Nov 20 / IT GRC Forum

TamperedChef: Global Malvertising Attack Disguises Malware as Trusted Software


A sophisticated global malvertising campaign known as TamperedChef is deceiving users into downloading malware disguised as installers for popular software. According to the Acronis Threat Research Unit (TRU), the attackers distribute bogus installers that look like legitimate tools, with the goal of establishing persistence and deploying a JavaScript backdoor for remote access and control. The campaign remains active, with new samples and infrastructure continuing to emerge, signaling an ongoing and evolving threat.

This activity is linked to a wider set of operations known as EvilAI, which has been leveraging online interest in artificial intelligence tools to spread malware. TamperedChef specifically focuses on distributing an information stealer and backdoor component using installers that appear authentic. To boost their credibility, attackers employ code-signing certificates fraudulently obtained using shell companies registered in countries such as the U.S., Panama, and Malaysia. When older certificates are revoked, they simply acquire new ones, perpetuating the campaign seamlessly and reinforcing the false sense of legitimacy.

Acronis researchers describe the attackers' infrastructure as "industrialized and business-like," highlighting how organized the campaign has become. The threat actors have built a reproducible pipeline for producing signed, malicious software at scale, an approach that capitalizes on the trust users and security tools place in digitally signed applications. A valid Authenticode signature proves only that the file has not been altered since whoever held the certificate signed it; it says nothing about that signer's intent. Defenses that treat "signed by anyone" as a pass, rather than allowlisting specific publishers and checking revocation status, are therefore exactly what this pipeline is designed to slip past, while unknown or unsigned executables would still be flagged.

Victims are commonly lured through malicious advertisements and search engine optimization tactics, particularly when searching for PDF editors, device drivers, or product manuals via engines like Bing. Clicking these ads or poisoned links redirects users to counterfeit download pages hosted on domains registered through NameCheap. The installers present a legitimate-looking interface, often even opening a browser tab with a thank-you message to reinforce the illusion of authenticity.

Unbeknownst to the user, the installer drops a scheduled-task XML definition, which registers a task that runs an obfuscated JavaScript backdoor. This backdoor connects to a remote server and transmits encrypted, Base64-encoded details such as session IDs, machine IDs, and other basic system metadata. While some versions of the malware have been associated with ad-fraud schemes, researchers believe the threat actors may also intend to sell access, harvest sensitive data, or hand entry points to other cybercriminal groups.
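The persistence mechanism described above, a scheduled task whose action hands a script to the Windows script host, is something defenders can hunt for directly in the on-disk task store. The following Python is an example added by the editor, not code from Acronis TRU or from the TamperedChef samples: it parses Task Scheduler XML (the format `schtasks /Create /XML` consumes) and flags any task whose action launches wscript.exe, cscript.exe or mshta.exe, or passes a .js/.vbs/.wsf/.hta file or the `//E:JScript` engine switch in its arguments. The two task definitions embedded below are constructed for illustration; the paths and file names in them are not indicators from the campaign.

```python
"""Audit Windows Task Scheduler XML for actions that launch a script host.

Editor-added example, not from the Acronis report or the TamperedChef samples.
Both sample task definitions below are constructed; the paths and names are
illustrative assumptions, not real indicators of compromise.
"""
import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML definition.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binaries that execute JScript/VBScript/HTA content on Windows.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# A script extension anywhere in the arguments, or the //E:<engine> switch that
# makes wscript/cscript run a file with an innocuous extension as JScript.
SCRIPT_ARGS = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta)\b|//[eE]:\s*\w*script", re.IGNORECASE)


def _exe_name(command):
    """Reduce '"C:\\Windows\\System32\\wscript.exe"' to 'wscript.exe'."""
    return command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_task(xml_data):
    """Return a list of finding strings for one task definition (str or bytes).

    Files under C:\\Windows\\System32\\Tasks are UTF-16 with an XML declaration,
    so pass their raw bytes and let the parser honour the declaration.
    """
    root = ET.fromstring(xml_data)
    findings = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        exe = _exe_name(cmd)
        if exe in SCRIPT_HOSTS:
            findings.append(f"script host launched: {exe} {args.strip()}")
        elif SCRIPT_ARGS.search(args):
            findings.append(f"script file passed to {exe}: {args.strip()}")
    if findings:
        # Record what keeps the backdoor coming back (logon, boot, timer, ...).
        triggers = [t.tag.split("}")[-1] for t in root.iterfind(".//t:Triggers/*", TASK_NS)]
        if triggers:
            findings.append("persistence triggers: " + ", ".join(triggers))
        hidden = root.findtext(".//t:Settings/t:Hidden", default="", namespaces=TASK_NS)
        if hidden.strip().lower() == "true":
            findings.append("task is hidden from the Task Scheduler UI")
    return findings


def scan_tasks(task_dir=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store and map each suspicious task path to its findings."""
    hits = {}
    for path in Path(task_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            findings = audit_task(path.read_bytes())
        except ET.ParseError:
            continue  # not a task definition (or corrupt); skip it
        if findings:
            hits[str(path)] = findings
    return hits


# Constructed sample: a hidden logon-triggered task that feeds a .dat file to
# wscript as JScript, the shape of persistence the article describes.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\ProgramData\Updater\update.dat"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample of an ordinary task that should not be flagged.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger/></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\sc.exe</Command><Arguments>start w32time task_started</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    # With no argument, audit the embedded samples; otherwise scan a task store.
    if len(sys.argv) > 1:
        for path, found in scan_tasks(sys.argv[1]).items():
            print(path, *found, sep="\n  ")
    else:
        print("sample:", audit_task(SAMPLE_TASK))
        print("benign:", audit_task(BENIGN_TASK))
```

Run it with no arguments to see the constructed samples classified, or point it at a copy of a host's `C:\Windows\System32\Tasks` tree. Matching on the script host and the `//E:` switch rather than on a file extension alone matters here, because an obfuscated payload dropped under a non-.js name is still executed as JScript when the task's arguments say so.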

Telemetry from Acronis indicates that the campaign disproportionately affects organizations in the United States, with smaller clusters in Israel, Spain, Germany, India, and Ireland. The most impacted industries include healthcare, construction, and manufacturing—sectors that frequently rely on specialized digital equipment and often search online for manuals and supporting tools. Researchers suspect that this common behavior makes them especially susceptible to TamperedChef’s tactics, enabling cybercriminals to continue capitalizing on user trust in familiar, everyday software names.
