A malvertising campaign identified in September 2025 has brought a significant threat to Windows users worldwide. <\/p>\n
Attackers created fake PDF editing applications and promoted them through Google Ads to distribute a dangerous information-stealing malware called TamperedChef. <\/p>\n
The malware<\/a> targets users searching for appliance manuals and PDF editing tools online, exploiting common search behaviors to deliver silent infections across multiple industries and regions.<\/p>\n The campaign began officially on June 26, 2025, when threat actors registered multiple look-alike websites promoting a trojanized application named AppSuite<\/a> PDF Editor. <\/p>\n Users believed they were downloading legitimate software, but the installer actually contained hidden malicious code designed to steal sensitive browser data. <\/p>\n What makes this attack particularly deceptive is its timing\u2014the malware remained dormant for approximately 56 days, matching typical advertising campaign cycles. <\/p>\n This strategic delay allowed the malware to infect as many devices as possible before displaying harmful behavior.<\/p>\n Sophos analysts and researchers identified<\/a> the malware after discovering over 100 affected customer systems during their managed detection and response operations. <\/p>\n Their investigation revealed that victims primarily came from Germany, the United Kingdom, and France, though the campaign affected at least 19 countries globally. <\/p>\n The attackers targeted industries relying on specialized equipment, where employees frequently search for product manuals online\u2014a behavior the threat actors exploited systematically to spread their malicious installer.<\/p>\n The infection mechanism of TamperedChef demonstrates sophisticated multi-stage deployment tactics designed to evade detection. <\/p>\n Users begin by clicking malicious advertisements appearing in search results on platforms like Google and Bing. <\/p>\n These ads direct them to deceptive websites such as fullpdf.com and pdftraining.com, where they download the Appsuite-PDF.msi installer. <\/p>\n Once executed, this file drops a setup executable called PDFEditorSetup.exe along with an obfuscated<\/a> JavaScript file and an additional executable. <\/p>\n PDFEditorSetup.exe then silently establishes persistence by creating registry entries and Windows scheduled tasks, ensuring the malware survives system restarts. <\/p>\n Finally, the installer deploys PDF Editor.exe, the actual infostealer component, which awakened on August 21, 2025, to begin harvesting browser credentials, cookies, and autofill data. <\/p>\n The attackers further enhanced their operation by abusing legitimate code-signing certificates from Malaysian and US-registered entities, enabling their malicious files to bypass Windows SmartScreen<\/a> protections and appear trustworthy to unsuspecting users. <\/p>\n This layered infection process showcases how modern threat actors combine malvertising<\/a>, legitimate-looking software interfaces, and system-level evasion techniques to maximize infection success and minimize early detection.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Threat Actors Leverage Google Ads to Weaponize PDF Editor with TamperedChef<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Timeline](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi7jO9dfw5ObJyC4Nxp0fGiai3ViqtYZcDueRrFMYEd_pAPG5UvYk2ghs2PpogW41euZ1AMPc-lu2HFC3OmPak6biMsGqBLZ2WY2Yi5T3rluZN4e8ZuUrxcYHILEeYW2IRQYKhhng0VcniOAPNXawWL3MmtzPSW5Ezi0ud-WTDZzDJtn-QgwRQCxez4hKs\/s16000\/Timeline%2520of%2520the%2520TamperedChef%2520campaign%2520%28Source%2520-%2520Sophos%29.webp?ssl=1\")
The Silent Infection: How TamperedChef Operates<\/strong><\/h2>\n
![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgHR5jmuW0d_GbJcqeyeUsNR5CU-8MNnsQm7gJTtwUpabgO3iQiXXj0oXW75P4q1nwFDnqADPG2SYdI9dnsKu0JBfqs8ubg2HbzdVMLgO5fSONQBNA-Llt8mnRGv6jsXh9w-xDs6tfaBj2iVWl3TelLpPeAykD6tXvW4ZxeZAJ8-i21LgBLasWGfdBko_E\/s16000\/The%2520TamperedChef%2520attack%2520chain%2520%28Source%2520-%2520Sophos%29.webp?ssl=1\")