Potentially Unwanted Applications (PUAs) weaponized for covert delivery
Essential information
- Published: 29/09/2025 08:02
- Modified: 29/09/2025 09:01
- Tags: 2025-09-29, 7-zip, CVE-2025-0411, browser-hijacker, calendaromatic, code-signing-abuse, digital-signing, imagelooker, malvertising, neutralinojs, pua, seo poisoning, trojanized-productivity-tools
- Related entities: 1 vulnerability (CVE), 6 observables, 1 intrusion set (APT), 16 techniques (MITRE), 2 malware
Description
A malware distribution campaign leveraging digitally signed binaries, deceptive packaging, and browser hijackers has been uncovered. The campaign centers on two malicious applications, ImageLooker.exe and Calendaromatic.exe, delivered via self-extracting 7-Zip archives. These artifacts align with the TamperedChef malware campaign, which uses trojanized productivity tools for initial access and data exfiltration. The malware employs the NeutralinoJS framework, Unicode homoglyphs, and multiple digital signers to bypass detection. The campaign exploits user behavior through SEO poisoning and malvertising, masquerading as legitimate software. This approach highlights the evolving tactics of threat actors in weaponizing PUAs and abusing digital code signing to evade security measures.
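Two of the delivery traits named above (self-extracting 7-Zip packaging and Unicode homoglyphs in names) can be checked mechanically during triage. The following is an added example, not code from the report or from the campaign analysis: it flags a Windows executable that carries an embedded 7-Zip archive (the layout of a 7-Zip SFX package) and flags file or signer names that mix Unicode scripts or contain non-Latin letters that look like ASCII. The sample PE stub and the lookalike file name are constructed for the demonstration; the 7-Zip signature bytes are the real archive magic.

```python
"""Triage helpers (added example, not from the original report)."""
import unicodedata

# Real 7-Zip archive signature; an SFX executable is a PE stub with an
# archive carrying this header appended after the code.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"


def is_pe_with_embedded_7z(data: bytes) -> bool:
    """True when data starts with an MZ header and the 7z signature appears
    later in the file: the shape of a 7-Zip self-extracting executable."""
    if not data.startswith(b"MZ"):
        return False
    return data.find(SEVEN_ZIP_MAGIC, 2) != -1


def scripts_in(name: str):
    """Approximate the set of scripts used by the letters of name, taken
    from the first word of each character's Unicode name (LATIN, CYRILLIC,
    GREEK, ...). Digits and punctuation are ignored."""
    scripts = set()
    for ch in name:
        if not ch.isalpha():
            continue
        uname = unicodedata.name(ch, "")
        scripts.add(uname.split(" ")[0] if uname else "UNKNOWN")
    return scripts


def is_mixed_script(name: str) -> bool:
    """A file or publisher name that mixes scripts is a homoglyph candidate."""
    return len(scripts_in(name)) > 1


def homoglyph_hits(name: str):
    """Return (index, char, unicode name) for every non-Latin letter, so an
    analyst sees exactly which characters masquerade as ASCII."""
    hits = []
    for i, ch in enumerate(name):
        if ch.isalpha():
            uname = unicodedata.name(ch, "UNKNOWN")
            if not uname.startswith("LATIN"):
                hits.append((i, ch, uname))
    return hits


def triage(filename: str, data: bytes) -> dict:
    """Combine both checks into one record per sample."""
    return {
        "filename": filename,
        "sfx_7z": is_pe_with_embedded_7z(data),
        "mixed_script": is_mixed_script(filename),
        "non_latin_letters": homoglyph_hits(filename),
    }


# Constructed sample: a fake PE stub with a 7z signature appended, and a
# lookalike name with Cyrillic 'а' (U+0430) in place of Latin 'a'.
SAMPLE_SFX = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100
              + SEVEN_ZIP_MAGIC + b"\x00" * 16)
SAMPLE_NAME = "Im\u0430geLooker.exe"

if __name__ == "__main__":
    for name, blob in [(SAMPLE_NAME, SAMPLE_SFX),
                       ("ImageLooker.exe", b"MZ" + b"\x00" * 200)]:
        print(triage(name, blob))
```

The script-mixing check is deliberately coarse (it keys off Unicode character names rather than a full confusables table), which keeps it dependency-free while still catching the Cyrillic-for-Latin substitutions that make a lookalike name pass a casual glance at a signer field or file listing.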