Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign

The Hacker News by The Hacker News
November 20, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Nov 20, 2025Ravie LakshmananMalvertising / Artificial Intelligence

Threat actors are leveraging bogus installers masquerading as popular software to trick users into installing malware as part of a global malvertising campaign dubbed TamperedChef.

The end goal of the attacks is to establish persistence and deliver JavaScript malware that facilitates remote access and control, per a new report from Acronis Threat Research Unit (TRU). The campaign, per the Singapore-headquartered company, is still ongoing, with new artifacts being detected and associated infrastructure remaining active.

“The operator(s) rely on social engineering by using everyday application names, malvertising, Search Engine Optimization (SEO), and abused digital certificates that aim to increase user trust and evade security detection,” researchers Darrel Virtusio and Jozsef Gegeny said.

DFIR Retainer Services

TamperedChef is the name assigned to a long-running campaign that has leveraged seemingly legitimate installers for various utilities to distribute an information stealer malware of the same name. It’s assessed to be part of a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation.

To lend these counterfeit apps a veneer of legitimacy, the attackers use code-signing certificates issued for shell companies registered in the U.S., Panama, and Malaysia to sign them, and acquire new ones under a different company name as older certificates are revoked.

Acronis described the infrastructure as “industrialized and business-like,” effectively allowing the operators to steadily churn out new certificates and exploit the inherent trust associated with signed applications to disguise the malicious software as legitimate.

It’s worth noting at this stage that the malware tracked as TamperedChef by Truesec and G DATA is also referred to as BaoLoader by Expel, and is different from the original TamperedChef malware that was embedded within a malicious recipe application distributed as part of the EvilAI campaign.

Acronis told The Hacker News that it’s using TamperedChef to refer to the malware family, since it has already been widely adopted by the cybersecurity community. “This helps avoid confusion and stay consistent with existing publications and detection names used by other vendors, which also refer to the malware family as TamperedChef,” it said.

A typical attack plays out as follows: Users who search for PDF editors or product manuals on search engines like Bing are served malicious ads or poisoned URLs, when clicked, take users to booby-trapped domains registered on NameCheap that deceive them into downloading the installers.

Once executing the installer, users are prompted to agree to the program’s licensing terms. It then launches a new browser tab to display a thank you message as soon as the installation is complete in order to keep up the ruse. However, in the background, an XML file is dropped to create a scheduled task that’s designed to launch an obfuscated JavaScript backdoor.

CIS Build Kits

The backdoor, in turn, connects to an external server and sends basic information, such as session ID, machine ID, and other metadata in the form of a JSON string that’s encrypted and Base64-encoded over HTTPS.

That being said, the end goals of the campaign remain nebulous. Some iterations have been found to facilitate advertising fraud, indicating their financial motives. It’s also possible that the threat actors are looking to monetize their access to other cybercriminals, or harvest sensitive data and sell it in underground forums to enable fraud.

Telemetry data shows that a significant concentration of infections has been identified in the U.S., and to a lesser extent in Israel, Spain, Germany, India, and Ireland. Healthcare, construction, and manufacturing are the most affected sectors.

“These industries appear especially vulnerable to this type of campaign, likely due to their reliance on highly specialized and technical equipment, which often prompts users to search online for product manuals – one of the behaviors exploited by the TamperedChef campaign,” the researchers noted.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Kyndryl Extends Partnership with Vodafone Idea Limited to Deliver Automated IT Operations and Delivery Transformation

Kyndryl Extends Partnership with Vodafone Idea Limited to Deliver Automated IT Operations and Delivery Transformation

Recommended.

NERDS ON SITE INC. REPORTS Q3 FY2026 RESULTS: RETURN TO PROFITABILITY AND CONTINUED REVENUE MOMENTUM

NERDS ON SITE INC. REPORTS Q3 FY2026 RESULTS: RETURN TO PROFITABILITY AND CONTINUED REVENUE MOMENTUM

April 29, 2026
On-prem AI resurgence reveals how leaders are defining their AI strategy

On-prem AI resurgence reveals how leaders are defining their AI strategy

August 25, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio