Malware | January 17, 2026

TamperedChef Infostealer Hides in Fake PDF Editors via Google Ads

Sophos exposes malvertising campaign that stayed dormant for 56 days before activating credential theft across 50+ fraudulent domains.

James Rivera

Researchers at Sophos and Truesec have documented an active malvertising campaign dubbed TamperedChef that distributes infostealer malware through fake PDF editing software promoted via Google Ads. The campaign ran fraudulent advertisements across at least five separate Google Ads campaign IDs, driving traffic to more than 50 malicious domains.

What makes TamperedChef notable isn't just its scale—it's the patience. The malware remained dormant for up to 56 days before activating its credential-theft capabilities, a tactic designed to outlast behavioral analysis windows and evade detection.

The Attack Chain

Users searching for PDF software encounter Google Ads promoting "AppSuite PDF Editor." The ads link to professional-looking download pages that appear legitimate. Each fraudulent application was signed with code-signing certificates issued by at least four different companies, adding another layer of apparent trustworthiness.

Once installed, the software actually works as a basic PDF tool—but it includes TamperedChef as a silent passenger. The malware sits idle, doing nothing malicious while security sandboxes monitor for suspicious behavior.

The campaign kicked off around June 26, 2025, when many of the fake PDF sites went live. But TamperedChef's payload didn't activate until August 21, when it received a special update command ("--fullupdate") that flipped on its infostealing features.

56 Days of Dormancy

The extended dormancy period is calculated. Most automated analysis systems monitor new software for a limited window—typically 30 to 60 days. By waiting 56 days before activating, TamperedChef slips past behavioral detection systems and aligns with the typical 60-day lifecycle of Google Ads campaigns.

By the time the malware turns malicious, it's already been running on victim machines for weeks without incident. Users have grown accustomed to it; security tools have classified it as benign.

What TamperedChef Steals

Once active, the malware harvests:

  • Browser cookies and saved credentials
  • Session tokens for logged-in accounts
  • Data protected by Windows DPAPI (Data Protection Application Programming Interface)

GDATA researchers classify AppSuite PDF Editor as a backdoor because the malware allows threat actors to execute arbitrary commands on compromised systems. It's not just stealing data—it's maintaining persistent access.

IOCs and Campaign Infrastructure

Truesec identified at least five Google Ads campaign IDs associated with the operation, suggesting coordination rather than opportunistic abuse. The infrastructure includes over 50 domains mimicking legitimate PDF and document software vendors.

Blocking these domains requires ongoing updates as the attackers register new ones. Organizations should focus on behavioral indicators: unexpected PDF software installations, network traffic to recently registered domains, and processes with signed but suspicious certificates.

Recommendations

  1. Download software from official vendor sites - Navigate directly rather than clicking ads
  2. Review installed applications - Remove any PDF editors that weren't sourced from known vendors
  3. Monitor for DPAPI abuse - Credential access through DPAPI is a common infostealer technique
  4. Block ad-delivered installers - Consider policies that prevent software installation from ad-clicked links

For security teams, the dormancy tactic deserves attention. Point-in-time sandboxing isn't sufficient when malware is designed to wait. Continuous monitoring and anomaly detection on production endpoints becomes the backstop.
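As an added illustration of the continuous-monitoring angle above and the behavioral indicators listed earlier (example code written for this article, not from Sophos, Truesec or GDATA), the Python below correlates constructed endpoint events per application and flags software from a non-allowlisted signer whose first shell spawn or connection to a recently registered domain arrives weeks after installation. Event fields, the signer allowlist, the shell list and the day thresholds are all assumptions.

```python
from datetime import date

# Constructed sample telemetry: one install event per app, then later activity.
EVENTS = [
    {"ts": "2025-06-26", "type": "install", "app": "AppSuite PDF Editor",
     "signer": "Example Signing Co (constructed)"},
    {"ts": "2025-07-03", "type": "net", "app": "AppSuite PDF Editor",
     "domain": "pdf-editor-example.test", "domain_age_days": 400},
    {"ts": "2025-08-21", "type": "proc", "app": "AppSuite PDF Editor",
     "child": "cmd.exe"},
    {"ts": "2025-08-21", "type": "net", "app": "AppSuite PDF Editor",
     "domain": "update-example.test", "domain_age_days": 12},
    {"ts": "2025-06-20", "type": "install", "app": "Known PDF Tool",
     "signer": "Allowlisted Vendor (constructed)"},
    {"ts": "2025-06-21", "type": "net", "app": "Known PDF Tool",
     "domain": "vendor-example.test", "domain_age_days": 3000},
]

# Child processes a PDF editor has no business launching (assumed list).
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

def suspicious(ev, young_domain_days):
    """Return a reason string if an activity event looks like activation."""
    if ev["type"] == "proc" and ev.get("child", "").lower() in SHELLS:
        return f"spawned {ev['child']}"
    if ev["type"] == "net" and ev.get("domain_age_days", 10**6) < young_domain_days:
        return f"connected to {ev['domain']} (registered {ev['domain_age_days']}d ago)"
    return None

def find_dormant_activators(events, allowlisted_signers, min_dormant_days=14, young_domain_days=30):
    """Flag non-allowlisted apps whose first suspicious activity is long after install."""
    installs = {e["app"]: e for e in events if e["type"] == "install"}
    findings = []
    for app, inst in installs.items():
        if inst["signer"] in allowlisted_signers:
            continue  # trusted publisher: a signature alone is not enough, hence the allowlist
        installed = date.fromisoformat(inst["ts"])
        hits = []
        for ev in events:
            if ev["app"] != app or ev["type"] == "install":
                continue
            reason = suspicious(ev, young_domain_days)
            if reason:
                hits.append((date.fromisoformat(ev["ts"]), reason))
        if not hits:
            continue
        dormant = (min(hits)[0] - installed).days  # days between install and first activation sign
        if dormant >= min_dormant_days:
            findings.append({"app": app, "signer": inst["signer"], "dormant_days": dormant,
                             "reasons": [r for _, r in sorted(hits)]})
    return findings
```

On the constructed events the fake editor is reported with a 56-day gap between install and first activity, which is exactly the window a one-off sandbox run would miss.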

The Malvertising Problem

Google Ads malvertising has become a reliable initial access vector. Attackers pay for visibility, their ads pass moderation checks (at least initially), and users trust search results more than unsolicited emails.

We've covered similar campaigns—Black Cat's SEO poisoning operation used comparable tactics to infect hundreds of thousands of hosts. The pattern is consistent: meet users where they're searching, provide what appears to be legitimate software, and exploit that trust.

For enterprises, this means ad-blocking and download controls aren't just productivity measures—they're security controls. The attack surface extends beyond email into every search query employees make.
