Threat actors are increasingly leveraging promoted websites through Google Ads to disseminate a deceptive PDF editing application known as AppSuite PDF Editor. This application is specifically designed to deploy an information-stealing malware dubbed TamperedChef. The ongoing campaign forms part of a broader operation involving numerous applications capable of downloading one another, with some effectively coercing users into enrolling their systems as residential proxies.
Extensive investigations have identified over 50 domains associated with these misleading applications, all of which are signed using fraudulent certificates from at least four distinct companies. This orchestrated effort appears sophisticated, with operators strategically delaying the activation of malicious features until after the ads have completed their run, as noted by cybersecurity researchers.
Delivery of the Infostealer
A comprehensive technical analysis conducted by cybersecurity firm Truesec reveals the intricacies involved in the deployment of the TamperedChef infostealer onto user systems. The researchers traced the malware’s distribution back to various websites advertising the AppSuite PDF Editor.
The campaign appears to have commenced on June 26, coinciding with the registration and advertising of many associated websites. Interestingly, malware scans using VirusTotal indicated that the malicious application was verified as early as May 15.
Initially, the application operates without raising suspicion, until it receives a pivotal update on August 21 that activates its infostealer functionality, enabling the collection of sensitive information including credentials and web cookies. According to Truesec, the malicious update path is triggered when the PDF editor is executed with the “-fullupdate” command-line argument.
Furthermore, the malware checks for various security agents installed on the host system and probes web browser databases, using the Windows Data Protection Application Programming Interface (DPAPI), the mechanism Windows uses to encrypt sensitive data such as stored browser secrets.
Figure: Identification of security agents by the TamperedChef infostealer (source: Truesec)
Truesec’s investigation found compelling evidence suggesting that the distribution of TamperedChef via AppSuite PDF Editor has relied heavily on Google Ads to amplify its visibility. The firm documented at least five distinct Google campaign IDs, indicative of a widespread initiative.
The strategic timing appears deliberate, with the threat actors seeking to maximize download rates prior to activating malicious elements, delivering the infostealer just four days before the standard 60-day expiration period for Google ad campaigns.
Further investigation into AppSuite PDF Editor reveals that various iterations of the software have been signed with certificates from at least four companies, including ECHO Infini SDN BHD, GLINT By J SDN. BHD, and SUMMIT NEXUS Holdings LLC.
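The two observables the reporting gives defenders are the “-fullupdate” launch argument that activates the stealer and the set of signers whose (now revoked) certificates appear on AppSuite PDF Editor builds. The following triage helper, an added example and not code from Truesec or Expel, flags process-creation records on either basis; the executable paths, command lines and the benign vendor name in the sample events are constructed, and the signer comparison normalises case and punctuation because the same company is written as both “ECHO Infini SDN BHD” and “ECHO INFINI SDN. BHD” in the reporting.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Publishers named in the reporting as having signed AppSuite PDF Editor builds
# (certificates since revoked). Compared with case and punctuation stripped.
SUSPECT_SIGNERS = {
    "ECHO Infini SDN BHD",
    "GLINT By J SDN. BHD",
    "SUMMIT NEXUS Holdings LLC",
}
# Command-line argument Truesec reports as triggering the infostealer update path.
TRIGGER_ARG = "-fullupdate"


@dataclass
class ProcEvent:
    image: str              # full path of the executable that was started
    cmdline: str            # full command line
    signer: Optional[str]   # code-signing subject, None if unsigned


def _norm(name: str) -> str:
    return re.sub(r"[^a-z0-9]", "", name.lower())


_NORM_SIGNERS = {_norm(s) for s in SUSPECT_SIGNERS}


def classify(ev: ProcEvent) -> List[str]:
    """Return the reasons an event is suspicious (empty list = nothing flagged)."""
    reasons = []
    # Match the argument as a whole token so "--fullupdate-check" is not miscounted.
    tokens = ev.cmdline.lower().split()
    if TRIGGER_ARG in tokens and "pdf" in ev.image.lower():
        reasons.append("pdf-editor-fullupdate")
    if ev.signer and _norm(ev.signer) in _NORM_SIGNERS:
        reasons.append("revoked-campaign-signer")
    return reasons


def triage(events: List[ProcEvent]) -> dict:
    """Map each flagged image path to its list of reasons."""
    return {ev.image: classify(ev) for ev in events if classify(ev)}


# Constructed sample events (paths, command lines and the benign vendor are invented).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\sample\AppSuite\PDF Editor.exe", '"PDF Editor.exe" -fullupdate', "ECHO INFINI SDN. BHD"),
    ProcEvent(r"C:\sample\OneStart\OneStart.exe", "OneStart.exe --background", "SUMMIT NEXUS Holdings LLC"),
    ProcEvent(r"C:\sample\Vendor\Viewer.exe", "Viewer.exe --fullupdate-check", "Example Benign Vendor"),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(reasons))
```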
Involvement in Residential Proxies
The campaign’s operators have been active at least since August 2024, promoting additional tools such as OneStart and Epibrowser. Notably, OneStart is often flagged as a potentially unwanted program (PUP), typically associated with adware behaviors.
Expel, a managed detection and response firm, has also examined incidents linked to AppSuite PDF Editor, ManualFinder, and OneStart, all of which exhibit alarming behaviors such as dropping suspicious files, executing unauthorized commands, and converting hosts into residential proxies, behavior that resembles malware rather than adware.
Research indicated that OneStart is capable of downloading AppSuite-PDF (signed by a certificate from ECHO INFINI SDN. BHD), which subsequently fetches the PDF Editor application.
The initial downloads for OneStart, AppSuite-PDF, and PDF Editor are marketed through a substantial ad campaign highlighting PDFs and PDF editors, redirecting users to various domains that provide these downloads.
Although the code-signing certificates utilized in this campaign have been revoked, the danger remains for installations already in use. In certain instances, the PDF Editor application prompts users to permit their devices to function as residential proxies in exchange for the free use of the tool.
Researchers noted that the proxy network provider could be a legitimate entity unaffected by the campaign, suggesting that the PDF Editor operator is merely exploiting these affiliates for financial gain.
Ultimately, despite categorization as PUPs, the functionalities of these applications align closely with malware characteristics and warrant serious consideration. The discovery of this operation reveals that numerous other applications, some yet to be weaponized, could distribute malware or execute unauthorized commands silently within the system.
Both Truesec and Expel have compiled extensive indicators of compromise (IoCs) that can aid defenders in safeguarding users and assets from potential infections.