Malicious Appsuite PDF Editor Spreads TamperedChef Malware

Aug. 28, 2025, 1:50 p.m.

Description

A large cybercrime campaign has been observed involving multiple fraudulent websites promoted through Google advertising. The campaign aims to trick users into downloading and installing a trojanized PDF editor containing the TamperedChef information-stealing malware. The malware harvests sensitive data, including credentials and web cookies. The campaign began on June 26, 2025, with the PDF editor initially appearing harmless but later activating malicious capabilities. The threat actor used Google advertising to promote the PDF editor, with at least 5 different campaign IDs observed. The malware's activation occurred 56 days after the campaign's start, coinciding with a typical Google ad campaign duration. The threat actor has a history of distributing malicious code disguised as free utility tools, and this campaign has successfully affected several European organizations.

Date

  • Created: Aug. 28, 2025, 1:34 p.m.
  • Published: Aug. 28, 2025, 1:34 p.m.
  • Modified: Aug. 28, 2025, 1:50 p.m.

Indicators

Attack Patterns