TamperedChef: Malware via Fake App Installers

Redazione RHC : 21 November 2025 19:20

The large-scale TamperedChef campaign is once again attracting the attention of specialists, as attackers continue to distribute malware via fake installers of popular applications.

The lure, disguised as legitimate software, deceives users and gives the attackers persistent access to their devices. The Acronis team emphasizes that the activity continues: new files are still being discovered, and the associated infrastructure remains operational.

The method relies on social engineering. It combines the names of well-known utilities, malicious advertising, search engine optimization, and code-signing certificates issued to front companies. Researchers Darrell Virtusio and József Gegenyi explain that these elements increase trust in the installers and help them get past security controls.

The campaign has been nicknamed TamperedChef because the fake installers deliver the malware of the same name. The activity is considered part of a larger series of EvilAI operations that use decoys themed around AI-based tools.

To lend credibility to the fake apps, the operator group uses code-signing certificates issued to fictitious companies in the United States, Panama, and Malaysia. When the old certificates are revoked, new ones are obtained under a different company name. Acronis emphasizes that this setup resembles an organized production process, allowing the continuous issuance of new certificates and the hiding of malicious code behind signed builds. A valid signature therefore says nothing on its own here; the signer name, the certificate's issue date, and its revocation status all need to be checked.

It is important to note that several vendors have tracked different threats under the name TamperedChef: some research teams use the name BaoLoader, and the original malicious file carrying this name was embedded in a fake recipe app built by EvilAI.

A typical infection scenario begins with a user searching for hardware manuals or PDF utilities. The results contain advertising links or poisoned search results that lead to attacker domains registered through NameCheap. After downloading and running the installer, the user is shown a standard-looking licence agreement, and on completion a thank-you message opens in a new browser window.

At this point, an XML file is created on the machine that embeds a hidden, delayed-execution JavaScript component into the system. This module connects to an external node and sends basic device and session identifiers as an encrypted JSON payload over HTTPS.
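The hidden, delayed JavaScript persistence described above is the kind of thing a defender can hunt for in Windows Task Scheduler task definitions, which are XML and carry both a Hidden flag and per-trigger Delay values. The article does not say that the dropped XML file is a task definition, so treating it as one is an assumption of this example. The Python triage script below is added here and is not code from the article or from Acronis: it parses exported task XML (for instance from `schtasks /Query /TN <name> /XML`) and flags hidden tasks, delayed triggers, and actions that hand a .js/.vbs/.hta file to a script host. Both task definitions are constructed samples, and every path and task name in them is hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by Windows Task Scheduler XML task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts that commonly run dropped script files from a scheduled task.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_FILE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)


def analyse_task_xml(xml_text):
    """Return a list of human-readable findings for one task definition.

    Accepts str or bytes; real exports are UTF-16 with an XML declaration,
    so read those files in binary mode and pass the bytes straight in.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Actions: a script host launching a script file, or a task whose
    #    command *is* a script file, is the classic dropped-script pattern.
    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = (exec_.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        host = PureWindowsPath(cmd).name.lower()
        if host in SCRIPT_HOSTS and SCRIPT_FILE.search(args):
            findings.append(f"script host {host} runs script: {args}")
        elif SCRIPT_FILE.search(cmd):
            findings.append(f"task command is a script file: {cmd}")

    # 2. A Delay element on any trigger means the action fires some time
    #    after logon/boot rather than immediately (delayed execution).
    for delay in root.findall(".//t:Triggers//t:Delay", NS):
        findings.append(f"delayed trigger: {(delay.text or '').strip()}")

    # 3. Hidden tasks are not shown in the Task Scheduler UI by default.
    hidden = root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS) or ""
    if hidden.strip().lower() == "true":
        findings.append("task is hidden")

    return findings


def verdict(findings):
    """Collapse findings into a triage label."""
    if any(f.startswith(("script host", "task command")) for f in findings):
        return "suspicious"   # a script file in the action is enough on its own
    if len(findings) >= 2:
        return "review"       # hidden + delayed without a script still merits a look
    return "clean"


# Constructed sample: hidden task, 10-minute logon delay, wscript.exe running
# a dropped .js file. Paths and names are hypothetical, not from the campaign.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Delay>PT10M</Delay>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\ProgramData\ExampleApp\helper.js"</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample of an ordinary daily updater task for comparison.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        found = analyse_task_xml(xml_text)
        print(f"{name}: {verdict(found)} {found}")
```

On a live host the same function can be fed the output of `schtasks /Query /XML` for every task, which gives a quick sweep for script-host persistence without relying on the task name, since the operators can rename the task and the script file freely but still need a script host, a trigger, and (for stealth) the Hidden flag.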

The operators' objectives remain unclear. Some versions of the malware have been used in deceptive advertising campaigns, which points to direct monetization. It is also possible that access is being sold to other criminal groups, or that the implant is used to collect confidential data for later resale on underground markets.

According to telemetry data, the United States recorded the highest number of infections, with smaller numbers in Israel, Spain, Germany, India, and Ireland. Organizations in the healthcare, construction, and manufacturing sectors were the most affected. Experts attribute this to the fact that employees of these companies regularly search online for instruction manuals for specialized equipment, which is exactly the kind of query the poisoned search results and ads target.
