A sophisticated global hacking campaign, identified as TamperedChef, is actively distributing malware by disguising malicious applications as legitimate software, including manual readers, PDF editors, and games. This operation leverages fake installers with valid code-signing certificates to bypass security measures and earn user trust, according to recent findings from Acronis security researchers. The primary objective of TamperedChef is to deliver payloads that grant attackers remote access to compromised systems.
The TamperedChef campaign has been operational since at least June 2025, with evidence suggesting earlier activity. While the majority of infections, approximately 80 percent, are concentrated in the United States, the campaign’s global infrastructure points towards a broad, rather than regionally specific, threat. Key industries targeted include healthcare, construction, and manufacturing, likely because users in these sectors frequently search for specialized equipment manuals, the lure the campaign relies on.
TamperedChef: A Malicious Operation Leveraging Trusted Software
The core of the TamperedChef hacking campaign lies in its deceptive distribution methods. Attackers employ malvertising and search engine optimization (SEO) techniques to make their malicious websites highly visible in search engine results. Users searching for everyday tools or product information are thus enticed to download fake installers that appear legitimate. The use of valid code-signing certificates is a critical element, allowing these malicious applications to pass initial security checks and appear trustworthy to end-users. Acronis security researchers identified this campaign in June 2025.
Behind TamperedChef is an industrially scaled operation that has established a network of U.S.-registered shell companies. These entities are used to acquire Extended Validation (EV) certificates, a higher level of assurance for digital certificates. By obtaining these trusted certificates, the threat actors can sign their malicious applications, further enhancing their perceived legitimacy. This tactic is crucial for deceiving both users and security software.
The disposable nature of these shell companies allows the attackers to maintain operational continuity. Once a certificate is flagged or revoked by a certificate authority, the operators quickly register new shell companies. These new entities are often given generic names, such as “Digital Marketing,” enabling them to acquire new certificates and continue signing their fake applications without significant operational downtime. This agile approach makes it challenging for cybersecurity firms to fully dismantle their infrastructure.
Infection Chain and Persistence Mechanism
The TamperedChef infection chain begins when unsuspecting users download fake applications from malicious websites that are promoted through search results or advertisements. Once a user executes the downloaded installer, it presents a standard license agreement window, mimicking the installation process of legitimate software. This design choice is intended to further lull the victim into a false sense of security.
During the installation process, the malware drops a configuration file named “task.xml.” This file can be found either within the installer’s temporary directory or in the program’s installation directory, typically located at %APPDATA%\Programs\[Fake Application Name]. This XML file is what establishes the malware’s persistence mechanism.
The “task.xml” file defines a scheduled task on the victim’s system, which the installer registers with the Windows Task Scheduler command: schtasks /Create /tn "Scheduled Daily Task" /xml "%APPDATA%\Local\Programs\AnyProductManual\task.xml". The scheduled task is designed to execute immediately upon creation and then repeat every 24 hours, with a random delay of up to 30 minutes. This scheduling strategy spreads the execution times, making the activity harder to spot in telemetry, and ensures that the malicious payload runs consistently.
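The persistence step above is the most detectable part of the chain: a scheduled task registered from an XML file staged under a user profile, firing on registration and repeating every 24 hours with a random delay. The following is an added detection example (not code from the article or from Acronis) in Python. It flags schtasks /Create /xml invocations in constructed, Sysmon-style process-creation records, and inspects a constructed task.xml for the trigger pattern the article describes. The field names, sample paths, the “installer running from Temp” heuristic, and the assumption that the task action is a script host such as wscript.exe launching a .js file are all assumptions made for the example, not details taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by every imported task definition.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed process-creation records (simplified Sysmon Event ID 1 fields).
# The first mirrors the registration command quoted in the article; the other
# two are benign noise used to check the rule for false positives.
SAMPLE_PROCESS_LOG = [
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /Create /tn "Scheduled Daily Task" /xml "C:\Users\alice\AppData\Local\Programs\AnyProductManual\task.xml"',
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\AnyProductManual-setup.exe",
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /Create /tn "Backup" /xml "C:\ProgramData\Corp\backup.xml"',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe readme.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Constructed task definition matching the behaviour described in the article:
# run on registration (immediately), repeat every 24h, random delay up to 30 min.
# The Exec action (wscript.exe running a .js under AppData) is an assumption.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <RegistrationTrigger>
      <Repetition><Interval>PT24H</Interval></Repetition>
      <RandomDelay>PT30M</RandomDelay>
    </RegistrationTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\Users\alice\AppData\Local\Programs\AnyProductManual\app.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""


def suspicious_schtasks(record):
    """Return a list of reasons if a process record looks like XML-based task
    registration from a user profile; None if it is not schtasks /Create or
    nothing about it is suspicious."""
    cmd = record["CommandLine"]
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    m = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return None
    xml_path = m.group(1) or m.group(2)
    reasons = []
    if re.search(r"\\AppData\\", xml_path, re.IGNORECASE):
        reasons.append("task XML staged under the user's AppData profile")
    if xml_path.lower().endswith("\\task.xml"):
        reasons.append("task XML named task.xml, as in the TamperedChef installers")
    # Assumed heuristic: installers dropping tasks usually run from Temp.
    if re.search(r"\\AppData\\Local\\Temp\\", record.get("ParentImage", ""), re.IGNORECASE):
        reasons.append("registered by a process running from the Temp directory")
    return reasons or None


def analyse_task_xml(xml_text):
    """Pull out the trigger and action details an analyst would check."""
    root = ET.fromstring(xml_text)
    trig = root.find(f"{TASK_NS}Triggers/{TASK_NS}RegistrationTrigger")
    exec_node = root.find(f"{TASK_NS}Actions/{TASK_NS}Exec")
    command = exec_node.findtext(f"{TASK_NS}Command") or "" if exec_node is not None else ""
    args = exec_node.findtext(f"{TASK_NS}Arguments") or "" if exec_node is not None else ""
    findings = {
        "runs_on_registration": trig is not None,
        "repeat_interval": trig.findtext(f"{TASK_NS}Repetition/{TASK_NS}Interval") if trig is not None else None,
        "random_delay": trig.findtext(f"{TASK_NS}RandomDelay") if trig is not None else None,
        "script_host": command.lower().rsplit("\\", 1)[-1] in {"wscript.exe", "cscript.exe", "mshta.exe"},
        "script_in_appdata": bool(re.search(r"\\AppData\\.*\.js\b", args, re.IGNORECASE)),
    }
    findings["matches_tamperedchef_pattern"] = (
        findings["runs_on_registration"]
        and findings["repeat_interval"] == "PT24H"
        and findings["script_host"]
        and findings["script_in_appdata"]
    )
    return findings


if __name__ == "__main__":
    for rec in SAMPLE_PROCESS_LOG:
        print(rec["CommandLine"][:60], "->", suspicious_schtasks(rec))
    print(analyse_task_xml(SAMPLE_TASK_XML))
```

In production the same two checks map onto a process-creation rule (schtasks.exe with /Create and /xml pointing into a user profile) and a periodic sweep of registered tasks via Export-ScheduledTask or the Task Scheduler event log, parsing the XML exactly as above.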
The scheduled task launches a heavily obfuscated JavaScript payload. This payload is designed to evade detection by employing advanced obfuscation techniques, often sourced from tools like obfuscator.io. These techniques include string and function renaming, control flow flattening (making the code harder to follow), and dead code injection (adding irrelevant code to confuse analysis). The primary function of this JavaScript backdoor is to establish communication with command-and-control (C2) servers.
Communication with the C2 servers is established over HTTPS, which helps to blend the malicious traffic with legitimate network activity. Before transmission, the malware encrypts data using XOR encryption with a random 16-byte key and then encodes it using base64. The payload also includes capabilities for remote code execution, allowing the attackers to issue commands to compromised systems, effectively giving them direct control.
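XOR with a repeating 16-byte key followed by base64 is obfuscation rather than encryption, and that matters for analysts decoding captured beacons. The block below is an added Python example, not code from the article or from the malware: it mirrors the described scheme on a constructed beacon with a fixed key (the real payload uses a random key, which the analyst is assumed to have recovered from the deobfuscated script or the traffic), decodes it, shows that aligned repeated plaintext blocks yield repeated ciphertext blocks, and recovers the key from 16 bytes of known plaintext. The beacon content and the key are constructed values.

```python
import base64
import os

KEY_LEN = 16  # key size stated in the article


def random_key():
    """What the malware is described as doing: a fresh random 16-byte key."""
    return os.urandom(KEY_LEN)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same position modulo the key length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(plaintext: bytes, key: bytes) -> str:
    """Reproduce the described scheme (XOR, then base64) to build test input."""
    return base64.b64encode(xor_with_key(plaintext, key)).decode("ascii")


def decode_beacon(encoded: str, key: bytes) -> bytes:
    """Analyst side: base64-decode, then XOR with the recovered key."""
    return xor_with_key(base64.b64decode(encoded), key)


def repeated_ciphertext_blocks(encoded: str, block: int = KEY_LEN):
    """Identical plaintext blocks aligned to the key length produce identical
    ciphertext blocks. Returns (first_offset, duplicate_offset) pairs, a signal
    of repeating-key XOR that needs no knowledge of the key."""
    raw = base64.b64decode(encoded)
    seen, dupes = {}, []
    for off in range(0, len(raw) - block + 1, block):
        chunk = raw[off:off + block]
        if chunk in seen:
            dupes.append((seen[chunk], off))
        else:
            seen[chunk] = off
    return dupes


def recover_key_from_known_prefix(encoded: str, known_prefix: bytes) -> bytes:
    """With 16 bytes of known plaintext (e.g. a fixed JSON header seen in the
    script), the whole key falls out: key = ciphertext XOR plaintext."""
    raw = base64.b64decode(encoded)
    return bytes(c ^ p for c, p in zip(raw[:KEY_LEN], known_prefix[:KEY_LEN]))


# Constructed sample: fixed key for reproducibility, plaintext with a long run
# of identical bytes so aligned duplicate blocks appear.
SAMPLE_KEY = bytes(range(0x10, 0x10 + KEY_LEN))
SAMPLE_PLAINTEXT = b'{"id":"constructed-beacon-0001","pad":"' + b"X" * 64 + b'"}'
SAMPLE_BEACON = encode_beacon(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("beacon:", SAMPLE_BEACON)
    print("decoded:", decode_beacon(SAMPLE_BEACON, SAMPLE_KEY))
    print("duplicate blocks:", repeated_ciphertext_blocks(SAMPLE_BEACON))
    print("recovered key:", recover_key_from_known_prefix(SAMPLE_BEACON, SAMPLE_PLAINTEXT[:16]).hex())
```

The duplicate-block check is the useful generalization: it works on any repeating-key XOR traffic, so it can be run over base64 bodies in HTTPS-inspected or sandbox captures to separate this kind of obfuscation from real encryption before any key is known.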
The campaign’s infrastructure relies on domain registrations through NameCheap, with domains often registered for one-year periods and protected by domain privacy services to obscure ownership. This allows the operators to rebuild their infrastructure rapidly in the event of takedowns. Recent observations indicate that the TamperedChef operation continues to expand, with new shell-company signers such as Stratus Core Digital LLC, DataX Engine LLC, and Nova Sphere Systems LLC emerging, all following the same attack pattern.
The ongoing activity of TamperedChef highlights the persistent threat posed by sophisticated threat actors who skillfully leverage social engineering and legitimate-looking software to infiltrate systems. Users must exercise extreme caution when downloading software from the internet, especially if found via untrusted search results or advertisements. Verifying software sources and scrutinizing digital certificates are critical defenses against such widespread campaigns.