Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads
Essential information
- Published: 26/11/2025 07:45
- Modified: 21/12/2025 18:03
- Tags: 2025-11-20, 2025-11-26, code-signing, code-signing certificates, javascript, javascript payload, malvertising, persistence, remote access, scheduled tasks, seo, shell companies, signed applications, social engineering
- Related entities: 132 observables, 1 intrusion set (APT), 9 techniques (MITRE), 63 others
Description
The TamperedChef campaign is a global malvertising and SEO operation that distributes seemingly legitimate software carrying valid code signatures to trick users into running malicious installers. These fake applications mimic common software, establish persistence through scheduled tasks, and deliver obfuscated JavaScript payloads that provide remote access. The campaign uses a network of U.S.-registered shell companies to acquire and rotate code-signing certificates, so that the exploitation of trust in signed software continues. Victims are primarily in the Americas, with a focus on the healthcare, construction, and manufacturing industries. The campaign's infrastructure is designed for rapid rebuilding after takedowns, relying on short-term domain registrations and certificate rotation. The attackers' motivations may include selling initial access, credential theft, ransomware staging, or opportunistic espionage.
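The persistence mechanism the description names, a scheduled task that hands an obfuscated JavaScript file to a script host, is something a defender can hunt for in Task Scheduler exports. The following added example is not code from the report or its authors: it parses the XML produced by `schtasks /query /xml` and flags tasks whose action runs wscript, cscript or mshta on a JavaScript-family file, or names such a file directly as the command. The task definitions, names and paths in `SAMPLE_TASKS` are constructed for the example, and the assumption that the payload is launched through a script host is mine rather than a detail the summary states.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by real Task Scheduler XML exports (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts that will execute a JavaScript/JScript file from a task action.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# File extensions handled by those hosts; .js/.jse are the JavaScript cases.
SCRIPT_FILE = re.compile(r"\.(js|jse|wsf|hta)\b", re.IGNORECASE)


def exe_basename(command):
    """Lower-cased executable name from a <Command> value such as
    '"%windir%\\system32\\cscript.exe"' -> 'cscript.exe'."""
    return command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_tasks(task_docs):
    """Return a finding dict for every task whose <Exec> action launches a
    script host on a script file, or whose command is a script file itself.
    task_docs maps task name -> task XML text."""
    findings = []
    for name, xml_text in task_docs.items():
        root = ET.fromstring(xml_text)
        # Trigger element names (LogonTrigger, CalendarTrigger, ...) tell the
        # analyst how the task re-arms; strip the namespace for readability.
        triggers = [t.tag.split("}")[-1] for t in root.findall("./t:Triggers/*", NS)]
        for exec_node in root.findall("./t:Actions/t:Exec", NS):
            cmd = exec_node.findtext("t:Command", default="", namespaces=NS)
            args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
            base = exe_basename(cmd)
            if base in SCRIPT_HOSTS and SCRIPT_FILE.search(args):
                reason = "script host with script argument"
            elif SCRIPT_FILE.search(base):
                reason = "script file as task command"
            else:
                continue
            findings.append({"task": name, "command": cmd.strip(),
                             "arguments": args.strip(), "triggers": triggers,
                             "reason": reason})
    return findings


# Constructed sample exports (not real task definitions from any campaign).
SAMPLE_TASKS = {
    # Modelled on a typical built-in maintenance task: should not be flagged.
    "SynchronizeTime": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%windir%\system32\sc.exe</Command>
    <Arguments>start w32time task_started</Arguments>
  </Exec></Actions>
</Task>""",
    # Logon-triggered task feeding a .js file to wscript: the pattern to hunt.
    "ExampleUpdater": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>//B //E:JScript "C:\Users\Public\ExampleUpdater\update.js"</Arguments>
  </Exec></Actions>
</Task>""",
    # Daily task whose command is the script itself (relies on file association).
    "LaunchHelper": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2025-01-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\ProgramData\ExampleHelper\launch.js</Command>
  </Exec></Actions>
</Task>""",
}


if __name__ == "__main__":
    for f in find_script_tasks(SAMPLE_TASKS):
        print(f"{f['task']}: {f['reason']} | {f['command']} {f['arguments']} | "
              f"triggers={','.join(f['triggers'])}")
```

Against the constructed samples this reports `ExampleUpdater` and `LaunchHelper` and leaves `SynchronizeTime` alone. On a real host, feed it the per-task XML from `schtasks /query /xml` (or the files under `%windir%\System32\Tasks`) and review each hit together with the signer of the installer that created it; a script-host task created by a freshly signed application from an unfamiliar publisher is the combination the description above warns about.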