Cybercriminals are using multiple websites promoted via Google ads to distribute a fake PDF editing app called AppSuite PDF Editor. This app secretly delivers malware known as TamperedChef, which steals sensitive information from users’ computers.
This campaign is part of a larger operation involving several apps that can install one another, sometimes even tricking users into making their computers part of a residential proxy network.
The Scope of the Campaign
Researchers have found over 50 websites hosting fake apps signed with counterfeit digital certificates from at least four different companies. The campaign is very organized: the threat actors let the ads run for almost two months before activating the harmful features, maximizing the number of downloads before the malicious functionality was switched on.
How TamperedChef Infects Your System
Security experts at Truesec analyzed how TamperedChef infects computers. They found that the infection chain starts with a free tool named AppSuite PDF Editor, promoted via Google ads and suspicious websites. The campaign began around June 26, 2025.
Initially, the app behaves normally, but on August 21, it receives an update that activates the malware components designed to steal data like passwords and browser cookies.
The malware uses Windows security features such as DPAPI (Data Protection API) to access sensitive information stored in browsers. It also checks which security software is installed in order to evade detection, and can even shut down browsers to get at data those browsers keep locked while they are running.
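As an added illustration, not taken from the Truesec or Expel reports, here is a defender-side heuristic in Python for the behaviour described above: a process other than a browser terminating a browser and, shortly afterwards, reading the browser's DPAPI-protected credential store. The log format, process names and file paths in the sample log are constructed for this example; the Chromium file names "Local State" (which holds the DPAPI-wrapped key) and "Login Data" are real.

```python
"""Heuristic detector: non-browser process kills a browser, then reads its
DPAPI-protected credential store within a short time window."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Chromium credential-store files (lower-cased; matched as path suffixes).
CRED_FILES = ("local state", "login data", "cookies")


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str     # "process_terminate" or "file_read"
    actor: str    # image name of the process performing the action
    target: str   # terminated image name, or the file path read


def parse_line(line: str) -> Event:
    """Parse one constructed line: '<ISO time> <kind> actor=<img> target=<value>'."""
    ts, kind, actor, target = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), kind,
                 actor.split("=", 1)[1].lower(), target.split("=", 1)[1].lower())


def suspicious_actors(lines, window=timedelta(minutes=5)):
    """Return actors that terminated a browser and then read a credential
    store file within `window`. Browsers reading their own stores are ignored."""
    kills = defaultdict(list)  # actor -> timestamps of browser terminations
    hits = set()
    for line in sorted(lines):  # ISO timestamps sort chronologically as text
        ev = parse_line(line)
        if ev.actor in BROWSERS:
            continue
        if ev.kind == "process_terminate" and ev.target in BROWSERS:
            kills[ev.actor].append(ev.ts)
        elif ev.kind == "file_read" and ev.target.endswith(CRED_FILES):
            if any(ev.ts - k <= window for k in kills[ev.actor]):
                hits.add(ev.actor)
    return hits


# Constructed sample log (process names and user path are hypothetical).
CHROME = "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data"
SAMPLE_LOG = [
    f"2025-08-21T10:00:01 process_terminate actor=pdfeditor.exe target=chrome.exe",
    f"2025-08-21T10:00:03 file_read actor=pdfeditor.exe target={CHROME}\\Local State",
    f"2025-08-21T10:00:04 file_read actor=pdfeditor.exe target={CHROME}\\Default\\Login Data",
    f"2025-08-21T10:05:00 file_read actor=chrome.exe target={CHROME}\\Default\\Login Data",
    f"2025-08-21T09:00:00 process_terminate actor=updater.exe target=msedge.exe",
    f"2025-08-21T09:30:00 file_read actor=updater.exe target={CHROME}\\Local State",
]
```

Only `pdfeditor.exe` is flagged: the browser reading its own store is ignored, and `updater.exe` read the store 30 minutes after its kill, outside the 5-minute window.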
Google Ads as a Tool for Distribution
The attack relies heavily on Google advertising, with at least five different Google campaign IDs identified. This points to an extensive and well-planned advertising campaign designed to spread the fake PDF editor widely before any malicious activity kicks in.
Fake Certificates and Related Apps
The fake PDF editor was signed with false certificates from companies including ECHO Infini SDN BHD, GLINT By J SDN BHD, and SUMMIT NEXUS Holdings LLC.
The attackers are also linked to other suspicious programs like OneStart and Epibrowser browsers, which have been flagged as potentially unwanted or malware-like for converting infected computers into proxies that can be abused by attackers or affiliates.
Proxy Network Abuse
In some cases, the fake PDF editor asks users for permission to turn their device into a residential proxy in exchange for free software use. While the proxy network provider might be legitimate, the attackers behind the PDF editor profit by exploiting this system without users’ real consent, putting their privacy and security at risk.
Final Warning and Protection Advice
The researchers warn that even though these programs look like innocuous utility tools, their behavior matches that of malware, capable of stealing data and executing hidden commands. The campaign involves several other apps that may still be inactive but could later cause harm.
To protect against such threats, users should avoid downloading software from unknown sources, be cautious about software permissions, and keep security software updated. Reporting suspicious apps and ads to cybersecurity organizations and Google can help fight against these attacks.
This article summarizes findings from cybersecurity reports by Truesec and Expel, which include detailed indicators of compromise (IoCs) to help defenders block this malware threat effectively. Staying aware and vigilant is essential to keeping systems safe from evolving scams like TamperedChef.