TamperedChef Campaign Uses Forged Certificates to Distribute Malware via Fake Installers
A large-scale TamperedChef campaign has once again drawn the attention of security researchers, as attackers continue distributing malware through counterfeit installers of popular applications. This method of disguising malicious payloads as familiar software enables them to deceive users and secure persistent access to targeted systems. According to Acronis, the activity has not subsided: new files are still being discovered, and the related infrastructure remains fully operational.
At the heart of the operation lies social engineering. The attackers rely on well-known utility names, poisoned ads that reroute clicks, search-engine manipulation, and forged digital certificates. Researchers Darrel Virtucio and József Gégény note that these components increase trust in the installers and help the malware slip past defensive mechanisms.
The campaign is named TamperedChef because the fake installers it deploys serve as delivery vehicles for the malware of the same name. This activity is viewed as part of the broader EvilAI series of operations, which use lures themed around artificial-intelligence tools.
To give their fake applications an air of authenticity, the operators employ certificates issued to fictitious companies registered in the United States, Panama, and Malaysia. When older certificates are revoked, new ones appear under different corporate names. Acronis points out that this infrastructure resembles a coordinated production line, capable of continually minting fresh keys and shielding malicious code inside signed binaries.
It is worth noting that the name TamperedChef has been applied by different security vendors to more than one threat: some use it for the loader component that others call BaoLoader, while the original malicious file carrying that name was embedded in a spoofed recipe application as part of EvilAI.
A typical infection scenario begins when a user searches for equipment manuals or PDF-handling tools. The search results surface ads or manipulated links leading to NameCheap-registered domains controlled by the attackers. After downloading and launching the installer, the user is shown a standard license agreement and, upon completion, a “thank you” message in a newly opened browser window.
Meanwhile, the system quietly creates an XML file that schedules the delayed execution of a hidden JavaScript module. This component connects to an external endpoint and transmits basic device identifiers and session details as an encrypted, encoded JSON payload over HTTPS.
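The persistence step described above (a scheduled task whose XML definition launches a script host against a hidden JavaScript file after a delay) is something defenders can triage from exported task definitions alone. The following is an added example written for this page, not code from Acronis or from the researchers; it parses Windows Task Scheduler XML with the standard library and flags tasks that combine a script host, a script-file argument, a user-writable path, a trigger delay, or the hidden flag. The two task definitions, the product names and the file paths inside them are constructed for illustration and are not indicators from the campaign.

```python
"""Heuristic triage of Windows Task Scheduler XML definitions (added example)."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Script hosts that a software installer rarely has a legitimate reason to schedule.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Script file extensions that Windows Script Host / mshta will execute.
SCRIPT_EXTS = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)
# Locations a standard user can write to; signed system tasks seldom live here.
USER_WRITABLE = re.compile(
    r"%(appdata|localappdata|temp|programdata)%|\\(AppData|Temp|ProgramData)\\",
    re.IGNORECASE,
)
# Trigger types that accept a <Delay> element (ISO 8601 duration, e.g. PT10M).
DELAYED_TRIGGERS = ("RegistrationTrigger", "LogonTrigger", "TimeTrigger", "BootTrigger")


def _namespace(root):
    """Return '{uri}' for a namespaced task file, or '' for a stripped copy."""
    match = re.match(r"\{(.*)\}", root.tag)
    return "{%s}" % match.group(1) if match else ""


def analyze_task_xml(xml_data):
    """Return command, arguments, individual findings and an overall verdict.

    Pass bytes read from an exported task file so the UTF-16 declaration
    real exports carry is honoured; str input is accepted for in-memory text.
    """
    root = ET.fromstring(xml_data)
    ns = _namespace(root)
    findings, command, arguments = [], "", ""

    for exec_el in root.iter(f"{ns}Exec"):
        command = (exec_el.findtext(f"{ns}Command") or "").strip()
        arguments = (exec_el.findtext(f"{ns}Arguments") or "").strip()
        exe = PureWindowsPath(command.strip('"')).name.lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"script host: {exe}")
        if SCRIPT_EXTS.search(arguments) or SCRIPT_EXTS.search(command):
            findings.append("script file in action")
        if USER_WRITABLE.search(arguments) or USER_WRITABLE.search(command):
            findings.append("action path in user-writable location")

    for trigger in DELAYED_TRIGGERS:
        for t in root.iter(f"{ns}{trigger}"):
            delay = (t.findtext(f"{ns}Delay") or "").strip()
            if delay:
                findings.append(f"delayed {trigger}: {delay}")

    hidden = (root.findtext(f"{ns}Settings/{ns}Hidden") or "").strip().lower()
    if hidden == "true":
        findings.append("task hidden from UI")

    # Verdict: a script-related finding plus at least two supporting ones.
    script_like = any(f.startswith("script") for f in findings)
    return {
        "command": command,
        "arguments": arguments,
        "findings": findings,
        "suspicious": script_like and len(findings) >= 3,
    }


def triage(task_defs):
    """Names of the tasks in {name: xml} judged suspicious, sorted."""
    return sorted(n for n, xml in task_defs.items() if analyze_task_xml(xml)["suspicious"])


# Constructed sample: a nightly backup job, the kind of task that should not fire.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleBackup\backup.exe</Command><Arguments>--nightly</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed sample mirroring the pattern in the text: hidden task, delayed
# trigger, script host running a .js file from a user-writable directory.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <RegistrationTrigger><Delay>PT10M</Delay></RegistrationTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>"%LOCALAPPDATA%\ExampleManualViewer\helper.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in {"backup": BENIGN_TASK, "viewer-helper": SUSPICIOUS_TASK}.items():
        result = analyze_task_xml(xml)
        print(name, "suspicious" if result["suspicious"] else "ok", result["findings"])
```

On a live host the same function can be pointed at the task definitions under `C:\Windows\System32\Tasks` (read in binary mode), which is where an installer-created task ends up; the scoring threshold is deliberately conservative so that a legitimate logon script with a delay does not trip it on its own.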
The operators’ ultimate goals remain only partially understood. Some versions of the malware have been involved in fraudulent advertising schemes, suggesting an attempt at direct monetization. At the same time, the gained access may be sold to other criminal groups or used to harvest confidential information for resale on underground markets.
Telemetry shows the highest concentration of infections in the United States, with smaller clusters observed in Israel, Spain, Germany, India, and Ireland. Organizations in healthcare, construction, and manufacturing are affected most frequently — a trend researchers attribute to employees’ routine searches for manuals for specialized equipment, making them especially susceptible to such traps.