A new wave of malware disguised as everyday productivity tools has been quietly spreading across the internet, stealing user credentials and giving attackers remote control of infected systems.
Researchers have tracked hundreds of campaigns tied to a threat known as TamperedChef, also called EvilAI, which wraps dangerous code inside apps that look and feel completely legitimate.
Since early 2023, attackers have packaged malware inside tools like PDF editors, calendar apps, ZIP extractors, and GIF image makers. These apps work as advertised, which is exactly why victims rarely suspect anything at all.
They sit silently on a device for weeks or even months before triggering malicious activity, making them difficult to catch with standard security tools.
Analysts at Unit42 identified and tracked three distinct clusters of this activity, labeled CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110.
According to a Unit42 report shared with Cyber Security News (CSN), researchers found over 4,000 unique samples and more than 100 unique variants across these campaigns, with infections appearing in more than 50% of monitored enterprise environments globally.
What makes TamperedChef so dangerous is how convincingly it mimics real software. Download pages are professionally built with legal terms, contact pages, and one-click download buttons on legitimate-looking domains.
TamperedChef Malware Uses Signed Productivity Apps
The apps deliver on their promises, leaving victims with little reason to question what they just installed. The scale of this operation points to a well-funded, highly organized effort.
Researchers estimate the operators behind just one cluster spent over $10,000 on code-signing certificates alone, which are digital stamps that make software appear trustworthy. This level of investment signals a long-term, profit-driven campaign far beyond what typical adware operations would attempt.
One of TamperedChef’s defining tactics is using legitimate code-signing certificates to make its payloads appear safe. These certificates are issued to verified companies, and most security tools treat signed software as trustworthy.
Threat actors exploited this by building networks of shell companies across Ukraine, Malaysia, Israel, the UK, and the US to obtain valid certificates.
Researchers traced the CL-CRI-1089 cluster to 34 unique code-signing entities, connected through shared certificate usage, overlapping code, and corporate structure analysis.
The Calendaromatic campaign used a self-extracting archive containing a functional calendar app bundled with a hidden remote access Trojan. Once active, that RAT contacted a command-and-control server and pulled down a second-stage payload to further compromise the victim.
The CL-UNK-1090 cluster took a more integrated approach, with the same group owning both the advertising agencies and the malware-signing companies.
Examples of download pages for TamperedChef-style fake productivity applications (Source – Unit42)
Over 20,000 unique ads were traced to this cluster through ad transparency platforms, spanning campaigns like CrystalPDF, OneZip, and Easy2Convert.
Operators used generative AI to build distribution websites at scale, producing pages that looked similar but had structurally different underlying code.
Stealers, RATs, and What Happens After Infection
Once a TamperedChef app activates, it delivers one of two payload categories depending on the campaign. The first is adware and browser hijackers, which redirect searches and take control of browsing behavior.
Simplified signature flow of reuse between samples (Source – Unit42)
The second, and more serious, is the deployment of information stealers and remote access Trojans that target saved credentials and allow attackers to run commands remotely.
Second-stage payloads typically arrive weeks after installation through an upstream API connection, long after any initial suspicion fades.
In some campaigns, such as AppSuite, researchers also found proxy-style malware routing traffic through victim machines. The CL-CRI-1089 cluster showed the most aggressive credential theft, while CL-UNK-1090 favored stealthier in-memory payloads that leave fewer traces on disk.
To defend against this threat, security teams should ensure endpoint detection tools are fully updated across all devices and consider enterprise browsers that block malicious downloads before they reach users.
Training employees to recognize unfamiliar software risks is equally critical, even when download sites look entirely professional.
If an infection is discovered, teams should quarantine related files, remove persistence mechanisms like scheduled tasks, reset credentials for affected accounts, and review access logs to confirm whether stolen credentials have already been misused.
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| SHA256 Hash | 248de1470771904462c91f146074e49b3d7416844ec143ade53f4ac0487fdb4 | RapiDoc binary containing PDB path, linked to CANDY TECH LTD (CL-UNK-1090) |
| SHA256 Hash | 42231bfa7c7bd4a8ff12568074f83de8e4ec95c226230cccc6616a1a4416de268 | RapiDoc binary containing PDB path, linked to CANDY TECH LTD (CL-UNK-1090) |
| PDB Path | D:!Work\Clients\<user>\Projects\RapiDoc\SrcForTests\RapiDoc\x64\Release\RapiDoc\RapiDoc.pdb | Program database path found in RapiDoc binaries, likely left by mistake during build |
| Domain | onezipapp[.]com | Distribution site for OneZip malware, signed by TAU CENTAURI LTD (CL-UNK-1090) |
| Domain | crystalpdf[.]com | Distribution site for CrystalPDF, used by CL-UNK-1090 cluster |
| Domain Pattern | pixel.toolname[.]com | C2 domain pattern used by PixelCheck variant (PDFPrime/ManualzPDF campaigns, CL-CRI-1089) |
| Code Signer | CROWN SKY LLC | Code-signing entity used in Calendaromatic campaign (CL-CRI-1089) |
| Code Signer | MARKET FUSION INNOVATIONS LLC | Code-signing entity linked to Calendaromatic campaign (CL-CRI-1089) |
| Code Signer | CANDY TECH LTD | Core signing and advertising entity for CL-UNK-1090 cluster |
| Code Signer | TAU CENTAURI LTD | Signing entity linked to OneZip campaign (CL-UNK-1090) |
| Code Signer | B.L.A ASPIRE LTD | Signing entity for JustConvertFiles binaries (CL-UNK-1090) |
| Code Signer | PASTEL CONCEPTION LTD | Signing entity for JustConvertFiles; linked to PDFPilot, SwiftNav, ShinyPDF, FileEase |
| Code Signer | BUZZ BOOST ADVERTISERS LLC | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | ADSMARKETO LLC | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | ADVANTAGE WEB MARKETING LLC | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | Europae-Solutio Ltd | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | SP Development and Solution Limited | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | LLC MATCH-TWO-USERS | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Code Signer | Monetize forward LLC | Certificate entity linked to PixelCheck variant (CL-CRI-1089) |
| Malware Sample | calendaromatic-win_x64.exe | First-stage binary from Calendaromatic campaign (CL-CRI-1089) |
| Malware Sample | resources.neu | Obfuscated NeutralinoJS resource file containing C2 logic, Calendaromatic campaign |
| File Name | RapiDoc.pdb | Debug symbol file found in RapiDoc binaries (CL-UNK-1090) |
| Campaign Name | AppSuite PDF | Malicious PDF editor spreading TamperedChef malware; observed deploying proxy-style payloads |
| Campaign Name | Calendaromatic | Calendar app trojan; earliest tracked CL-CRI-1089 activity (late 2023) |
| Campaign Name | CrystalPDF | Malicious PDF tool distributed by CL-UNK-1090; hosted at crystalpdf[.]com |
| Campaign Name | JustAskJacky | App distributed by CL-UNK-1110 cluster |
| Campaign Name | OneZip | Malicious ZIP tool signed by TAU CENTAURI LTD; distributed via onezipapp[.]com |
| Campaign Name | PDFPrime / ManualzPDF | Early CL-CRI-1089 campaigns sharing code and C2 patterns (PixelCheck variant) |
| Campaign Name | ZipMakerPro | TamperedChef-style app linked to CANDY TECH LTD (CL-UNK-1090) |
| Campaign Name | GifsMakerPro | TamperedChef-style app linked to CANDY TECH LTD (CL-UNK-1090) |
| Campaign Name | ScreensRecorder | TamperedChef-style app linked to CANDY TECH LTD (CL-UNK-1090) |
| Campaign Name | RapiDoc | App with CANDY TECH LTD copyright; contained leaked PDB path (CL-UNK-1090) |
| Campaign Name | JustConvertFiles | Malicious file conversion tool distributed by CANDY TECH LTD (CL-UNK-1090) |
| Campaign Name | PDFPilot | Campaign linked to B.L.A ASPIRE LTD and PASTEL CONCEPTION LTD (CL-UNK-1090) |
| Campaign Name | SwiftNav | Campaign linked to B.L.A ASPIRE LTD and PASTEL CONCEPTION LTD (CL-UNK-1090) |
| Campaign Name | ShinyPDF | Campaign linked to B.L.A ASPIRE LTD and PASTEL CONCEPTION LTD (CL-UNK-1090) |
| Campaign Name | FileEase | Campaign linked to B.L.A ASPIRE LTD and PASTEL CONCEPTION LTD (CL-UNK-109 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
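A practical way to apply the indicators above during the triage steps described earlier (quarantining files, reviewing logs) is to match them against an endpoint's signed-binary inventory and its DNS query log. The script below is an added example, not Unit42's or CSN's code: it refangs the defanged domains, matches the two published SHA256 hashes and a subset of the listed code-signing entities, and generalises the pixel.toolname[.]com pattern to any tool-name label. All sample records are constructed.

```python
import re

# IoC values copied from this page's table (a subset); sample records further down are constructed.
KNOWN_HASHES = {
    "248de1470771904462c91f146074e49b3d7416844ec143ade53f4ac0487fdb4",
    "42231bfa7c7bd4a8ff12568074f83de8e4ec95c226230cccc6616a1a4416de268",
}
KNOWN_SIGNERS = {"CANDY TECH LTD", "TAU CENTAURI LTD", "CROWN SKY LLC",
                 "B.L.A ASPIRE LTD", "PASTEL CONCEPTION LTD"}
DEFANGED_DOMAINS = {"onezipapp[.]com", "crystalpdf[.]com"}
# pixel.toolname[.]com from the table, generalised: "toolname" may be any single DNS label.
C2_PATTERN = re.compile(r"^pixel\.[a-z0-9-]+\.com$")


def refang(ioc):
    """Reverse the [.] defanging used on this page; do this only inside a controlled TI or SIEM platform."""
    return ioc.replace("[.]", ".")


KNOWN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def classify_binary(record):
    """record = {'path', 'sha256', 'signer'} as exported from an EDR or software inventory (assumed shape)."""
    reasons = []
    if record.get("sha256", "").lower() in KNOWN_HASHES:
        reasons.append("known TamperedChef sample hash")
    signer = record.get("signer", "").strip().upper()  # signer names compared case-insensitively
    if signer in KNOWN_SIGNERS:
        reasons.append("signed by known TamperedChef entity: " + signer)
    return reasons


def classify_dns(name):
    """Label a queried hostname that is a listed distribution site or fits the PixelCheck C2 pattern."""
    host = name.strip().lower().rstrip(".")  # normalise trailing dot and case from DNS logs
    if host in KNOWN_DOMAINS:
        return "distribution-site"
    if C2_PATTERN.match(host):
        return "pixelcheck-c2-pattern"
    return None


def triage(binaries, dns_queries):
    """Run both checks and return only the hits, ready to attach to an incident ticket."""
    bin_hits = {b["path"]: r for b in binaries if (r := classify_binary(b))}
    dns_hits = {q: label for q in dns_queries if (label := classify_dns(q))}
    return {"binaries": bin_hits, "dns": dns_hits}


if __name__ == "__main__":
    # Constructed sample input, not real telemetry.
    sample_binaries = [
        {"path": r"C:\Users\u\Downloads\OneZip-setup.exe", "sha256": "ab" * 32, "signer": "Tau Centauri Ltd"},
        {"path": r"C:\Program Files\ExampleVendor\tool.exe", "sha256": "cd" * 32, "signer": "Example Vendor Inc"},
    ]
    sample_dns = ["pixel.exampletool.com.", "onezipapp.com", "update.microsoft.com"]
    print(triage(sample_binaries, sample_dns))
```

A signer match alone is a strong lead but not proof, since the page notes these entities obtained valid certificates; confirm with the hash, the C2 pattern, or the scheduled-task persistence mentioned in the response steps before acting.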
The post TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs appeared first on Cyber Security News.