Tracking TamperedChef Clusters via Certificate and Code Reuse
Essential information
- Published: 20/05/2026 12:51
- Modified: 21/05/2026 16:49
- Tags: 2026-05-20, appsuite pdf, calendaromatic, cl-cri-1089, cl-unk-1090, code-signing-abuse, crystalpdf, docuflex, evilai, fileease, gifsmakerpro, gocookmate, information stealers, justaskjacky, justconvertfiles, malvertising campaigns, manualreaderpro, manualzpdf, onezip, pdfpilot, pdfprime, rapidoc, rocketpdfpro, screensrecorder, shinypdf, swiftnav, tamperedchef, trojanized productivity software, zipmakerpro
- Related entities: 1 vulnerability (CVE), 3 observables, 21 techniques (MITRE), 22 malware, 1 other
Description
Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns leverage code-signing certificates, remain dormant for weeks to months before activation, and affect organizations globally with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.