Sophos: What is the TamperedChef Malvertising Campaign?

Sushmita Shetty, Threat Analyst at Sophos
Sophos details how an infostealer – dubbed TamperedChef – found its way into systems via a trojanised PDF editing application called AppSuite PDF Editor

Ever heard of EvilAI? It is not a sci-fi movie but a prominent malware campaign that finds its way onto user systems camouflaged as AI productivity tools and software.

The campaign is global in scope and uses AI-written code to deploy infostealers that mimic legitimate software and evade detection.

Trojanised applications attributed to the EvilAI campaign include: App Suite, Epi Browser, JustAskJacky, Manual Finder, One Start, PDF Editor, Recipe Lister and TamperedChef.

Sophos: TamperedChef Infostealer Campaign 

The infostealer – dubbed TamperedChef – found its way into systems via a trojanised PDF editing application called AppSuite PDF Editor, distributed globally through Google Ads and SEO poisoning.

Malicious Google Ad used in the TamperedChef infostealer campaign | Credit: Sophos

It targeted Windows devices and combined several tactics: delayed activation, decoy software, staged payload delivery, abuse of code-signing certificates and attempts to evade endpoint protection.

Research from the Managed Detection and Response (MDR) teams at Sophos identified more than 300 impacted hosts in at least 100 customer environments across 19 countries.

Early indicators suggest the threat actors have been active since 2024, and some researchers believe the campaign may still be ongoing.

Sophisticated malvertising attack chain of TamperedChef

Sophos says the TamperedChef campaign began in June 2025 with the registration of multiple look-alike PDF utility websites. Users searching for instruction manuals for certain appliances were shown sponsored results that ultimately led to a legitimate library of manuals, manualslib[.]com.

Before reaching that legitimate page, however, users passed through an ad redirect offering to install a PDF tool, AppSuite PDF, from the domain fullpdf[.]com.

The malicious ad enticed users to download PDFEditorSetup.exe, which establishes persistence through registry modifications before installing the PDF Editor.exe infostealer. To stay hidden, the malware runs commands to enumerate the security software present on the system.

Attack chain of TamperedChef | Credit: Sophos

Sophos found that PDF Editor.exe then moves on to credential theft: it terminates browser processes (releasing their locks on the credential databases) and uses the Windows Data Protection API (DPAPI) to decrypt and extract stored browser credentials, cookies and autofill data.

It then connects to a command-and-control (C2) server to exfiltrate the data and retrieves a secondary payload, ManualFinderApp.exe, a trojanised application signed with abused code-signing certificates.
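A behavioural hunt for the chain just described, added here as an example that is not Sophos code and not part of the original article: it correlates process, registry, file and network events per host into the stages the article lists (installer run, registry persistence, stealer start, browser termination, credential-store access, outbound connection, second-stage drop) and scores each host by how many stages it shows. The event schema and the sample telemetry are constructed for illustration; the artefact names come from the article, while the autostart Run key is an assumption, since the page says only "registry modifications".

```python
"""Behavioural hunt for the TamperedChef chain over constructed EDR-style events.

Added example, not Sophos code.  The event schema, sample telemetry and the
autostart Run-key location are assumptions made for illustration.
"""
import ntpath
from collections import defaultdict

# Artefact names taken from the article.  Matching is case-insensitive on the
# file name only, because install paths are not given on the page.
INSTALLER = "pdfeditorsetup.exe"
STEALER = "pdf editor.exe"
SECOND_STAGE = "manualfinderapp.exe"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Assumption: the "registry modifications" Sophos mentions are autostart entries.
AUTORUN_MARKER = r"\currentversion\run"
# Chromium keeps saved logins, cookies and autofill in these DPAPI-protected SQLite files.
BROWSER_STORES = ("login data", "cookies", "web data")


def base(path):
    """Lower-cased file name of a Windows path ('C:\\x\\PDF Editor.exe' -> 'pdf editor.exe')."""
    return ntpath.basename(path or "").lower()


def hunt(events):
    """Return {host: set(stage names)} for every host showing part of the chain.

    Each event carries 'image' (the acting process) and, where relevant,
    'target' (the object acted on) or 'key'/'value' for registry writes.
    """
    stages = defaultdict(set)
    for e in events:
        host, kind, img = e["host"], e["type"], base(e.get("image"))
        if kind == "process_create" and img == INSTALLER:
            stages[host].add("installer_run")
        elif (kind == "registry_set" and AUTORUN_MARKER in e["key"].lower()
              and (img == INSTALLER or base(e.get("value")) == STEALER)):
            stages[host].add("autorun_persistence")
        elif kind == "process_create" and img == STEALER:
            stages[host].add("stealer_started")
        elif kind == "process_terminate" and img == STEALER and base(e.get("target")) in BROWSERS:
            stages[host].add("browser_killed")
        elif kind == "file_read" and img == STEALER and base(e.get("target")) in BROWSER_STORES:
            stages[host].add("credential_store_read")
        elif kind == "network_connect" and img == STEALER:
            stages[host].add("outbound_from_stealer")
        elif kind == "file_create" and img == STEALER and base(e.get("target")) == SECOND_STAGE:
            stages[host].add("second_stage_dropped")
    return dict(stages)


def verdict(host_stages):
    """Four or more stages on one host is the full chain; two or three merit triage."""
    n = len(host_stages)
    return "chain_confirmed" if n >= 4 else "triage" if n >= 2 else "noise"


# Constructed sample telemetry (invented for this example, not real Sophos data).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process_create", "image": r"C:\Users\ann\Downloads\PDFEditorSetup.exe"},
    {"host": "WS01", "type": "registry_set", "image": r"C:\Users\ann\Downloads\PDFEditorSetup.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PDFEditor",
     "value": r"C:\Program Files\PDF Editor\PDF Editor.exe"},
    {"host": "WS01", "type": "process_create", "image": r"C:\Program Files\PDF Editor\PDF Editor.exe"},
    {"host": "WS01", "type": "process_terminate", "image": r"C:\Program Files\PDF Editor\PDF Editor.exe",
     "target": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "WS01", "type": "file_read", "image": r"C:\Program Files\PDF Editor\PDF Editor.exe",
     "target": r"C:\Users\ann\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS01", "type": "network_connect", "image": r"C:\Program Files\PDF Editor\PDF Editor.exe",
     "target": "203.0.113.10:443"},
    {"host": "WS01", "type": "file_create", "image": r"C:\Program Files\PDF Editor\PDF Editor.exe",
     "target": r"C:\Users\ann\AppData\Local\Temp\ManualFinderApp.exe"},
    # A benign host: a real PDF reader starting and an unrelated Run-key write.
    {"host": "WS02", "type": "process_create", "image": r"C:\Program Files\Adobe\Acrobat.exe"},
    {"host": "WS02", "type": "registry_set", "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for host, found in hunt(SAMPLE_EVENTS).items():
        print(host, verdict(found), sorted(found))
```

Scoring by the number of chain stages rather than by a single file hash is the point: a renamed installer still trips the rule once the same process writes an autostart entry, kills a browser and reads its credential store, and an unrelated Run-key write on a clean host (WS02) produces no finding at all.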

Sushmita Shetty, Threat Analyst at Sophos, explains: “What stands out with TamperedChef is how ordinary it all looks on the surface.

“People were searching for PDFs or manuals they trusted or being shown ads that looked completely legitimate – not clicking on links that were obviously dodgy. That sense of familiarity is what makes these attacks so effective and so dangerous. 

“The long delay before the malware did anything harmful is also telling. It’s the perfect example of just how calculated these operations have become and also how easily attackers can sidestep traditional security assumptions.

“In this case, organisations should assume that any credentials stored in browsers on affected systems are now compromised. Security teams should take quick steps to educate teams on safe software acquisition, implement strict application controls and harden credential management to reduce the risk of credential theft or unauthorised access.”


Security recommendations

Sophos advises that any device on which AppSuite PDF Editor was installed should be treated as compromised, meaning all credentials stored in its browsers should be considered stolen.

The firm offers the following recommendations: 

  • Avoid installing any software from installation links or pop-ups in online ads, regardless of whether they appear to come from familiar or well-known brands.
  • Only obtain software from official vendor sites.
  • In enterprise settings, restrict installations to approved software only.
