certificates issued to short-lived companies, and covert encoding techniques such as Unicode homoglyphs to hide malicious payloads and evade detection. The stager-focused malware — linked to families tracked as BaoLoader and TamperedChef — performs reconnaissance, exfiltrates browser data, maintains AES-encrypted C2 channels, and stages systems for follow-on payloads. Targets span manufacturing, government, healthcare, technology, and retail across Europe, the Americas and AMEA.

TamperedChef infostealer spread via fake PDF Editor ads

🔍 Threat actors used Google ads to promote a fraudulent AppSuite PDF Editor that silently delivered the TamperedChef infostealer. Multiple domains hosted signed installers with revoked certificates; the malicious payload was activated after a delay and is launched with the "-fullupdate" argument, checking for security agents and extracting browser secrets via DPAPI. Operators also pushed related apps such as OneStart, ManualFinder and Epibrowser, and in some cases converted hosts into residential proxies; Truesec and Expel published IoCs for detection.