TamperedChef Malware Campaign Exploits Google Ads to Spread Trojanized PDF Editor

Cybercriminals are using malvertising and fake software sites to push a backdoor-laced PDF editor that secretly installs the TamperedChef information stealer.

CSBadmin

Security researchers have uncovered a large-scale cybercrime campaign that uses malicious Google Ads and fraudulent websites to trick users into downloading a trojanized PDF editor called AppSuite PDF Editor. Hidden within the installer is a new information stealer dubbed TamperedChef, designed to harvest credentials, cookies, and other sensitive data. The campaign was first observed in late June 2025, with its malicious features activated nearly two months later—timed to match the lifespan of typical Google advertising runs.

The installer behaves like legitimate software by prompting users to agree to a license agreement, but in the background, it sets up persistence through Windows Registry modifications and scheduled tasks. Once activated, TamperedChef connects back to a command-and-control (C2) server, enabling capabilities such as additional malware downloads, browser data exfiltration, and even backdoor operations. The malware can execute commands against Chromium-based browsers and is capable of altering browser settings to compromise user privacy further.

The malicious PDF editor download. Source: truesec.com.

German cybersecurity firm G DATA confirmed that multiple fraudulent sites distribute the same setup file, which behaves differently depending on the commands supplied. The campaign escalated on August 21, 2025, when infected machines began receiving update instructions that unlocked the malware’s full stealing and backdoor functions. Researchers noted that TamperedChef’s lifecycle—from initial lure to activation—suggests a deliberate strategy to maximize infections before turning on its malicious features.

Alongside Truesec and G DATA’s findings, Expel has also tracked a surge in malicious ad campaigns promoting trojanized PDF editors. Some of these tools have even been caught installing secondary malware or converting victim systems into residential proxies without consent, amplifying the risk to users.

TamperedChef highlights the persistent threat of malvertising and the dangers of downloading software from unverified sources. Organizations and individuals should double down on user awareness training, enforce stronger application control, and rely on trusted distribution channels to reduce exposure to malware campaigns that weaponize common productivity tools.

Sources: truesec.com