A sharp new malware campaign tracked as TamperedChef is leveraging counterfeit software installers, valid-looking certificates and search-engine ads to bypass defences and target organisations globally, cybersecurity researchers warn.
Analysis by several research teams shows the attack begins when a user downloads what appears to be a legitimate utility (a PDF editor or product-manual viewer) but is in fact a trojan hiding in plain sight.
The installer deploys a JavaScript back-door, sets up scheduled tasks that activate after a dormant period and uses valid code-signing certificates issued to shell companies to avoid detection.
More than 50 malicious domains and over five separate Google Ads campaigns were identified, indicating wide deployment of this vector. The installers often masquerade as everyday software to exploit user trust and search engine results. One of the most concerning elements: the campaign remains dormant for up to 56 days, allowing the malware to evade early detection while establishing persistence.
While the campaign’s impact is global, telemetry reveals heavy infections in the U.S. with significant activity also in Europe and Asia. The sectors hardest hit so far include healthcare, construction and manufacturing, industries where employees frequently download specialised manuals or software, making them prime targets. As cybersecurity experts from Acronis put it:
These industries appear especially vulnerable … likely due to their reliance on highly specialised and technical equipment, which often prompts users to search online for product manuals — one of the behaviours exploited by the TamperedChef campaign.
Some of the key modus operandi revealed include:
Security professionals say TamperedChef illustrates a worrying evolution in malware strategy, where attacker sophistication increasingly targets how users seek and install software rather than just exploiting vulnerabilities:
It is therefore critical for organisations to implement software allow-listing, enforce strict installer policies and carry out regular audits of scheduled tasks and unusual certificate usage.
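One way to run the scheduled-task and certificate audit recommended above, as an added example that is not code from the article or from Acronis: it enumerates active scheduled tasks and flags any whose action launches a script host with a .js file (the JavaScript back-door pattern) or whose executable is unsigned or signed by a publisher outside the organisation's allow-list, since, as the campaign shows, a merely valid signature is not enough. The publisher allow-list is an assumed placeholder to replace with your own.

```powershell
# Added example, not from the article or from Acronis: audit non-disabled scheduled
# tasks for script-host actions running .js files and for executables whose
# Authenticode signer is not on the organisation's allow-list.
# Assumptions: the allow-list below is a placeholder; run from an elevated shell.

$AllowedPublishers = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')  # placeholder
$ScriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe')

function Resolve-ActionPath {
    param([string]$Execute)
    # Strip surrounding quotes and expand variables such as %SystemRoot%
    $p = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) {
        $cmd = Get-Command $p -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd) { $p = $cmd.Source }
    }
    return $p
}

function Get-SuspiciousScheduledTasks {
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = Resolve-ActionPath $action.Execute
            $reasons = @()

            # Script host launching a .js file: the back-door pattern described above
            $isHost = $ScriptHosts -contains ([IO.Path]::GetFileName($exe).ToLower())
            if ($isHost -and $action.Arguments -match '\.js\b') { $reasons += 'script host runs .js' }

            # Check the signature of the executable the task actually launches
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') {
                    $reasons += "signature $($sig.Status)"
                } elseif (-not ($AllowedPublishers | Where-Object { $sig.SignerCertificate.Subject -like "*$_*" })) {
                    # Valid but from an unknown publisher: the shell-company certificate case
                    $reasons += "signer not allow-listed: $($sig.SignerCertificate.Subject)"
                }
            } else {
                $reasons += 'executable not found'
            }

            if ($reasons) {
                [pscustomobject]@{
                    Task       = "$($task.TaskPath)$($task.TaskName)"
                    Executable = $exe
                    Arguments  = $action.Arguments
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
```

Expect some legitimate third-party tasks to appear until their publishers are added to the allow-list; the value is in reviewing each unfamiliar signer rather than trusting the Valid status alone.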
Analysis suggests the operators behind the campaign are driven by both monetary gain and broader strategic ambitions. Their activities point to several objectives, such as offering remote access to compromised machines on criminal marketplaces, stealing confidential medical and corporate data for resale, and positioning themselves for possible ransomware attacks down the line. If the malware lands inside particularly sensitive networks, incidental intelligence gathering could also come into play.
Security analysts warn that the presence of valid signatures on an application no longer guarantees its safety. Criminal groups have become adept at abusing or fraudulently acquiring certificates, making malicious tools appear authentic. The TamperedChef operation demonstrates how easily trust systems can be manipulated, reinforcing the need for multiple layers of defense and far stricter scrutiny of where software comes from.
“TamperedChef illustrates a critical security lesson: Even software bearing valid digital signatures can be malicious. Attackers can exploit the inherent trust that users place in signed applications to distribute stealthy malware, bypass traditional defenses and gain persistence on systems. This underscores that digital signatures alone are not a guarantee of safety, and organizations must implement additional layers of security, vigilance and user awareness to detect and mitigate threats effectively,” said Darrel Virtusio, Senior Malware Researcher, Acronis.