SOPHOS, a global leader of innovative security solutions for defeating cyberattacks, recently identified a malvertising campaign distributing an infostealer dubbed TamperedChef – believed to be part of a wider campaign known as EvilAI.
Previous coverage of this campaign suggests it began on June 26, 2025, with many of the associated websites being registered or first identified on that date. The sites were promoting a trojanized PDF editing application called AppSuite PDF Editor via Google Ads. This application appeared legitimate to users, but silently deployed an infostealer upon installation, targeting Windows devices.
Through telemetry analysis and threat hunting, Sophos MDR confirmed that over 100 customer systems were affected before our detection and response efforts began.
According to Sophos telemetry, the majority of victims affected by this campaign are in Germany (~15%), the United Kingdom (~14%), and France (~9%). Although the data highlights a significant concentration in Germany and the UK, it likely reflects the campaign’s widespread global reach, rather than any deliberate targeting of specific regions; we identified 19 countries affected in total.
Victims of this campaign span a variety of industries, particularly those where operations rely heavily on specialized technical equipment – possibly because users in those industries frequently search online for product manuals, a behavior that the TamperedChef campaign exploits to distribute malicious software.
Further investigation revealed that this large, multi-layered distribution network featured multiple advanced tactics, including a delayed activation/dormancy period, decoy software, staged payload delivery, staged payload delivery, abuse of code-signing certificates, and efforts to evade endpoint protection mechanisms.
According to other researchers, the campaign appears to still be active, with new components still being uncovered and supporting infrastructure continuing to operate (although the domains we observed in our investigations now seem to be inactive).
Conclusions and recommendations
The threat actors behind the TamperedChef campaign crafted convincing malicious applications, leveraged targeted advertising to achieve large-scale distribution, and secured code-signing certificates. The consequences are severe; users who have installed AppSuite PDF Editor should consider any credentials stored in their browsers to be compromised.
Threat actors are well aware that malvertising can be a fruitful and effective infection vector. It’s very possible that the adversaries behind TamperedChef, and others, will cook from a similar recipe in the future.
