TamperedChef malware disguised as PDF editor stealing data

Researchers at Truesec uncovered a malware campaign that has been distributing a weaponized PDF editor, "AppSuite PDF Editor", since June 2025. Promoted through multiple websites and Google Ads, the software behaves like a legitimate editor at first and only later activates the TamperedChef infostealer.


The malware is heavily obfuscated, likely with AI-generated code, and establishes persistence through registry keys. After roughly 56 days, a delay long enough to outlast typical sandbox analysis, it downloads and runs an obfuscated payload that decrypts browser-stored secrets with DPAPI, checks for installed security software, and terminates browser processes so that it can read their otherwise locked credential databases.
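The three behaviours described above (a Run-key persistence entry written at install time, browsers being killed weeks later, and the credential store being read immediately afterwards) are individually noisy but rarely occur together for one non-browser process. The following correlation rule, written for this article as an added example and not code from Truesec or from the malware, runs over constructed Sysmon-style endpoint events; the event schema, the process path and the timestamps are all assumptions, not indicators from the campaign.

```python
"""Correlate persistence, browser-kill and credential-store access per process.

Added example for this article. The event schema and every sample value below
are constructed for illustration; none of them are real indicators.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
RUN_KEY_MARKER = "\\currentversion\\run\\"          # HKCU/HKLM ...\CurrentVersion\Run\<name>
CREDENTIAL_STORES = ("\\login data", "\\logins.json", "\\key4.db", "\\local state")


def behaviours(event):
    """Map one endpoint event to the set of suspicious behaviours it evidences."""
    etype = event["type"]
    target = event.get("target", "").lower()
    found = set()
    if etype == "registry_set" and RUN_KEY_MARKER in target:
        found.add("run_key_persistence")
    if etype == "process_create":
        cmd = event.get("cmdline", "").lower()
        if "taskkill" in cmd and any(b in cmd for b in BROWSERS):
            found.add("browser_kill")
    if etype == "process_terminate" and target.split("\\")[-1] in BROWSERS:
        found.add("browser_kill")
    if etype == "file_read" and target.endswith(CREDENTIAL_STORES):
        found.add("credential_store_read")
    return found


def correlate(events, window=timedelta(minutes=10)):
    """Return actor images that set Run-key persistence at any time AND killed a
    browser and read a browser credential store within `window` of each other.

    The persistence write is not windowed because, as in the campaign above,
    it can predate the stealer stage by weeks. Browsers reading their own
    stores are ignored as normal activity.
    """
    seen = defaultdict(lambda: defaultdict(list))  # image -> behaviour -> [timestamps]
    for ev in events:
        actor = ev["image"]
        if actor.split("\\")[-1].lower() in BROWSERS:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        for b in behaviours(ev):
            seen[actor][b].append(ts)

    flagged = set()
    for actor, by_type in seen.items():
        if not by_type["run_key_persistence"]:
            continue
        kills, reads = by_type["browser_kill"], by_type["credential_store_read"]
        if any(abs(r - k) <= window for k in kills for r in reads):
            flagged.add(actor)
    return flagged


# Constructed sample telemetry; the editor's install path is hypothetical.
ACTOR = r"C:\Users\alice\AppData\Local\Programs\PDF Editor\pdfeditor.exe"
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T10:00:00", "type": "registry_set", "image": ACTOR,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PDFEditor"},
    # ~56 days later the second stage runs
    {"ts": "2025-07-28T09:12:00", "type": "process_create", "image": ACTOR,
     "cmdline": "taskkill /F /IM chrome.exe"},
    {"ts": "2025-07-28T09:12:03", "type": "file_read", "image": ACTOR,
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # benign: the browser reading its own credential store
    {"ts": "2025-07-28T09:20:00", "type": "file_read",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # benign: an updater that registers a Run key but never touches browsers
    {"ts": "2025-07-01T08:00:00", "type": "registry_set",
     "image": r"C:\Program Files\Vendor\updater.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
]

if __name__ == "__main__":
    for image in sorted(correlate(SAMPLE_EVENTS)):
        print("TamperedChef-like behaviour chain:", image)
```

Only the PDF editor process is flagged: the updater has persistence but no browser tampering, and Chrome reading its own "Login Data" file is excluded as an actor. In production the same logic maps onto Sysmon event IDs 13 (registry value set), 1 (process creation) and 5 (process terminated), with file reads coming from an EDR that records them, since Sysmon alone does not.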


The campaign is tied to code-signing certificates issued to several dubious companies and to earlier malware such as OneStart and Epibrowser. The threat actors have been active since at least August 2024, consistently disguising their malware as utility tools.

Truesec advises carefully vetting software from unknown sources, since an app that looks harmless for weeks can turn malicious later. Google is cooperating with CERTs to address the threat.


NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.