
Cyber Threat Intelligence Report


This week, we briefed our clients on TamperedChef, an infostealer delivered by a malware campaign luring victims into downloading a malicious PDF editor.

 

 KEY TAKEAWAYS 

  • TamperedChef infostealer campaign distributed via fake PDF Editors.

  • Application Control is a key security control to block and prevent this type of malware.

  • Critical and high-severity vulnerabilities in Citrix, SAP, FreePBX, Docker, and Sitecore, plus updates to CISA KEV, patch now!



 

TamperedChef – Or Why Application Control is So Important

Security researchers from Truesec uncovered a stealthy malware campaign distributing the "TamperedChef" infostealer. The threat actors registered a series of websites promoting a free PDF tool called "AppSuite PDF Editor". Using SEO and malvertising, these sites lured victims into downloading what appeared to be a benign PDF editor. However, the research shows that the editors contained code that checked for updates daily. On August 21, one of these updates triggered dormant malicious code, enabling the infostealer capabilities that are referred to as "TamperedChef".

 

IOC Pivots

Researchers at G DATA Software published a detailed blog on the mechanics of the malicious file. At the bottom of the report, they list a handful of download URLs delivering the initial PDF editor, including pdfmeta[.]com, pdfartisan[.]com, and pdfreplace[.]com. Using Validin, we find that these sites share the same favicon and therefore the same favicon hash (b0e1748a803938cb8f0dd29c58061ab3). Using this hash as a pivot, we find 16 sites in total, all PDF-related, created in late May through June 2025.

 

[Image: Validin favicon hash pivot results, captured 2025-09-08]

 

These findings show the large internet footprint used by this campaign: the infrastructure was in place for almost 3 months before the malicious PDF editor turned hostile. Additional IOCs can be found in the Truesec blog here. PacketWatch and CrowdStrike queries to detect these IOCs can be found in the appendix below.
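The favicon pivot described above, worked through in code. This is an added example, not part of the report or of Validin's tooling: it assumes the 32-hex-character favicon hash is an MD5 of the raw favicon bytes, clusters an inventory of sites by that hash, keeps only those created inside the campaign's registration window, and renders the matching domains in the http.host:(a OR b ...) form used in the appendix. The favicon bytes, the .test domains and all creation dates are constructed so the script runs offline; only the three .com names come from the report.

```python
import hashlib
import re
from collections import defaultdict
from datetime import date

# Constructed favicon bytes standing in for what each site serves at /favicon.ico.
# A real pivot hashes the bytes actually served; these are fabricated so the script runs offline.
SHARED_ICON = b"\x00\x00\x01\x00" + b"SHARED-PDF-TOOL-ICON" * 8
OTHER_ICON = b"\x00\x00\x01\x00" + b"UNRELATED-SITE-ICON" * 8

# Constructed inventory: (domain, creation date, favicon bytes). The three .com names appear
# in the report; the .test names and every date are made up.
INVENTORY = [
    ("pdfmeta.com", date(2025, 5, 28), SHARED_ICON),
    ("pdfartisan.com", date(2025, 6, 3), SHARED_ICON),
    ("pdfreplace.com", date(2025, 6, 17), SHARED_ICON),
    ("unrelated-news.test", date(2019, 1, 10), OTHER_ICON),
    ("old-pdf-tool.test", date(2021, 4, 2), SHARED_ICON),  # same icon, but years outside the window
]

# Campaign registration window from the report (late May through June 2025).
PIVOT_WINDOW = (date(2025, 5, 1), date(2025, 6, 30))


def favicon_hash(icon: bytes) -> str:
    """MD5 of the raw favicon bytes. Assumption: the 32-hex-char hash in the report is an MD5."""
    return hashlib.md5(icon).hexdigest()


def cluster_by_favicon(inventory):
    """Map favicon hash -> [(domain, created), ...]."""
    clusters = defaultdict(list)
    for domain, created, icon in inventory:
        clusters[favicon_hash(icon)].append((domain, created))
    return clusters


def pivot(inventory, seed_domain, start, end):
    """Domains sharing seed_domain's favicon hash and created within [start, end], sorted."""
    seed_icon = next(icon for d, _, icon in inventory if d == seed_domain)
    seed_hash = favicon_hash(seed_icon)
    cluster = cluster_by_favicon(inventory)[seed_hash]
    return seed_hash, sorted(d for d, created in cluster if start <= created <= end)


# Hostname syntax check so a malformed inventory entry cannot silently become a query term.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def packetwatch_host_query(domains):
    """Render the http.host:(a OR b ...) form used in the report's appendix."""
    bad = [d for d in domains if not DOMAIN_RE.match(d)]
    if bad:
        raise ValueError(f"malformed domain(s): {bad}")
    return "http.host:(" + " OR ".join(domains) + ")"


def run_example():
    """Pivot from pdfmeta.com over the constructed inventory and build the query."""
    seed_hash, hits = pivot(INVENTORY, "pdfmeta.com", *PIVOT_WINDOW)
    return seed_hash, hits, packetwatch_host_query(hits)


if __name__ == "__main__":
    seed_hash, hits, query = run_example()
    print(f"favicon hash {seed_hash} shared by {len(hits)} sites in window: {hits}")
    print(query)
```

The date filter is what keeps the pivot honest: a shared favicon proves the same template was reused, not that every site carrying it belongs to one operator, so the older .test domain with the same icon is dropped rather than reported.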

 

The Bigger Picture

Fake software download campaigns are nothing new. SocGholish fake software updates continue to be a pervasive threat and have been around since at least 2017. What makes these attacks so effective is standard users’ ability to download and install their own software. When regular users have any sort of administrative privileges, even local ones, they have the ability to easily download and install these potentially malicious programs. This opens a large attack surface that threat actors are increasingly exploiting.

 

How to Protect Your Organization

As with many modern-day threat actors, throughout the entire attack chain, no actual malware was used (other than the ransomware encryptor itself). Groups like Warlock exploit known vulnerabilities, then use "living off the land" techniques to blend in with regular network activities. This type of attack chain can render traditional AV tools completely ineffective. Organizations must leverage modern EDR tools in conjunction with application and network monitoring to detect deviations from normal behavior.

  • Application Allow-Listing (Default-deny) - Ideally, organizations should enforce an allow list that permits only pre-approved applications. Where this is not possible, full visibility into network traffic with tools such as PacketWatch is a great way to identify remote access tools and data exfiltration tools. Organizations must know which processes are allowed to run in the network so that any deviation can be immediately identified and remediated.
  • Restrict user privileges - Regular users should not have administrative privileges on their systems. Any administrative work should be completed with an explicit, separate administrator account.
  • Endpoint Protection - Deploy a fully up-to-date EDR solution to every endpoint. This will help detect and prevent execution in the event other security controls fail.
  • User Awareness Training - Users should be made aware of what type of tools they are expected to use for their work tasks. For example, if a user is required to work with PDF files, and the organization uses Adobe Acrobat, users should be instructed to only use Acrobat for that work.

 

Resources:


 

 

Vulnerability Roundup

 

Citrix NetScaler RCE Actively Exploited

On August 26, Citrix released a security bulletin for their NetScaler ADC and NetScaler Gateway products. The bulletin includes details for 3 vulnerabilities, the most critical being CVE-2025-7775, which is an unauthenticated remote code execution vulnerability that has been actively exploited in the wild. In order to be vulnerable, the device must meet one of the following configuration requirements:

  • NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
  • NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers
  • NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers
  • CR virtual server with type HDX

Users can determine if the appliance meets these configuration requirements by referring to Citrix Support guidance here. In order to protect against these vulnerabilities, administrators are strongly urged to upgrade to the relevant version as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP

 

 

SAP S/4HANA Critical Vulnerability Actively Exploited

In early August, SAP released a fix for a critical vulnerability in their S/4HANA (ERP software) solution. The vulnerability, tracked as CVE-2025-42957, is an Advanced Business Application Programming (ABAP) code injection flaw that can allow a low-privileged user to take complete control of the system. This vulnerability is being actively exploited in the wild. The flaw affects all Private Cloud and On-Premise releases of S/4HANA. Administrators are urged to apply the August "Patch Day" updates as soon as possible.

 

FreePBX 0-day

In late August, Sangoma FreePBX published a forum post detailing a maximum-severity vulnerability in the FreePBX administrator control panel (ACP) that is being exploited in the wild. Per the advisory, "insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation (SQLi) and remote code execution (RCE)." The vulnerability affects the following versions:

  • FreePBX 15 prior to 15.0.66
  • FreePBX 16 prior to 16.0.89, and
  • FreePBX 17 prior to 17.0.3

Administrators are urged to apply the update as soon as possible, which can be done with the following command: fwconsole ma upgradeall. Additionally, administrators are urged to restrict internet access to the ACP to only authorized or trusted IP addresses.

 

Docker Desktop Container Escape

Docker recently released a fix for a server-side request forgery (SSRF) vulnerability in Docker Desktop that can lead to container escape. The flaw, tracked as CVE-2025-9074, allowed any container to connect to the Docker Engine API at 192.168.65[.]7:2375 without authentication. Using this access, a threat actor could gain full access to the underlying host system. The vulnerability was addressed by Docker with version 4.44.3. Administrators are urged to patch as soon as possible.
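A patch-state check for the Citrix NetScaler, FreePBX and Docker Desktop items above, added here as an example and not taken from any vendor tooling. It records the first fixed build per affected branch exactly as the report states them, compares an installed version against the right branch as an integer tuple, and flags hosts still below the fix. Two assumptions: build numbers are taken to increase monotonically within a branch, and the NetScaler FIPS/NDcPP builds cannot be told apart from standard builds by version string alone, so the caller chooses the branch key. For NetScaler the version alone does not decide exposure; the configuration conditions listed above still apply and are not evaluated here. Hostnames and installed builds in the sample inventory are constructed.

```python
import re

# First fixed builds per affected branch, as stated in the report. The keys are this
# example's own labels. FIPS/NDcPP builds share the "13.1-"/"12.1-" prefix with standard
# builds, so the caller must choose the matching key rather than rely on the string.
FIXED_BUILDS = {
    "netscaler-14.1":      "14.1-47.48",
    "netscaler-13.1":      "13.1-59.22",
    "netscaler-13.1-fips": "13.1-37.241",  # also covers 13.1-NDcPP
    "netscaler-12.1-fips": "12.1-55.330",  # also covers 12.1-NDcPP
    "freepbx-15":          "15.0.66",
    "freepbx-16":          "16.0.89",
    "freepbx-17":          "17.0.3",
    "docker-desktop":      "4.44.3",
}

# Leading numeric components that identify a branch: NetScaler 14.1 vs 13.1,
# FreePBX 15/16/17; Docker Desktop is a single release line.
BRANCH_DEPTH = {"netscaler": 2, "freepbx": 1, "docker": 0}


def parse_build(version: str) -> tuple:
    """'13.1-59.22' -> (13, 1, 59, 22); '16.0.89' -> (16, 0, 89). Separators are ignored."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(product_key: str, installed: str) -> bool:
    """True if the installed build is at or above the first fixed build of its branch."""
    fixed = parse_build(FIXED_BUILDS[product_key])
    inst = parse_build(installed)
    depth = BRANCH_DEPTH[product_key.split("-")[0]]
    if inst[:depth] != fixed[:depth]:
        # Comparing across branches would give a meaningless answer, so refuse.
        raise ValueError(f"{installed} is not on the {product_key} branch")
    return inst >= fixed


def audit(inventory):
    """inventory: [(host, product_key, installed_version)] -> hosts still below the fix."""
    return [host for host, key, ver in inventory if not is_patched(key, ver)]


# Constructed inventory; hostnames and installed builds are made up for the example.
SAMPLE_INVENTORY = [
    ("ns-edge-1", "netscaler-14.1", "14.1-47.46"),
    ("ns-edge-2", "netscaler-14.1", "14.1-47.48"),
    ("ns-fips-1", "netscaler-13.1-fips", "13.1-37.235"),
    ("pbx-main", "freepbx-16", "16.0.89"),
    ("pbx-branch", "freepbx-17", "17.0.2"),
    ("dev-laptop", "docker-desktop", "4.44.2"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: below first fixed build, patch required")
```

Refusing to compare across branches matters in practice: a 13.1 NetScaler held against the 14.1 fixed build would always look unpatched, and a 14.1 build held against the 13.1 fix would always look patched, so a silent mismatch produces exactly the wrong answer in both directions.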

 

Sitecore Exploited With Default Machine Keys

CISA recently warned of a critical vulnerability in Sitecore (digital experience platform) that is being actively exploited in the wild. The vulnerability, tracked as CVE-2025-53690, results from a "deserialization of untrusted data involving the use of default machine keys." These default machine keys allow for attackers to achieve remote code execution. The flaw affects Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud instances. Administrators are strongly urged to mitigate this vulnerability as soon as possible. Detailed instructions for remediation can be found on the Sitecore support page here.
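The Sitecore issue above is a configuration problem as much as a code problem: an ASP.NET machineKey that ships with the product, or is copied between deployments, lets anyone who knows it forge data the application will deserialize. The following audit script is an added example, not Sitecore's own remediation tooling: it reads a web.config, finds the machineKey element, and flags a missing element, keys that match an operator-supplied list of known defaults, and keys that are not hex of a sensible minimum length. The report does not print the default values, so KNOWN_DEFAULT_KEYS holds obviously fake placeholders to be replaced from vendor guidance, the 64-hex-character floor is an assumed threshold, and the three web.config fragments are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Key values the operator knows to be shipped defaults. The report does not print them, so
# these are fake placeholders; load the real values from the vendor's remediation guidance.
KNOWN_DEFAULT_KEYS = {
    "PLACEHOLDER_DEFAULT_VALIDATION_KEY",
    "PLACEHOLDER_DEFAULT_DECRYPTION_KEY",
}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
MIN_HEX_LEN = 64  # assumed floor (32 random bytes); vendor guidance may require longer keys


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Findings for the <machineKey> element of an ASP.NET web.config; empty list means clean."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return ["no explicit <machineKey>; keys are inherited from machine-level config, "
                "verify they are unique to this deployment"]
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        val = mk.get(attr)
        if val is None:
            findings.append(f"{attr} not set")
        elif val in KNOWN_DEFAULT_KEYS:
            findings.append(f"{attr} is a known default value: rotate it")
        elif val.startswith("AutoGenerate"):
            # ASP.NET's per-machine auto-generated key: not a shared default, noted for completeness.
            findings.append(f"{attr} is AutoGenerate (per-machine): informational")
        elif not HEX_RE.match(val) or len(val) < MIN_HEX_LEN:
            findings.append(f"{attr} is not a hex key of at least {MIN_HEX_LEN} characters")
    return findings


# Constructed web.config fragments (not Sitecore's real files).
UNIQUE_VALIDATION = "0123456789ABCDEF" * 8   # 128 hex chars, stand-in for a freshly generated key
UNIQUE_DECRYPTION = "FEDCBA9876543210" * 4   # 64 hex chars
CFG_DEFAULT_KEYS = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_DEFAULT_VALIDATION_KEY"
              decryptionKey="PLACEHOLDER_DEFAULT_DECRYPTION_KEY"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""
CFG_NO_KEY = "<configuration><system.web/></configuration>"
CFG_UNIQUE_KEYS = f"""<configuration><system.web>
  <machineKey validationKey="{UNIQUE_VALIDATION}" decryptionKey="{UNIQUE_DECRYPTION}"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("default", CFG_DEFAULT_KEYS), ("missing", CFG_NO_KEY), ("unique", CFG_UNIQUE_KEYS)):
        print(name, audit_machine_key(cfg) or ["ok"])
```

The missing-element case is reported on purpose: an application without its own machineKey is not necessarily safe, it is simply using whatever the machine-level configuration supplies, which is exactly the value a default-key finding is about.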

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2025-53690 - Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability
  • CVE-2025-48543 - Android Runtime Use-After-Free Vulnerability
  • CVE-2025-38352 - Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability
  • CVE-2025-9377 - TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
  • CVE-2023-50224 - TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability
  • CVE-2025-55177 - Meta Platforms WhatsApp Incorrect Authorization Vulnerability
  • CVE-2020-24363 - TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability
  • CVE-2025-57819 - Sangoma FreePBX Authentication Bypass Vulnerability
  • CVE-2025-7775 - Citrix NetScaler Memory Overflow Vulnerability
  • CVE-2024-8069 - Citrix Session Recording Deserialization of Untrusted Data Vulnerability
  • CVE-2024-8068 - Citrix Session Recording Improper Privilege Management Vulnerability
  • CVE-2025-48384 - Git Link Following Vulnerability

 

Appendix (Queries)

 

TamperedChef Downloader PacketWatch Query (Favicon Hash Pivot):

http.host:(findthemanual.com OR typdf.com OR scholarpdf.com OR agipdf.com OR pdfideas.com OR gpt-pdf.com OR pdfartisan.com OR pdfhubspot.com OR pdfworker.com OR pdf-central.com OR pdfadmin.com OR click4pdf.com OR pdfmeta.com OR pdforsmartminds.com OR pdfreplace.com OR pdfgj.com)

 

TamperedChef Post-Compromise PacketWatch Query:

http.host:*.appsuites[.]ai

 

TamperedChef CrowdStrike Query (Author – Brandon Schwartz):

// Network indicator: any host under appsuites.ai
DomainName = "*appsuites.ai"
// File indicators from the G DATA / Truesec reporting
OR ContextBaseFileName = "PDF Editor.exe"
OR FileName = "PDF Editor.exe"
OR TargetFileName = "PDF Editor.exe"
// Each alternative needs its own field comparison: a bare value after OR is a free-text
// search, not a hash match. Hashes are lowercase, as stored in Falcon telemetry.
OR SHA256HashData = "b0c321d6e2fc5d4e819cb871319c70d253c3bf6f9a9966a5d0f95600a19c0983"
OR SHA256HashData = "1ac61435e8a508647724c7796406107b43c3c1e546782a9bcf14db88ddd5f75d"
// Update switches the editor is launched with
OR CommandLine = "*--cm=--backupupdate*"
OR CommandLine = "*--cm=--fullupdate*"
| groupBy([ComputerName, LocalIP, DomainName, ImageFileName, UserName], limit=10000)
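The same indicator logic as the CrowdStrike query above, run over exported endpoint telemetry offline. This is an added example, not part of the report or of CrowdStrike's tooling: it uses the report's own indicators (the appsuites.ai domain pattern, the "PDF Editor.exe" file name, the two SHA-256 hashes and the two update switches), reads events as dictionaries whose keys mirror the query's field names, returns the reason each event matched, and groups hits by ComputerName the way the query's groupBy does. The sample events are constructed; every value other than the indicators themselves is made up.

```python
import fnmatch
from collections import defaultdict

# Indicators taken from the report's appendix (CrowdStrike query).
IOC_DOMAIN_GLOB = "*appsuites.ai"
IOC_FILENAMES = {"PDF Editor.exe"}
IOC_SHA256 = {
    "b0c321d6e2fc5d4e819cb871319c70d253c3bf6f9a9966a5d0f95600a19c0983",
    "1ac61435e8a508647724c7796406107b43c3c1e546782a9bcf14db88ddd5f75d",
}
IOC_CMDLINE_GLOBS = ("*--cm=--backupupdate*", "*--cm=--fullupdate*")
FILENAME_FIELDS = ("ContextBaseFileName", "FileName", "TargetFileName")


def match_event(ev: dict) -> list[str]:
    """Return one reason string per indicator the event matches (empty list = no match)."""
    reasons = []
    domain = (ev.get("DomainName") or "").lower()
    if domain and fnmatch.fnmatchcase(domain, IOC_DOMAIN_GLOB):
        reasons.append(f"domain:{domain}")
    for field in FILENAME_FIELDS:
        if ev.get(field) in IOC_FILENAMES:
            reasons.append(f"{field}:{ev[field]}")
    # Hashes are normalised to lowercase so an uppercase export still matches.
    sha256 = (ev.get("SHA256HashData") or "").lower()
    if sha256 in IOC_SHA256:
        reasons.append(f"sha256:{sha256[:12]}")
    cmdline = ev.get("CommandLine") or ""
    for glob in IOC_CMDLINE_GLOBS:
        if fnmatch.fnmatchcase(cmdline, glob):
            reasons.append(f"cmdline:{glob.strip('*')}")
    return reasons


def hunt(events) -> dict:
    """Group matching events by host, mirroring the query's groupBy([ComputerName, ...])."""
    hits = defaultdict(list)
    for ev in events:
        reasons = match_event(ev)
        if reasons:
            hits[ev.get("ComputerName", "?")].append(reasons)
    return dict(hits)


# Constructed sample telemetry. Field names follow the CrowdStrike query; hostnames, users
# and the benign events are made up, only the indicator values come from the report.
SAMPLE_EVENTS = [
    {"ComputerName": "WS-101", "UserName": "jdoe", "DomainName": "updates.appsuites.ai"},
    {"ComputerName": "WS-101", "UserName": "jdoe", "FileName": "PDF Editor.exe",
     "CommandLine": '"PDF Editor.exe" --cm=--fullupdate',
     "SHA256HashData": "B0C321D6E2FC5D4E819CB871319C70D253C3BF6F9A9966A5D0F95600A19C0983"},
    {"ComputerName": "WS-202", "UserName": "asmith", "FileName": "Acrobat.exe",
     "CommandLine": "Acrobat.exe /n", "DomainName": "adobe.com"},
    {"ComputerName": "WS-303", "UserName": "bwong", "DomainName": "appsuites.ai.example.net"},  # lookalike
]

if __name__ == "__main__":
    for host, matches in hunt(SAMPLE_EVENTS).items():
        print(host)
        for reasons in matches:
            print("  " + ", ".join(reasons))
```

The lookalike on WS-303 is included deliberately: a suffix pattern such as *appsuites.ai only matches hosts that end in the indicator, so a domain that merely contains it is not reported, which is the same behaviour the query's wildcard gives.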

 


 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

 

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.