TamperedChef: Inside the Info-Stealer Hiding in Fake PDF Tools

Posted on September 16, 2025

Infostealers


Cybercriminals are increasingly exploiting PDFs as a delivery vehicle for malware, capitalizing on the trust users place in everyday document tools. Attacks using malicious PDF files have skyrocketed, rising more than 1,160% in recent years, as threat actors turn to more deceptive and effective tactics to compromise their victims.

The latest example of this trend is TamperedChef, a stealthy new information-stealing malware cooked into a fake PDF editing program. This infostealer hides behind the guise of a legitimate PDF editor, lying dormant at first and then stealing sensitive data once activated. 

In this deep dive, we’ll explore how TamperedChef’s recent campaign works, why it’s dangerous to organizations, and how you can defend against it.

The Malvertising Bait: “Free PDF Editor” Trojan

TamperedChef burst onto the scene in mid-2025 through a malvertising campaign designed to blend seamlessly with everyday web activity. Threat actors set up dozens of spoofed websites promoting a free tool called AppSuite PDF Editor, pushed aggressively through Google Ads. 

Unsuspecting users (often searching for PDF editing software) would click these sponsored links and land on a convincing site offering the AppSuite PDF Editor download.

After running the installer, nothing seemed amiss: a familiar setup wizard and license agreement greeted them, reinforcing the illusion of legitimacy while quietly masking the malicious payload.

In the background, however, the installer was pulling double duty. It did install a working PDF editor application, but also covertly installed the TamperedChef malware and set it up to persist on the system. 

The malicious installer made stealthy requests to attacker-controlled servers to fetch the payload, and even added a Windows Registry autorun key to ensure TamperedChef would launch on startup.

Crucially, TamperedChef did not strike immediately. The attackers opted for a delayed detonation approach. Security researchers found that although the tainted AppSuite PDF Editor was first seen as early as May 2025, its malicious behaviors remained inactive for weeks. 

The campaign kicked off around June 26, 2025, when many of the fake PDF sites went live and began snagging victims. Yet TamperedChef’s payload stayed dormant until August 21, 2025, when it received a special update command (“--fullupdate”) that suddenly flipped on its infostealing features.

Why the wait? It appears the threat actors were being patient and strategic. 56 days is roughly the length of a typical Google Ads campaign, so the malware operators let the ads run their full course to maximize the number of infected downloads.

By the time the trap was sprung in late August, thousands of users could have the infostealer quietly embedded in their systems.

How TamperedChef Steals Data

When TamperedChef finally awakens after its dormancy period, it shifts into attack mode, and it’s quite a feature-rich threat. Upon activation (triggered by that “full update” instruction), TamperedChef establishes persistence on the host via previously planted Registry entries and Scheduled Tasks. 

It then proceeds to harvest a wealth of sensitive information from the infected machine. Specifically, TamperedChef is designed to steal login credentials, browser session cookies, and other confidential data. 

It does this by aggressively targeting web browsers. The malware will force-terminate browser processes to unlock any in-use files and then exploit the Windows Data Protection API (DPAPI) to decrypt stored passwords and secure browser data.

Next, TamperedChef performs a quick system reconnaissance, checking what security software is installed on the machine, likely to identify antivirus or endpoint protection that might hinder its operation. With that knowledge, it can try to stay under the radar or disable certain defenses (though specifics on AV evasion are still being analyzed). The malware then opens a backdoor channel to its command-and-control (C2) server. 

TamperedChef’s backdoor capabilities allow the attackers to send further commands or payloads to the infected PC. In essence, once active, TamperedChef acts as both an infostealer and a foothold for broader compromise: it can exfiltrate the stolen data (passwords, cookies, etc.) and also download additional malware or instructions from the C2.

Some of TamperedChef’s internal commands and design reveal a toolkit-like approach. Researchers found that the malicious PDF Editor application accepted special command-line arguments (like --install, --check, --ping, --fullupdate, etc.) which triggered different behaviors. 

For example, the --install mode creates scheduled tasks for persistence, whereas --check instructs the malware to phone home to the C2 for new instructions. This modular design suggests the authors built TamperedChef to be flexible and control-rich, perhaps even leaving room to sell it as a MaaS (malware-as-a-service) offering in the cybercrime underground.

Key Malicious Actions of TamperedChef (once activated):

  • Credential & Session Theft: Kills browsers and digs into files (via DPAPI) to steal saved passwords and session cookies, giving attackers access to victim accounts.
  • Persistence: Ensures it restarts on boot by adding autorun Registry keys and scheduling background tasks to re-invoke the malware.
  • System Recon: Checks for installed security tools and possibly adjusts behavior to avoid or neutralize them.
  • Backdoor Access: Maintains a channel to attackers, who can issue commands to download more malware, exfiltrate files, or even use the PC for other nefarious purposes.

A Wider “Spoiled” Software Ecosystem

The AppSuite PDF Editor is not an isolated case. TamperedChef appears to be part of a larger malware distribution operation that uses fake or trojanized software installers as bait. Cybersecurity investigators uncovered that over 50 lookalike domains were hosting not only the fake PDF editor, but also other phony apps in the same timeframe. 

A full list of malicious domains and applications can be found here.

Some examples include PDF OneStart, ManualFinder, and a browser called Epibrowser, all of which have been observed behaving suspiciously or downloading one another. In some instances, these dubious applications even explicitly prompt users to agree to their machine being used as a residential proxy node in exchange for “free” software access. 

This means the attackers were not only after credentials, but were also trying to monetize infected machines by siphoning internet bandwidth (turning victims into unwitting proxy servers for other criminal traffic).

There has been some debate in the security community about whether these kinds of fake software installers should be classified as full-blown malware or simply potentially unwanted programs (PUPs). 

While some of the behavior (like showing ads or installing proxies) borders on the gray area of adware, researchers argue that TamperedChef shows these programs are far from harmless. Even if an app looks like a minor nuisance initially, it can turn into a serious breach. 

In short, if it quacks like a trojan, it’s a trojan. Organizations should treat any such uninvited software as a security incident, not a mere PUP.

Indicators of Compromise (IoCs)

Type | Indicator | Notes / Context
--- | --- | ---
Malicious Apps | AppSuite PDF Editor, OneStart, ManualFinder, EpiBrowser | Trojanized/fake apps used to deliver TamperedChef or related malware
Hosting Domains | Over 50 malicious lookalike domains identified (see a full list here) | Includes spoofed PDF editor and productivity tools, distributed via Google Ads
Example Domains | apdft[.]net, mypdfonestart[.]com, ltdpdf[.]com, pdfreplace[.]com, pdf-tool[.]appsuites[.]ai | Landing pages for fake PDF editors and productivity apps
File Names | AppSuitePDFEditorSetup.exe, PDFEditorUpdater.exe | Installer + persistence/updater component
Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PDFEditorUpdater | Autorun persistence entry
Scheduled Task | PDFEditorUpdater | Ensures malware runs on startup
Command-Line Args | --install, --check, --ping, --fullupdate | Arguments used to control TamperedChef behaviors
Code-Signing Certs | ECHO Infini SDN BHD, GLINT By J SDN BHD, SUMMIT NEXUS Holdings LLC | Fraudulent certs used to sign malicious installers
Hash (SHA-256) | cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c | AppSuite PDF Editor (known malicious binary tied to the campaign)
Hash (SHA-256) | da3c6ec20a006ec4b289a90488f824f0f72098a2f5c2d3f37d7a2d4a83b344a0 | AppSuite PDF Editor (known malicious binary tied to the campaign)
Hash (SHA-256) | 2e4de114ad10967f1807f317f476290dc0045bdfa9395553d1b443ef9f905018 | EpiBrowser (known malicious binary tied to the campaign)
Hash (SHA-256) | 71edb9f9f757616fe62a49f2d5b55441f91618904517337abd9d0725b07c2a51 | ManualFinder (known malicious binary tied to the campaign)
C2 Domains | y2iax5[.]com, abf26u[.]com, mka3e8[.]com, 5b7crp[.]com | Active TamperedChef command-and-control infrastructure
Behavioral Indicators | Browser processes unexpectedly terminated; access to DPAPI-protected credential stores; creation of autorun Registry entries / Scheduled Tasks; obfuscated execution of resources/pdfeditor.js | Key runtime signals of TamperedChef infostealer activity

How to Defend Against TamperedChef and Similar Threats

Defeating a threat like TamperedChef requires a combination of preventive measures, user awareness, and active monitoring. Here are some steps organizations should take to reduce the risk of infostealers embedded in fake software:

Clamp Down on Unverified Software:
Restrict or at least monitor the installation of software from outside approved sources. Many companies are now implementing application allow-listing or app stores to prevent employees from downloading random tools.

Specifically, block known malicious installs like AppSuite PDF Editor and other suspicious PDF editors. If an employee truly needs a PDF editor, provide them a vetted, safe option.

User Education (Think Before You Download):
Social engineering isn’t limited to emails. Educate staff that search results and ads can be dangerous too. Encourage a culture where employees, especially those seeking productivity tools, double-check software legitimacy (e.g. verify the official vendor site, reviews, or ask IT) before installing.

Endpoint Protection & Behavior Monitoring:
Traditional antivirus alone may miss heavily obfuscated malware like TamperedChef. Deploy Endpoint Detection and Response (EDR) tools or advanced anti-malware that look for behavioral indicators.

For example, an EDR can flag if a PDF editor process suddenly starts adding run keys, spawning suspicious tasks, or killing browser processes – all odd behaviors for a PDF app.

Microsoft Sysmon or similar can be configured to log events like unusual registry writes or process terminations, which security teams can alert on.
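As an added example (not code from the original post or from any vendor), here is a small Python detector that applies the behavioral indicators above to Sysmon-style events. The event dicts, file paths and the image-name regex are constructed assumptions, and treating schtasks.exe and taskkill.exe children of the PDF editor as the persistence and browser-kill signals is an assumption about how those behaviors would surface in process telemetry.

```python
import re

# Binary names from the IoC table; the regex is an assumption about how they appear in Sysmon Image fields.
PDF_EDITOR = re.compile(r"(appsuite)?pdfeditor(setup|updater)?\.exe$", re.I)
CONTROL_ARGS = ("--install", "--check", "--ping", "--fullupdate")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return alert labels for one Sysmon-style event (dict of EventData fields)."""
    alerts = []
    eid, cmd = event.get("EventID"), event.get("CommandLine", "").lower()
    image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    if eid == 1:  # process creation
        if PDF_EDITOR.search(image) and any(a in cmd.split() for a in CONTROL_ARGS):
            alerts.append("pdf-editor-control-arg")       # --install/--check/--ping/--fullupdate
        if PDF_EDITOR.search(image) and "pdfeditor.js" in cmd:
            alerts.append("pdfeditor-js-execution")       # resources/pdfeditor.js being run
        if PDF_EDITOR.search(parent) and image == "schtasks.exe" and "/create" in cmd:
            alerts.append("pdf-editor-schtask-persistence")
        if PDF_EDITOR.search(parent) and image == "taskkill.exe" and any(b in cmd for b in BROWSERS):
            alerts.append("pdf-editor-kills-browser")     # browser killed to unlock credential files
    elif eid == 13:  # registry value set
        target = event.get("TargetObject", "")
        if RUN_KEY.search(target) and (PDF_EDITOR.search(image) or "pdfeditorupdater" in target.lower()):
            alerts.append("pdf-editor-run-key-persistence")
    return alerts

def scan(events):
    """Run classify over an event stream; returns (event index, alert) pairs."""
    return [(i, a) for i, e in enumerate(events) for a in classify(e)]

# Constructed sample events mirroring the behaviors in the post (not real telemetry).
EDITOR = r"C:\Users\alice\AppData\Local\PDF Editor\PDFEditor.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": EDITOR, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"PDFEditor.exe" --fullupdate'},
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\AppSuitePDFEditorSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\PDFEditorUpdater"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": EDITOR,
     "CommandLine": r'schtasks.exe /create /tn PDFEditorUpdater /sc onlogon /tr "C:\Users\alice\PDFEditorUpdater.exe --check"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe", "ParentImage": EDITOR,
     "CommandLine": "taskkill /F /IM chrome.exe /IM msedge.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
]
```

The last sample event is a benign process launch and produces no alert, which is the false-positive check to keep when tuning these rules against real Sysmon exports.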

How Twilight Cyber Stops Infostealers like TamperedChef

Even with strong defenses, infostealers often find a way to slip through. That’s where Twilight adds a critical extra layer of protection. 

Twilight Cyber specializes in Identity Threat Protection and rapid breach detection, which is a perfect fit for combating stealthy info-stealing campaigns.

Our platform continuously monitors dark web marketplaces, paste sites, and criminal forums for signs of stolen data. If an employee’s credentials or authentication cookies stolen by malware like TamperedChef show up for sale or are posted, Twilight’s systems will detect those leaked credentials in real time and immediately alert your security team. 

This means you can respond in hours, not months, by resetting passwords and securing accounts before attackers use the stolen logins to infiltrate your network.

Ready to see Twilight in action? Contact us today for a full demo, or enjoy a complimentary scan to check whether your credentials are already exposed.
