This week, we briefed our clients on TamperedChef, an infostealer delivered by a malware campaign luring victims into downloading a malicious PDF editor.
KEY TAKEAWAYS
TamperedChef infostealer campaign distributed via fake PDF Editors.
Application Control is a key security control to block and prevent this type of malware.
Security researchers from Truesec uncovered a stealthy malware campaign distributing the "TamperedChef" infostealer. The threat actors registered a series of websites promoting a free PDF tool called "AppSuite PDF Editor". Using SEO and malvertising, these sites lured victims into downloading what was thought to be a benign PDF editor. However, the research shows these editors had code that would check for daily updates. On August 21, these updates triggered dormant malicious code, effectively enabling the malicious infostealer capabilities, which are referred to as "TamperedChef".
IOC Pivots
Researchers at G DATA Software published a detailed blog on the mechanics of the malicious file. At the bottom of the report, they list a handful of download URLs delivering the initial PDF editor, including: pdfmeta[.]com, pdfartisan[.]com, and pdfreplace[.]com. Using Validin, we find that these sites have the same favicon and favicon hash (b0e1748a803938cb8f0dd29c58061ab3). Using this as a pivot, we find there are 16 sites, all PDF-related, created in late May through June 2025.
These findings show the large internet footprint used by this campaign: the malicious PDF editor was distributed for almost 3 months. Additional IOCs can be found in the Truesec blog here. PacketWatch and CrowdStrike queries to detect these IOCs can be found in the appendix below.
The Bigger Picture
Fake software download campaigns are nothing new. SocGholish fake software updates continue to be a pervasive threat and have been around since at least 2017. What makes these attacks so effective is standard users’ ability to download and install their own software. When regular users have any sort of administrative privileges, even local ones, they have the ability to easily download and install these potentially malicious programs. This opens a large attack surface that threat actors are increasingly exploiting.
How to Protect Your Organization
As with many modern-day threat actors, throughout the entire attack chain, no actual malware was used (other than the ransomware encryptor itself). Groups like Warlock exploit known vulnerabilities, then use "living off the land" techniques to blend in with regular network activities. This type of attack chain can render traditional AV tools completely ineffective. Organizations must leverage modern EDR tools in conjunction with application and network monitoring to detect deviations from normal behavior.
Resources:
https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor
https://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis
https://expel.com/blog/you-dont-find-manualfinder-manualfinder-finds-you/
https://thehackernews.com/2025/08/tamperedchef-malware-disguised-as-fake.html
Vulnerability Roundup
On August 26, Citrix released a security bulletin for their NetScaler ADC and NetScaler Gateway products. The bulletin includes details for 3 vulnerabilities, the most critical being CVE-2025-7775, which is an unauthenticated remote code execution vulnerability that has been actively exploited in the wild. In order to be vulnerable, the device must meet one of the following configuration requirements:
Users can determine if the appliance meets these configuration requirements by referring to Citrix Support guidance here. In order to protect against these vulnerabilities, administrators are strongly urged to upgrade to the relevant version as soon as possible:
In early August, SAP released a fix for a critical vulnerability in their S/4HANA (ERP Software) solution. The vulnerability, tracked as CVE-2025-42957, is an Advanced Business Application Programming (ABAP) code injection flaw that can allow a low-privilege user to take complete control of the system. This vulnerability is being actively exploited in the wild. The flaw affects all Private Cloud and On-Premise releases of S/4HANA. Administrators are urged to apply the August "Patch Day" updates as soon as possible.
In late August, Sangoma FreePBX published a forum post detailing a maximum-severity vulnerability in the FreePBX administrator control panel (ACP) that is being exploited in the wild. Per the advisory, "insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation (SQLi) and remote code execution (RCE)." The vulnerability affects the following versions:
Administrators are urged to apply the update as soon as possible, which can be done with the following command: fwconsole ma upgradeall. Additionally, administrators are urged to restrict internet access to the ACP to only authorized or trusted IP addresses.
Docker recently released a fix for a server-side request forgery (SSRF) vulnerability in Docker Desktop that can lead to container escape. The flaw, tracked as CVE-2025-9074, allowed any container to connect to the Docker Engine API at 192.168.65[.]7:2375 without authentication. Using this access, a threat actor could gain full access to the underlying host system. The vulnerability was addressed by Docker with version 4.44.3. Administrators are urged to patch as soon as possible.
CISA recently warned of a critical vulnerability in Sitecore (digital experience platform) that is being actively exploited in the wild. The vulnerability, tracked as CVE-2025-53690, results from a "deserialization of untrusted data involving the use of default machine keys." These default machine keys allow for attackers to achieve remote code execution. The flaw affects Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud instances. Administrators are strongly urged to mitigate this vulnerability as soon as possible. Detailed instructions for remediation can be found on the Sitecore support page here.
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:
TamperedChef Downloader PacketWatch Query (Favicon Hash Pivot):
http.host:(findthemanual.com OR typdf.com OR scholarpdf.com OR agipdf.com OR pdfideas.com OR gpt-pdf.com OR pdfartisan.com OR pdfhubspot.com OR pdfworker.com OR pdf-central.com OR pdfadmin.com OR click4pdf.com OR pdfmeta.com OR pdforsmartminds.com OR pdfreplace.com OR pdfgj.com)
TamperedChef Post-Compromise PacketWatch Query:
http.host:*.appsuites.ai
TamperedChef CrowdStrike Query (Author – Brandon Schwartz):
DomainName = "*appsuites.ai"
OR ContextBaseFileName = "PDF Editor.exe"
OR FileName = "PDF Editor.exe"
OR TargetFileName = "PDF Editor.exe"
OR SHA256HashData = "b0c321d6e2fc5d4e819cb871319c70d253c3bf6f9a9966a5d0f95600a19c0983"
OR SHA256HashData = "1ac61435e8a508647724c7796406107b43c3c1e546782a9bcf14db88ddd5f75d"
OR CommandLine = "*--cm=--backupupdate*"
OR CommandLine = "*--cm=--fullupdate*"
| groupBy([ComputerName, LocalIP, DomainName, ImageFileName, UserName], limit=10000)
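The same IOCs from the PacketWatch and CrowdStrike queries above, applied as a stand-alone matcher over event records, as an added example that is not part of this report or PacketWatch's tooling. It assumes each event is a dictionary keyed by the field names the queries use, and the sample events are constructed; it also normalises case so an upper-case hash or host in the telemetry is not missed by an exact-match comparison.

```python
import fnmatch
# IOCs copied from the PacketWatch and CrowdStrike queries above.
DOWNLOAD_HOSTS = set(
    "findthemanual.com typdf.com scholarpdf.com agipdf.com pdfideas.com gpt-pdf.com "
    "pdfartisan.com pdfhubspot.com pdfworker.com pdf-central.com pdfadmin.com click4pdf.com "
    "pdfmeta.com pdforsmartminds.com pdfreplace.com pdfgj.com".split())
C2_DOMAIN = "appsuites.ai"
FILE_NAMES = {"pdf editor.exe"}
SHA256_IOCS = {"b0c321d6e2fc5d4e819cb871319c70d253c3bf6f9a9966a5d0f95600a19c0983",
               "1ac61435e8a508647724c7796406107b43c3c1e546782a9bcf14db88ddd5f75d"}
CMDLINE_PATTERNS = ["*--cm=--backupupdate*", "*--cm=--fullupdate*"]

def match_record(rec):
    """Return the IOC categories one event matches (empty list if clean)."""
    hits = []
    # Hosts, hashes and names are lower-cased first so mixed-case telemetry
    # (e.g. an upper-case SHA256) cannot slip past an exact-match comparison.
    host = rec.get("http.host", rec.get("DomainName", "")).lower().strip(".")
    if host in DOWNLOAD_HOSTS:
        hits.append("download-site")
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        hits.append("post-compromise-domain")
    names = (rec.get(k, "") for k in ("FileName", "TargetFileName", "ContextBaseFileName"))
    if any(n.replace("\\", "/").rsplit("/", 1)[-1].lower() in FILE_NAMES for n in names):
        hits.append("file-name")
    if rec.get("SHA256HashData", "").lower() in SHA256_IOCS:
        hits.append("sha256")
    cmd = rec.get("CommandLine", "").lower()
    if any(fnmatch.fnmatchcase(cmd, p) for p in CMDLINE_PATTERNS):
        hits.append("update-cmdline")
    return hits

def scan(records):
    """Group matches per ComputerName, like groupBy() in the CrowdStrike query."""
    summary = {}
    for rec in records:
        hits = match_record(rec)
        if hits:
            summary.setdefault(rec.get("ComputerName", "?"), set()).update(hits)
    return {name: sorted(cats) for name, cats in summary.items()}

# Constructed sample events (not real telemetry) in the field names used above.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "http.host": "PDFMETA.COM"},
    {"ComputerName": "WS01", "TargetFileName": r"C:\Users\a\Downloads\PDF Editor.exe",
     "SHA256HashData": "B0C321D6E2FC5D4E819CB871319C70D253C3BF6F9A9966A5D0F95600A19C0983"},
    {"ComputerName": "WS01", "CommandLine": r'"C:\Program Files\PDF Editor\PDF Editor.exe" --cm=--fullupdate'},
    {"ComputerName": "WS02", "DomainName": "api.appsuites.ai"},
    {"ComputerName": "WS03", "http.host": "example.com", "CommandLine": "notepad.exe"},
]
```

Running scan(SAMPLE_EVENTS) flags WS01 on all four IOC types and WS02 on the post-compromise domain only; the clean WS03 host is not reported.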
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.