A sophisticated malvertising campaign is targeting Windows users worldwide, leveraging Google Ads to distribute a dangerous information-stealing malware known as TamperedChef. The campaign, which began in June 2025 and was identified around September 2025, exploits users searching for PDF editing tools and appliance manuals, leading to silent infections across various industries and regions.
Threat actors have meticulously crafted fake PDF editing applications, promoting them through seemingly legitimate Google Ads. These advertisements redirect unsuspecting users to deceptive websites where they download trojanized software. The malware’s strategic design includes a dormant period, allowing it to evade immediate detection and spread widely before activating its malicious payload.
The Silent Infection: How TamperedChef Exploits Google Ads for Malicious Distribution
The TamperedChef campaign officially commenced on June 26, 2025, with the registration of numerous look-alike websites designed to mimic legitimate software providers. These sites actively promoted a trojanized application named AppSuite PDF Editor. Users, believing they were acquiring a legitimate PDF editing tool, were instead installing malware. This malicious software was engineered to stealthily steal sensitive browser data, including credentials, cookies, and autofill information.
A key element of this attack’s deceptive nature is its delayed activation. According to Sophos researchers who identified the campaign, the malware remained dormant for approximately 56 days. This extended period aligns with typical advertising campaign timelines, allowing the threat actors to maximize their reach before the harmful components of TamperedChef became active. This strategic planning highlights the evolving tactics of cybercriminals in circumventing security measures.
Sophos analysts detected over 100 affected customer systems during their managed detection and response operations, confirming the widespread impact of the campaign. The primary victims were located in Germany, the United Kingdom, and France, though the campaign’s reach extended to at least 19 countries globally. The attackers specifically targeted industries that frequently rely on specialized equipment, where employees are more likely to search for product manuals online—a behavior that was systematically exploited to distribute the malicious installer.
The Multi-Stage Infection Chain of TamperedChef
The operational methodology of TamperedChef involves a sophisticated, multi-stage deployment process designed to bypass security defenses. The initial entry point is through malicious advertisements appearing in search engine results, notably on platforms like Google and Bing. These ads lead users to counterfeit websites, such as fullpdf.com and pdftraining.com, where they are prompted to download the Appsuite-PDF.msi installer.
Upon execution, the installer drops a setup executable, PDFEditorSetup.exe, alongside an obfuscated JavaScript file and another executable. This PDFEditorSetup.exe then establishes persistence by creating registry entries and Windows scheduled tasks, ensuring the malware remains active even after system reboots. The final stage involves the deployment of PDF Editor.exe, the core information-stealing component.
This infostealer component reportedly became active on August 21, 2025, commencing its data exfiltration. The threat actors further enhanced their evasion capabilities by signing their binaries with legitimate code-signing certificates issued to Malaysian- and US-registered entities. Because the files carried valid signatures, they bypassed Windows SmartScreen warnings, presenting a veneer of legitimacy to unsuspecting users and significantly increasing the likelihood of successful infection. This layered approach, combining malvertising, deceptive software fronts, and signed payloads, underscores the increasing sophistication of modern cyber threats.
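The infection chain above gives a defender a small set of concrete artifacts to hunt for: the lure domains (fullpdf.com, pdftraining.com), the installer (Appsuite-PDF.msi), the dropped setup binary (PDFEditorSetup.exe), the final payload (PDF Editor.exe), and persistence created through scheduled tasks and registry entries. The script below is an added example, not code from the article or from Sophos. It runs a hunt over endpoint telemetry for those indicators and correlates them per host to show which machines reached the persistence stage. The pipe-delimited log format, the event type names (DnsQuery, FileCreate, ProcessCreate, TaskCreate, RegistrySet), the hostnames, the scheduled task name and the Run registry key are all constructed assumptions; the article does not name the task or key the malware used.

```python
"""Hunt constructed endpoint telemetry for the TamperedChef artifacts named in the article."""
import re
from dataclasses import dataclass
from typing import Iterable

# Indicators taken from the article. Matching is case-insensitive because Windows paths are.
MALICIOUS_DOMAINS = {"fullpdf.com", "pdftraining.com"}
MALICIOUS_FILES = {"appsuite-pdf.msi", "pdfeditorsetup.exe", "pdf editor.exe"}

# ASSUMPTION: the article says persistence used scheduled tasks and registry entries
# but names neither; these event kinds are what the constructed telemetry uses.
PERSISTENCE_EVENTS = {"TaskCreate", "RegistrySet"}


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    kind: str
    fields: dict


@dataclass(frozen=True)
class Finding:
    host: str
    ts: str
    stage: str   # "lure", "dropper" or "persistence"
    reason: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|host|kind|k=v|k=v' telemetry line."""
    ts, host, kind, *rest = line.rstrip("\n").split("|")
    fields = dict(part.split("=", 1) for part in rest if "=" in part)
    return Event(ts, host, kind, fields)


def basename(path: str) -> str:
    """Final component of a quoted or unquoted Windows/POSIX path, lowercased."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def references_malicious_file(text: str) -> bool:
    """True if any indicator file name appears in a command line or task action."""
    low = text.lower()
    return any(name in low for name in MALICIOUS_FILES)


def domain_matches(query: str) -> bool:
    """Exact or subdomain match against the lure domains (trailing dot tolerated)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in MALICIOUS_DOMAINS)


def hunt(lines: Iterable[str]) -> list:
    """Return one Finding per telemetry line that matches an article indicator."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.kind == "DnsQuery" and domain_matches(ev.fields.get("query", "")):
            findings.append(Finding(ev.host, ev.ts, "lure",
                                    f"lookup of lure domain {ev.fields['query']}"))
        elif ev.kind in {"ProcessCreate", "FileCreate"}:
            path = ev.fields.get("image") or ev.fields.get("path", "")
            cmdline = ev.fields.get("cmdline", "")
            if basename(path) in MALICIOUS_FILES or references_malicious_file(cmdline):
                findings.append(Finding(ev.host, ev.ts, "dropper",
                                        f"{ev.kind} involving {basename(path)} {cmdline}".strip()))
        elif ev.kind in PERSISTENCE_EVENTS:
            target = ev.fields.get("action", "") + " " + ev.fields.get("value", "")
            if references_malicious_file(target):
                where = ev.fields.get("name") or ev.fields.get("key", "")
                findings.append(Finding(ev.host, ev.ts, "persistence",
                                        f"{ev.kind} {where} points at payload"))
    return findings


def hosts_with_full_chain(findings) -> set:
    """Hosts where a dropper artifact AND a persistence artifact were both seen."""
    stages = {}
    for f in findings:
        stages.setdefault(f.host, set()).add(f.stage)
    return {h for h, s in stages.items() if {"dropper", "persistence"} <= s}


# Constructed sample telemetry: one infected host, one clean host, one that only
# resolved a lure subdomain. Paths, hostnames and task/key names are invented.
SAMPLE_TELEMETRY = [
    "2025-08-20T09:12:03Z|ws-berlin-07|DnsQuery|query=fullpdf.com",
    "2025-08-20T09:12:41Z|ws-berlin-07|FileCreate|path=C:\\Users\\jdoe\\Downloads\\Appsuite-PDF.msi",
    "2025-08-20T09:13:05Z|ws-berlin-07|ProcessCreate|image=C:\\Windows\\System32\\msiexec.exe|cmdline=msiexec /i Appsuite-PDF.msi",
    "2025-08-20T09:13:09Z|ws-berlin-07|ProcessCreate|image=C:\\Program Files\\PDF Editor\\PDFEditorSetup.exe|parent=msiexec.exe",
    "2025-08-20T09:13:12Z|ws-berlin-07|TaskCreate|name=PDFEditorUpdater|action=\"C:\\Program Files\\PDF Editor\\PDF Editor.exe\" --background",
    "2025-08-20T09:13:13Z|ws-berlin-07|RegistrySet|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|value=C:\\Program Files\\PDF Editor\\PDF Editor.exe",
    "2025-08-20T10:02:00Z|ws-london-03|DnsQuery|query=update.adobe.example",
    "2025-08-20T10:02:30Z|ws-london-03|ProcessCreate|image=C:\\Program Files\\Adobe\\Acrobat.exe",
    "2025-08-20T11:45:00Z|ws-paris-11|DnsQuery|query=cdn.pdftraining.com",
]

if __name__ == "__main__":
    results = hunt(SAMPLE_TELEMETRY)
    for f in results:
        print(f"{f.ts} {f.host:<14} {f.stage:<11} {f.reason}")
    print("hosts with dropper + persistence:", sorted(hosts_with_full_chain(results)))
```

Matching on file names and domains is deliberately narrow: it catches this campaign's known artifacts but nothing a renamed rebuild would use. The per-host stage correlation is the part worth keeping, since any signed "PDF editor" that installs a scheduled task or Run key pointing back at itself within seconds of an MSI download is worth a look regardless of its name.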
The ongoing nature of such malvertising campaigns suggests that users should exercise extreme caution when downloading software, particularly when initiated through search engine advertisements. Cybersecurity agencies and software providers are continuously working to identify and neutralize these threats, but user vigilance remains a crucial defense layer against evolving malware like TamperedChef.