
TamperedChef malware uses fake installers to target key sectors

Fri, 21st Nov 2025

Security researchers have detailed a campaign referred to as "TamperedChef" which has targeted organisations across multiple sectors by distributing malicious software disguised as familiar applications. The campaign leverages search engine optimisation (SEO) and online advertising to lure victims into downloading compromised installers.

Target sectors

Most recorded victims come from healthcare, construction, and manufacturing industries. These sectors often search online for manuals and technical guides related to specialist equipment. The attack exploits this behaviour, using fake applications labelled as manual readers and similar tools to prompt installation from convincing websites.

Analysis indicates that approximately 80% of victims are based in the United States, with the remaining 20% scattered globally. The geographic footprint suggests broad, indiscriminate targeting rather than a focus on any specific region.

Malware delivery

TamperedChef uses SEO tactics and paid online ads to promote malicious websites. These sites host installers that imitate common tools such as PDF editors, browsers, and game software. Upon installation, victims receive what appears to be legitimate, functional software. This social engineering approach is designed to take advantage of users' trust in well-known application names.

Once executed, the fake installer drops an XML file which is used to create a scheduled task. This allows the malware to persist on the affected system. The installer then displays typical installation messages, like a license agreement and 'thank you' page, further hiding its true purpose.
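The scheduled-task persistence step described above is a natural place for a defender to look. What follows is an added example, not code from the article or from the Acronis research it reports: a small Python checker that parses a Windows Task Scheduler XML definition and flags traits an installer-dropped task could show. The traits checked (a script host as the action, a script payload under a user-writable path, a logon or boot trigger, the hidden flag) and the two sample task definitions are assumptions and constructed data; the article only states that an XML file is dropped to create a scheduled task.

```python
"""Flag suspicious Windows Task Scheduler XML definitions.

Added example, not code from the article or from Acronis. It parses a task
definition in the Task Scheduler XML schema and reports traits that a
TamperedChef-style installer-dropped task could show. The traits below and
the sample XML are assumptions / constructed data, not reported indicators.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters commonly used to launch dropped script payloads such as the
# obfuscated JavaScript backdoors the article mentions.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                "powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe"}
# Directories an unprivileged installer can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|hta|ps1|wsf|bat|cmd)\b", re.I)
# Trigger types that re-run the task without user interaction.
PERSISTENCE_TRIGGERS = ("LogonTrigger", "BootTrigger", "RegistrationTrigger")


def analyse_task(xml_data):
    """Return a list of finding strings for one task definition.

    Accepts str or bytes. Task files exported by schtasks are UTF-16 with an
    XML declaration; pass those as bytes so the declaration is honoured.
    """
    root = ET.fromstring(xml_data)
    findings = []

    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"script host launched: {exe}")
        if SCRIPT_FILE.search(arguments) and USER_WRITABLE.search(arguments):
            findings.append("script payload in user-writable path")
        elif USER_WRITABLE.search(command):
            findings.append("executable in user-writable path")

    for trigger in PERSISTENCE_TRIGGERS:
        if root.find(f".//t:Triggers/t:{trigger}", TASK_NS) is not None:
            findings.append(f"persistence trigger: {trigger}")

    hidden = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    if hidden.strip().lower() == "true":
        findings.append("task hidden from Task Scheduler UI")

    return findings


# Constructed sample: a hidden logon task running a dropped JavaScript file.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B "C:\\Users\\alice\\AppData\\Roaming\\ManualReader\\reader.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a nightly job run from Program Files with no flagged traits.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\backup.exe</Command><Arguments>--nightly</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, analyse_task(xml_text) or ["no findings"])
```

On a real host the same function can be pointed at the task definitions under the Task Scheduler store, or at task XML exported with `schtasks /query /xml`; a task that trips several of these checks at once is worth a closer look, while any single one is common in legitimate software.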

Technical infrastructure

The campaign uses domains registered with NameCheap and cloaked with privacy services. These are configured to appear legitimate and are registered for short periods to allow rapid re-establishment in case of takedown. The early command and control servers used generated, random-looking domains, but more recent infrastructure employs more conventional names to blend in with usual network traffic.

Code-signing plays a central part in evading detection. Attackers acquire certificates via a network of shell companies registered in the United States, generally using generic business names. When a certificate is revoked, a new shell company is quickly established and a replacement certificate purchased, enabling malicious installers to maintain a façade of legitimacy.

Malware features

Researchers noted two variants of obfuscated JavaScript backdoors delivered as payloads. The obfuscation techniques make analysing the malware more challenging and allow malicious functions to remain hidden from detection tools. These backdoors are capable of granting remote access and performing other post-infection actions with delayed execution to avoid early identification.

Attacker motivation

There is evidence that the attackers are pursuing a mix of financial and strategic goals. These include selling remote access to infected systems, exfiltrating sensitive healthcare and business information for profit, and staging for future ransomware deployment. Opportunistic espionage is also possible if high-value environments are encountered during the campaign.

Industry experts caution that even fully signed and apparently legitimate applications can be malicious, highlighting ongoing challenges in distinguishing genuine software from threats. TamperedChef's method of exploiting digital signatures underscores the need for layered defences and more stringent verification of application sources.

Protective measures

Recommended defences include the deployment of managed detection and response (MDR) services for 24/7 monitoring, restriction of installation rights to prevent unverified applications, and user training to help staff recognise suspicious downloads. Maintaining up-to-date endpoint protections and operating system patches is also advised.

"TamperedChef illustrates a critical security lesson: Even software bearing valid digital signatures can be malicious. Attackers can exploit the inherent trust that users place in signed applications to distribute stealthy malware, bypass traditional defenses and gain persistence on systems. This underscores that digital signatures alone are not a guarantee of safety, and organizations must implement additional layers of security, vigilance and user awareness to detect and mitigate threats effectively," said Darrel Virtusio, Senior Malware Researcher, Acronis.