Unit 42 researchers document three distinct TamperedChef malware clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110) that trojanize productivity apps like PDF editors and calendar tools to deliver stealthy payloads. Over 4,000 samples across 100+ variants were tracked using code-signing certificate reuse, code overlap analysis, ad transparency platforms, and OSINT on corporate structures. The malware remains dormant for weeks to months before activating, then deploys infostealers, browser hijackers, RATs, or proxy tools. CL-UNK-1090 shows vertical integration between an Israeli advertising agency (FireArc/Candy Tech Ltd) and malware creation. The campaigns distribute via malvertisements and SEO manipulation, with evidence suggesting AI-assisted development and website generation. Detection methods, IOCs including 80+ code-signing entities, and remediation guidance are provided.

30 min read. From unit42.paloaltonetworks.com
Table of contents

- Executive Summary
- The Rise of Malicious Productivity Applications
- A Historical Review of TamperedChef (Aka EvilAI)
- Victimology
- Tracking TamperedChef-Style Samples
- Malvertising as a Service: How Did the Threat Scale?
- Technical Analysis of TamperedChef Malware Samples
- Distilling the Motivations
- Detection, Prevention and Response to Future Threats
- Conclusion
- Indicators of Compromise
- Additional Resources
