The TamperedChef hacking campaign is characterized by its use of fake installers disguised as legitimate applications, including manual readers and PDF editors. By employing valid code-signing certificates and malvertising, the attackers trick users into installing malicious software that enables remote access. Identified by Acronis security researchers in June 2025, the operation appears to have been active before that date. It primarily impacts users in the United States, along with other regions, and the healthcare, construction, and manufacturing sectors are especially affected, since users there frequently search online for tools and manuals.
Once a user inadvertently installs the malware, it initiates a complex infection chain designed to maintain persistent access while evading detection. The chain drops an XML configuration file that is used to create a scheduled task; that task executes an obfuscated JavaScript payload, which establishes communication with command-and-control servers. The malware also uses XOR encryption for data transmission and includes remote code execution capabilities, enabling attackers to run commands on compromised systems. The campaign's infrastructure is continually rebuilt through various shell companies to keep operations running.
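As an added defensive example (not code from the article or from the researchers), the script below parses Windows Task Scheduler XML definitions and flags tasks whose action launches a script host with a JavaScript payload, the persistence pattern described above. The task XML and file paths in it are constructed for illustration and are not indicators from the campaign.

```python
# Added example (not from the article): flag Task Scheduler XML definitions
# whose Exec action launches a script host or references a JavaScript file.
# Sample XML below is constructed; the paths in it are hypothetical.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed task definition resembling the described persistence mechanism.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2"
  xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\Users\Public\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison.
BENIGN_TASK_XML = r"""<Task version="1.2"
  xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Backup\backup.exe</Command></Exec>
  </Actions>
</Task>"""


def suspicious_script_actions(task_xml: str) -> list:
    """Return Exec actions that run a script host or reference a .js/.jse file."""
    root = ET.fromstring(task_xml)
    hits = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        # Normalise the binary name so directory and casing do not matter.
        host = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if host in SCRIPT_HOSTS:
            reasons.append(f"script host {host}")
        if re.search(r"\.jse?\b", arguments, re.IGNORECASE):
            reasons.append("JavaScript payload in arguments")
        if reasons:
            hits.append({"command": command, "arguments": arguments, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, suspicious_script_actions(xml_text))
```

On a live host the same function can be run over the files under %SystemRoot%\System32\Tasks, which are UTF-16 XML; reading them with ET.parse(path) instead of ET.fromstring handles the byte-order mark.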
👉 Read the original: Cyber Security News