Potentially Unwanted Applications (PUAs) weaponized for covert delivery
Sept. 29, 2025, 9:01 a.m.
Description
A malware distribution campaign leveraging digitally signed binaries, deceptive packaging, and browser hijackers has been uncovered. The campaign centers on two malicious applications, ImageLooker.exe and Calendaromatic.exe, delivered via self-extracting 7-Zip archives. These artifacts align with the TamperedChef malware campaign, which uses trojanized productivity tools for initial access and data exfiltration. The malware employs the NeutralinoJS framework, Unicode homoglyphs, and multiple digital signers to bypass detection. The campaign exploits user behavior through SEO poisoning and malvertising, masquerading as legitimate software. This approach highlights the evolving tactics of threat actors in weaponizing PUAs and abusing digital code signing to evade security controls.
Date
- Created: Sept. 29, 2025, 8:02 a.m.
- Published: Sept. 29, 2025, 8:02 a.m.
- Modified: Sept. 29, 2025, 9:01 a.m.
Indicators