Sophos X-Ops explores a malvertising campaign that leverages Google Ads to distribute an infostealer
Sophos, a global leader in innovative security solutions for defeating cyberattacks, recently identified a malvertising campaign distributing an infostealer dubbed TamperedChef – believed to be part of a wider campaign known as EvilAI.
Previous coverage of this campaign suggests it began on June 26, 2025, with many of the associated websites being registered or first identified on that date. The sites were promoting a trojanized PDF editing application called AppSuite PDF Editor via Google Ads. This application appeared legitimate to users, but silently deployed an infostealer upon installation, targeting Windows devices.
Through telemetry analysis and threat hunting, Sophos MDR confirmed that over 100 customer systems were affected before our detection and response efforts began.
According to Sophos telemetry, the majority of victims affected by this campaign are in Germany (~15%), the United Kingdom (~14%), and France (~9%). Although the data highlights a significant concentration in Germany and the UK, it likely reflects the campaign’s widespread global reach, rather than any deliberate targeting of specific regions; we identified 19 countries affected in total.
Victims of this campaign span a variety of industries, particularly those where operations rely heavily on specialized technical equipment – possibly because users in those industries frequently search online for product manuals, a behavior that the TamperedChef campaign exploits to distribute malicious software.
Further investigation revealed that this large, multi-layered distribution network used several advanced tactics: a delayed activation (dormancy) period, decoy software, staged payload delivery, abuse of code-signing certificates, and efforts to evade endpoint protection mechanisms.
According to other researchers, the campaign appears to still be active, with new components still being uncovered and supporting infrastructure continuing to operate (although the domains we observed in our investigations now seem to be inactive).
Conclusions and recommendations
The threat actors behind the TamperedChef campaign crafted convincing malicious applications, leveraged targeted advertising to achieve large-scale distribution, and secured code-signing certificates. The consequences are severe; users who have installed AppSuite PDF Editor should consider any credentials stored in their browsers to be compromised.
Threat actors are well aware that malvertising can be a fruitful and effective infection vector. It’s very possible that the adversaries behind TamperedChef, and others, will cook from a similar recipe in the future.
Proactive recommended actions
- Avoid installing software from ads: Avoid clicking installation links or pop-ups in online ads — even if they appear to come from familiar or well-known brands. Instead, obtain software only from official vendor sites.
- Implement strict application controls: In corporate settings, restrict installations to approved software only where appropriate.
- Harden credential management: Disable browser-based password storage where possible and enforce the use of secure, organization-approved password managers; require MFA or passkeys for all accounts to reduce the risk of credential theft and unauthorized access.
- Educate end users on safe software acquisition: Conduct awareness training focused on recognizing malvertising, deceptive download pages, and fraudulent installers — reinforcing that software should only be downloaded from official vendor websites or trusted app stores.
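The credential-hardening step above can be enforced on individual Windows hosts with the standard browser enterprise policies. The following is an added example written for this page, not Sophos tooling or anything from the campaign write-up; it assumes the documented Chrome, Edge and Firefox policy registry locations and an elevated session (in a domain, the same values would normally be pushed through Group Policy instead).

```powershell
# Added example, not Sophos's own tooling. Assumes the standard Chrome/Edge/Firefox
# enterprise policy registry paths below and local administrator rights.
# PasswordManagerEnabled = 0 stops the browser from offering to save or autofill passwords,
# which removes the credential store that browser-targeting infostealers harvest.

$BrowserPolicies = @(
    @{ Name = 'Chrome';  Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome' },
    @{ Name = 'Edge';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' },
    @{ Name = 'Firefox'; Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox' }
)

function Disable-BrowserPasswordStorage {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($p in $BrowserPolicies) {
        if (-not (Test-Path $p.Path)) {
            New-Item -Path $p.Path -Force | Out-Null
        }
        if ($PSCmdlet.ShouldProcess($p.Name, 'Set PasswordManagerEnabled = 0')) {
            New-ItemProperty -Path $p.Path -Name 'PasswordManagerEnabled' `
                -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

function Test-BrowserPasswordStorage {
    # One row per browser; Enforced is $true only when the policy value is present and 0.
    foreach ($p in $BrowserPolicies) {
        $value = (Get-ItemProperty -Path $p.Path -Name 'PasswordManagerEnabled' `
                    -ErrorAction SilentlyContinue).PasswordManagerEnabled
        [pscustomobject]@{
            Browser                = $p.Name
            PasswordManagerEnabled = $value
            Enforced               = ($value -eq 0)
        }
    }
}

# Apply, then verify. Use -WhatIf on the first call to preview the registry changes.
Disable-BrowserPasswordStorage
Test-BrowserPasswordStorage | Format-Table -AutoSize
```

Disabling the built-in store does not delete credentials a user has already saved, so pair this with a migration to the approved password manager and treat anything previously stored in the browser on an affected host as compromised, as the conclusions above advise.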
Post-incident recommended actions
- Conduct comprehensive endpoint scans using updated threat intelligence to detect known indicators of compromise
- Reimage compromised endpoints and enforce immediate credential resets to eliminate persistence risks
- Verify and enforce Multi-Factor Authentication (MFA) for all impacted users and systems not previously protected
- Strengthen behavioural monitoring and detection capabilities to identify malicious activity and potential follow-on payloads
- Restrict installation of unverified or unauthorized software using application control and publisher validation policies
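For the first post-incident step, a quick host-level check for the trojanized application named in this write-up is shown below. It is an added example, not Sophos detection content: it walks the standard Windows uninstall registry keys for an entry whose DisplayName contains "AppSuite" (the match pattern is this example's assumption) and lists the Authenticode signer of every executable in the install directory. Because the campaign abused code-signing certificates, the script reports signer and thumbprint for every file rather than treating a "Valid" status as benign.

```powershell
# Added hunting example, not Sophos's own detection content. Assumes the three standard
# uninstall registry locations and that the trojanized application registered an uninstall
# entry whose DisplayName contains "AppSuite" (pattern is an assumption; adjust as needed).

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Find-SuspectInstall {
    param([string]$NamePattern = 'AppSuite')
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $NamePattern } |
        Select-Object DisplayName, Publisher, InstallDate, InstallLocation, UninstallString, PSPath
}

function Get-InstallSigners {
    param([Parameter(Mandatory)][string]$InstallLocation)
    if (-not (Test-Path $InstallLocation)) { return }
    Get-ChildItem -Path $InstallLocation -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status                          # Valid / NotSigned / HashMismatch / ...
                Signer     = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint    # keep for revocation checks and IoC sharing
                SizeBytes  = $_.Length
                LastWrite  = $_.LastWriteTimeUtc
            }
        }
}

$hits = Find-SuspectInstall
if (-not $hits) {
    Write-Output 'No matching uninstall entry found on this host.'
} else {
    foreach ($hit in $hits) {
        Write-Output "Found: $($hit.DisplayName) (Publisher: $($hit.Publisher)) at $($hit.InstallLocation)"
        if ($hit.InstallLocation) {
            Get-InstallSigners -InstallLocation $hit.InstallLocation | Format-Table -AutoSize
        }
    }
}
```

A hit here is a trigger for the remaining steps in the list (isolate, reimage, reset credentials), not a substitute for a full endpoint scan with current threat intelligence: an installer that never registered an uninstall entry, or one that was already removed, will not appear in these keys.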
Learn more about TamperedChef from the Sophos website
