Cybersecurity researchers have recently exposed a dangerous new malware campaign that hides inside what looks like a harmless PDF editing tool. Attackers are disguising their malicious software as “AppSuite PDF Editor,” which is being pushed through fake advertisements online. The campaign has already affected multiple organizations in Europe and poses a serious threat to anyone downloading such tools from unverified sources.
The trick begins with online ads that promote free PDF editors. When users click on them, they are directed to professional-looking download pages. The installer file appears genuine and even displays a standard license agreement, but behind the scenes, it contacts attacker-controlled servers. This connection allows the program to install not only the PDF editor but also a hidden malware called TamperedChef.
At first, the software appears to work normally, which helps avoid suspicion. However, the installer also modifies system settings in Windows to make sure the program runs again after every reboot. Researchers noted that the malware adds registry entries and scheduled tasks, giving it persistence so it cannot be removed easily by just restarting the computer.
Investigations show that this campaign started around June 26, 2025. During the first several weeks, the fake editor behaved in a relatively harmless way, which allowed it to spread widely across systems without being flagged as malicious. But on August 21, 2025, the attackers activated the true capabilities of TamperedChef, turning it into a powerful information-stealing tool.
Once activated, TamperedChef immediately scans the system and checks for installed security products. It then forcefully closes web browsers and begins stealing sensitive data. The main targets are Chromium-based browsers, where people usually store login credentials, cookies, and browsing history. By calling the Windows Data Protection API (DPAPI), the malware can unlock the browsers' protected databases and extract the private information inside them.
The malware does not just steal information but also behaves like a backdoor, allowing attackers to maintain long-term control over infected machines. It accepts command-line switches such as “--install,” “--check,” “--ping,” and “--reboot.” It also creates scheduled tasks with names such as “PDFEditorScheduledTask” or “PDFEditorUScheduledTask” and sets up autorun entries with update commands to make sure it continues running silently in the background.
This technique means that even if the fake PDF editor itself looks harmless, the hidden processes keep working secretly. The combination of an apparently useful application with a concealed backdoor makes the attack highly effective and harder for users to notice until the damage has already been done.
Security analysts have confirmed that several organizations in Europe have already been affected, showing that the campaign is not just experimental but actively targeting real victims. Since the distribution relies on fake Google Ads and similar campaigns, it is possible that many more people could unknowingly fall into the trap.
Experts strongly advise avoiding downloads of “AppSuite PDF Editor” or similar free PDF editing tools that come from untrusted websites or ads. Users and organizations should scan their systems for suspicious autorun entries, registry changes, and scheduled tasks with names linked to the fake editor. Blocking the domains connected to the malware and removing the infected applications are also essential steps in minimizing the impact.
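A hunting script for the persistence artifacts the article names, added here as an example and not taken from the original report or the researchers' tooling. The Run-key paths are the standard Windows ones; the match pattern (product name, the two task names and the switches quoted above) is an assumption, so every hit needs a manual look before anything is removed.

```powershell
# Hunt for the persistence artifacts named in the TamperedChef report.
# Assumed (not from the article): the exact autorun value names are unknown,
# so autoruns and processes are matched on a pattern built from the product
# name, the task names and the command-line switches the article quotes.
$taskNames = @('PDFEditorScheduledTask', 'PDFEditorUScheduledTask')
$pattern   = 'AppSuite|PDF ?Editor|--(install|check|ping|reboot)\b'
$findings  = [System.Collections.Generic.List[object]]::new()

# 1. Scheduled tasks: exact names from the report, plus any task whose action matches
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    if ($taskNames -contains $task.TaskName -or $actions -match $pattern) {
        $findings.Add([pscustomobject]@{
            Type   = 'ScheduledTask'
            Name   = "$($task.TaskPath)$($task.TaskName)"
            Detail = $actions
        })
    }
}

# 2. Autorun entries in the standard per-user and machine-wide Run/RunOnce keys
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties | Where-Object { $providerProps -notcontains $_.Name }) {
        if ("$($p.Name) $($p.Value)" -match $pattern) {
            $findings.Add([pscustomobject]@{ Type = 'Autorun'; Name = "$key\$($p.Name)"; Detail = $p.Value })
        }
    }
}

# 3. Running processes, since the hidden component keeps executing after install
foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    if ($proc.CommandLine -match $pattern) {
        $findings.Add([pscustomobject]@{ Type = 'Process'; Name = "$($proc.Name) (PID $($proc.ProcessId))"; Detail = $proc.CommandLine })
    }
}

# The switch names alone are a weak signal (other software also uses --check),
# which is why the output is reviewed rather than acted on automatically.
if ($findings.Count -eq 0) { 'No TamperedChef-style persistence artifacts found.' }
else { $findings | Sort-Object Type, Name | Format-Table -AutoSize -Wrap }
```

Run it in an elevated PowerShell session so the HKLM keys and all users' tasks are readable; the domains the article mentions are not listed, so network blocking has to be driven from the researchers' indicator list rather than from this script.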
The TamperedChef campaign highlights once again how attackers are exploiting everyday needs like free PDF editing software to push dangerous malware. By running silently for weeks before activating its stealing features, the malware was able to spread more widely and maximize its reach. This incident is a clear reminder that even common tools can become traps, and downloading software only from verified sources is the best way to stay safe.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news