TamperedChef
TamperedChef, also known as EvilAI, is a cybercrime malware and malvertising operation that distributes trojanized productivity software masquerading as legitimate applications such as PDF editors, calendar apps, ZIP extractors, GIF makers, converters, and related utilities. Campaigns and variants linked to the operation in the cited reporting include Calendaromatic, Recipe Lister, AppSuite PDF, DocuFlex, JustAskJacky, GoCookMate, RocketPDFPro, ManualReaderPro, CrystalPDF, Easy2Convert, OneZip, PDF-Ezy, PDFPrime, ManualzPDF, and RapiDoc. Palo Alto Networks Unit 42 reported overlap across three tracked clusters: CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110; the TamperedChef alias is most commonly associated with CL-UNK-1110, while CL-CRI-1089 includes Calendaromatic, DocuFlex, and AppSuite PDF. The operation has been active since at least early 2023 and has been observed globally, with no strong sector-specific targeting. Distribution relies heavily on malvertising, sponsored search results, poisoned search engine results, and malicious Google and YouTube ads that lead to polished download sites with legal terms, contact pages, and contextually relevant domains. The malware commonly uses valid code-signing certificates obtained through shell companies in multiple countries, including Ukraine, Malaysia, Israel, the United Kingdom, the United States, Panama, Estonia, Singapore, and Malta, although reporting also notes that some operators appear to be moving away from signing. Researchers described the operation as unusually large-scale and well-funded, with thousands of samples and extensive advertising infrastructure. TamperedChef malware typically functions as advertised at first, then delays malicious activity for weeks or months.
Common behaviors described in the cited reporting include persistence via scheduled tasks or Run keys, initial reconnaissance and exfiltration, continuous command-and-control for delayed second-stage delivery, and deployment of payloads including adware, browser hijackers, information stealers, remote access Trojans, proxy malware, and backdoors. Reported capabilities across associated malware include credential theft, browser session theft, remote command execution, browser hijacking, system fingerprinting, file system interaction, and environment variable exfiltration. Cited reporting links TamperedChef to the macOS-focused Operation FlutterBridge, attributed to CL-CRI-1089, which distributed the FlutterShell backdoor via malicious desktop applications signed with valid Apple Developer IDs and notarized by Apple at the time of submission. FlutterShell is described as a Flutter-based malware family combining adware and backdoor functionality, using a WebView and a JavaScript-to-native bridge to dynamically alter behavior from remote infrastructure. Variants named PodcastsLounge, PDF-Brain, and PDF-Ninja were identified. Reporting also highlights Calendaromatic as a backdoor spread through malvertisements and SEO poisoning and tied to the TamperedChef malvertising campaign. Additional cited reporting states that TamperedChef has used Google Ads to distribute infostealers and has used U.S. shell companies to sign trojanized apps with valid certificates to deploy a stealth backdoor.
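The persistence pattern described above (a freshly installed "productivity" app registering itself under a Run key or creating a scheduled task shortly after first launch) is something a detection engineer can triage from endpoint telemetry. The following is an added example, not code from Mallory or from any of the cited reports. It assumes Sysmon-style events exported to JSON with the standard ProcessCreate (Event ID 1) and RegistryEvent value-set (Event ID 13) field names; the sample events, the user-writable path list, and the lure-word list are constructed for illustration.

```python
"""Flag Run-key or scheduled-task persistence created by a recently installed
binary that runs from a user-writable directory.

Added example (not from the page's sources). Field names follow Sysmon's
ProcessCreate (ID 1) and RegistryEvent (ID 13) schema; SAMPLE_EVENTS are
constructed and do not come from real telemetry.
"""
import re
from datetime import datetime, timedelta

# HKCU/HKU ...\CurrentVersion\Run and RunOnce value writes.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations a normal user can write to; trojanized installers tend to unpack here.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
# "schtasks /create" launched by the app itself.
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)
# Lure themes from the reporting (PDF editors, calendars, ZIP tools, converters,
# manual readers). Only raises the score; never the sole trigger.
LURE_WORDS = ("pdf", "calendar", "zip", "convert", "manual", "recipe", "docuflex", "rocket")


def find_suspicious_persistence(events, window_hours=48):
    """Return one finding per persistence action whose creating process was first
    seen within `window_hours` and runs from a user-writable path."""
    first_seen = {}
    for ev in events:
        if ev["EventID"] == 1:
            first_seen.setdefault(ev["Image"].lower(), datetime.fromisoformat(ev["UtcTime"]))

    findings = []
    for ev in events:
        if ev["EventID"] == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            actor, how = ev["Image"], "run-key"            # the writer of the Run value
        elif ev["EventID"] == 1 and SCHTASKS_RE.search(ev.get("CommandLine", "")):
            actor, how = ev["ParentImage"], "scheduled-task"  # the app that spawned schtasks
        else:
            continue
        actor_l = actor.lower()
        seen = first_seen.get(actor_l)
        if seen is None:                                   # no install/first-run in scope
            continue
        age = datetime.fromisoformat(ev["UtcTime"]) - seen
        if age > timedelta(hours=window_hours) or not USER_WRITABLE_RE.search(actor_l):
            continue
        score = 1 + any(w in actor_l for w in LURE_WORDS)
        findings.append({"how": how, "image": actor, "score": score, "time": ev["UtcTime"]})
    return findings


# Constructed sample telemetry: a fake "PDFPrime" install that persists twice,
# plus a benign vendor app under Program Files that also uses a Run key.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-03-01T09:00:00",
     "Image": r"C:\Users\alice\AppData\Local\PDFPrime\PDFPrime.exe",
     "ParentImage": r"C:\Users\alice\Downloads\PDFPrime-Setup.exe", "CommandLine": "PDFPrime.exe"},
    {"EventID": 13, "UtcTime": "2024-03-01T09:00:30",
     "Image": r"C:\Users\alice\AppData\Local\PDFPrime\PDFPrime.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\PDFPrime",
     "Details": r"C:\Users\alice\AppData\Local\PDFPrime\PDFPrime.exe --tray"},
    {"EventID": 1, "UtcTime": "2024-03-01T09:01:00",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\PDFPrime\PDFPrime.exe",
     "CommandLine": 'schtasks.exe /create /sc hourly /tn "PDFPrime Update" '
                    '/tr "C:\\Users\\alice\\AppData\\Local\\PDFPrime\\PDFPrime.exe --update"'},
    {"EventID": 1, "UtcTime": "2024-03-01T09:05:00",
     "Image": r"C:\Program Files\Vendor\Sync.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "Sync.exe"},
    {"EventID": 13, "UtcTime": "2024-03-01T09:05:10",
     "Image": r"C:\Program Files\Vendor\Sync.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Sync",
     "Details": r"C:\Program Files\Vendor\Sync.exe"},
]

if __name__ == "__main__":
    for f in find_suspicious_persistence(SAMPLE_EVENTS):
        print(f"[score {f['score']}] {f['how']:<15} {f['image']} at {f['time']}")
```

The install-to-persistence window and the user-writable path test do the real work; the lure-word list only reorders the queue, since the reporting shows these apps use rotating brand names. Because the reporting also notes that the malicious stage may not fire for weeks, this rule is a triage hook for the install moment rather than a detection of the later payload, which needs separate network or process-tree coverage.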
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇨🇦 Canada
- 🇦🇺 Australia
- 🇫🇷 France
- 🇩🇪 Germany
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic.
Observables
18 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
- A broader campaign designation covering ongoing operations that use trojanized productivity software to deliver PUPs and adware, associated with CL-CRI-1089.
- Operates large-scale malware campaigns using trojanized productivity applications that appear legitimate, leveraging signed software, fake download sites, delayed second-stage payload delivery, credential theft, RAT deployment, adware/browser hijacking, and proxy-style malware.
- A broad label for malicious productivity-software campaigns using trojanized apps, malvertising, signed binaries, dormancy, C2 retrieval of second-stage payloads, and delivery of stealers, proxy tools, RATs, adware, and browser hijackers. The article explicitly notes TamperedChef is not attributed to a single author or group.
- TamperedChef is an e-crime group distributing malware via poisoned search engine results and malvertising, leading victims to download trojanized installers.