What happened?
On 27 August 2025, cybersecurity researchers at Truesec uncovered a malvertising campaign abusing Google Ads to promote fraudulent websites. These sites lured victims into downloading a fake PDF utility named “AppSuite PDF Editor”, which delivered an information-stealing malware dubbed TamperedChef.1
TamperedChef is designed to harvest sensitive data such as browser cookies and stored credentials. It also abuses Windows DPAPI (Data Protection Application Programming Interface), a Windows feature that encrypts sensitive data for privacy. Truesec observed that the malware can remain dormant for up to 56 days before activating, a tactic designed to bypass behavioural detection systems and align with the typical 60-day lifecycle of Google Ads campaign.2
Truesec identified at least five separate Google Ads campaign IDs, suggesting this was part of a coordinated and widespread operation.
Figure 2: PDF Editor Setup (Source: Truesec)
Further investigation revealed that different versions of AppSuite PDF Editor were digitally signed with certificates from at least four separate companies, giving the application a false sense of legitimacy and helping it bypass security controls. Researchers noted that these companies may have been AI-generated shell entities, highlighting a novel abuse of trust mechanisms in the software supply chain.5
The threat actor behind the campaign has been active since at least August 2024, previously promoting other tools flagged as Potentially Unwanted Programs (PUPs) such as adware. Recent reporting indicates that organisations in Europe have already been affected, as employees were tricked into downloading the malicious application.
So what?
Although the fraudulent certificates have now been revoked, existing installations of the malicious PDF Editor remain a threat. The TamperedChef campaign demonstrates an evolution in malware distribution tactics, combining:
- Abuse of digital certificates to bypass security controls.
- Strategic dormancy (up to 56 days) to evade detection.
- Targeting of browser-stored credentials, a frequent weak point in both personal and enterprise environments.
- Malvertising as a scalable delivery vector, capable of reaching victims across regions and sectors.
Truesec has also released a set of Indicators of Compromise (IOCs)6, including malicious domains, hashes, and certificate details associated with the campaign. Security teams should ensure these are ingested into detection systems and threat intelligence platforms to identify and contain infections early.
This campaign underscores the need for both users and organisations to carefully vet software sources, reduce reliance on browser-stored credentials, and implement technical controls capable of detecting suspicious behaviour even after long dormancy periods.
Immediate actions for users
- Verify software sources - download only from official vendor sites or reputable app stores.
- Check digital signatures - ensure software certificates are issued to legitimate, recognised publishers.
- Audit browser-stored credentials - remove unnecessary saved logins.
- Enable multi-factor authentication (MFA) - mitigate the impact of stolen credentials.
- Use dedicated password managers - replace browser-stored passwords with secure, dedicated tools.
Organisational recommendations
- Implement application allow listing: Block unauthorised or unverified applications.
- Deploy advanced behavioural monitoring: Detect malware that remains dormant for extended periods.
- Restrict unverified downloads: Enforce policies against installing free or untrusted software.
- Raise user awareness: Train staff on risks of malvertising and fraudulent software.