TamperedChef serves bad ads, with infostealers as the main course

By Gabriel, January 29, 2026

Sophos X-Ops explores a malvertising campaign that leverages Google Ads to distribute an infostealer

Sophos, a global leader in innovative security solutions for defeating cyberattacks, recently identified a malvertising campaign distributing an infostealer dubbed TamperedChef, believed to be part of a wider campaign known as EvilAI.

Previous coverage of this campaign suggests it began on June 26, 2025, with many of the associated websites being registered or first identified on that date. The sites were promoting a trojanized PDF editing application called AppSuite PDF Editor via Google Ads. This application appeared legitimate to users, but silently deployed an infostealer upon installation, targeting Windows devices.

Through telemetry analysis and threat hunting, Sophos MDR confirmed that over 100 customer systems were affected before our detection and response efforts began. 

According to Sophos telemetry, the largest shares of victims affected by this campaign are in Germany (~15%), the United Kingdom (~14%), and France (~9%). Although the data highlights a significant concentration in Germany and the UK, this likely reflects the campaign’s widespread global reach rather than any deliberate targeting of specific regions; we identified 19 affected countries in total.

Victims of this campaign span a variety of industries, particularly those where operations rely heavily on specialized technical equipment – possibly because users in those industries frequently search online for product manuals, a behavior that the TamperedChef campaign exploits to distribute malicious software.

Further investigation revealed that this large, multi-layered distribution network featured multiple advanced tactics, including a delayed activation/dormancy period, decoy software, staged payload delivery, abuse of code-signing certificates, and efforts to evade endpoint protection mechanisms.

According to other researchers, the campaign appears to still be active, with new components still being uncovered and supporting infrastructure continuing to operate (although the domains we observed in our investigations now seem to be inactive).

Conclusions and recommendations

The threat actors behind the TamperedChef campaign crafted convincing malicious applications, leveraged targeted advertising to achieve large-scale distribution, and secured code-signing certificates. The consequences are severe; users who have installed AppSuite PDF Editor should consider any credentials stored in their browsers to be compromised.

Threat actors are well aware that malvertising can be a fruitful and effective infection vector. It’s very possible that the adversaries behind TamperedChef, and others, will cook from a similar recipe in the future.

Proactive recommended actions

  • Avoid installing software from ads: Avoid clicking installation links or pop-ups in online ads — even if they appear to come from familiar or well-known brands. Instead, obtain software only from official vendor sites.
  • Implement strict application controls: In corporate settings, restrict installations to approved software only where appropriate.
  • Harden credential management: Disable browser-based password storage where possible and enforce the use of secure, organization-approved password managers; require MFA or passkeys for all accounts to reduce the risk of credential theft and unauthorized access.
  • Educate end users on safe software acquisition: Conduct awareness training focused on recognizing malvertising, deceptive download pages, and fraudulent installers — reinforcing that software should only be downloaded from official vendor websites or trusted app stores.
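As an added worked example that is not part of this article or the Sophos report, the following PowerShell applies the credential-hardening recommendation above on a Windows endpoint and then audits the result. It assumes the browsers' documented enterprise policy registry keys under HKLM (Chrome, Edge and Firefox all honour a `PasswordManagerEnabled` policy there); the function names are my own.

```powershell
# Added example: turn off the built-in browser password managers by policy,
# then report per-browser compliance. Run from an elevated PowerShell session.
# Registry paths are the vendors' documented machine-wide policy keys (assumption
# that they match your deployed browser versions; verify against vendor docs).

$BrowserPolicies = @{
    'Chrome'  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'Edge'    = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    'Firefox' = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
}

function Disable-BrowserPasswordStorage {
    foreach ($browser in $BrowserPolicies.Keys) {
        $path = $BrowserPolicies[$browser]
        if (-not (Test-Path $path)) {
            # Policy key is absent on a machine that has never been managed
            New-Item -Path $path -Force | Out-Null
        }
        # DWORD 0 = password manager disabled by policy; users can no longer
        # save new credentials in the browser (an infostealer's usual target).
        New-ItemProperty -Path $path -Name 'PasswordManagerEnabled' `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Get-BrowserPasswordStorageState {
    # One object per browser so the output can be exported or fed to a SIEM
    foreach ($browser in $BrowserPolicies.Keys) {
        $path  = $BrowserPolicies[$browser]
        $value = (Get-ItemProperty -Path $path -Name 'PasswordManagerEnabled' `
                  -ErrorAction SilentlyContinue).PasswordManagerEnabled
        [pscustomobject]@{
            Browser   = $browser
            Policy    = if ($null -eq $value) { 'not set (browser default: enabled)' } else { $value }
            Compliant = ($value -eq 0)
        }
    }
}

Disable-BrowserPasswordStorage
Get-BrowserPasswordStorageState | Format-Table -AutoSize
```

The policy stops new credentials from being saved but does not purge what a browser already holds, so on a host that ran AppSuite PDF Editor the post-incident credential reset below still applies.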

Post-incident recommended actions

  • Conduct comprehensive endpoint scans using updated threat intelligence to detect known indicators of compromise
  • Reimage compromised endpoints and enforce immediate credential resets to eliminate persistence risks
  • Verify and enforce Multi-Factor Authentication (MFA) for all impacted users and systems not previously protected
  • Strengthen behavioural monitoring and detection capabilities to identify malicious activity and potential follow-on payloads
  • Restrict installation of unverified or unauthorized software using application control and publisher validation policies

Learn more about TamperedChef from the Sophos website
