{
  "name": "Tracking TamperedChef Clusters via Certificate and Code Reuse",
  "slug": "tracking-tamperedchef-clusters-via-certificate-and-code-reuse",
  "description": "Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns abuse code-signing certificates; the trojanized applications remain dormant for weeks to months before activation, and the campaigns affect organizations globally, with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation, using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.",
  "published": "2026-05-20T10:51:13+00:00",
  "created_at": "2026-05-20T10:51:13+00:00",
  "modified_at": "2026-05-21T14:49:46+00:00",
  "created_at_opencti": "2026-05-20T10:51:13+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-05-20",
    "appsuite pdf",
    "calendaromatic",
    "cl-cri-1089",
    "cl-unk-1090",
    "code-signing-abuse",
    "crystalpdf",
    "docuflex",
    "evilai",
    "fileease",
    "gifsmakerpro",
    "gocookmate",
    "information stealers",
    "justaskjacky",
    "justconvertfiles",
    "malvertising campaigns",
    "manualreaderpro",
    "manualzpdf",
    "onezip",
    "pdfpilot",
    "pdfprime",
    "rapidoc",
    "rocketpdfpro",
    "screensrecorder",
    "shinypdf",
    "swiftnav",
    "tamperedchef",
    "trojanized productivity software",
    "zipmakerpro"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "www.crystalpdf.com"
      },
      {
        "id": "",
        "name": "2231bfa7c7bd4a8ff12568074f83de8e4ec95c226230cccc6616a1a4416de268"
      },
      {
        "id": "",
        "name": "248de1470771904462c91f146074e49b3d7416844ec143ade53f4ac0487fdb44"
      }
    ],
    "malware": [
      {
        "id": "f0d8d48e-53ee-40c6-b339-dba4664e8930",
        "name": "ScreensRecorder",
        "slug": "screensrecorder"
      },
      {
        "id": "eca2531e-f8c9-469f-8c99-1e3c55eeb2c0",
        "name": "Calendaromatic",
        "slug": "calendaromatic"
      },
      {
        "id": "e529df34-f014-4f1a-9f4c-ca0ae27a7c8e",
        "name": "PDFPrime",
        "slug": "pdfprime"
      },
      {
        "id": "legacy:malware:4be6b2f1cf57d14a",
        "name": "FileEase",
        "slug": "fileease"
      },
      {
        "id": "legacy:malware:74794c070afa07e8",
        "name": "ShinyPDF",
        "slug": "shinypdf"
      },
      {
        "id": "legacy:malware:80c4bd4068447a62",
        "name": "OneZip",
        "slug": "onezip"
      },
      {
        "id": "legacy:malware:698e7310010363af",
        "name": "DocuFlex",
        "slug": "docuflex"
      },
      {
        "id": "legacy:malware:8cc070a9ce69f003",
        "name": "RapiDoc",
        "slug": "rapidoc"
      },
      {
        "id": "legacy:malware:80d2c0a04064c559",
        "name": "AppSuite PDF",
        "slug": "appsuite-pdf"
      },
      {
        "id": "legacy:malware:b571b4acca436ab6",
        "name": "EvilAI",
        "slug": "evilai"
      },
      {
        "id": "legacy:malware:8d1cb2d7b9bc395f",
        "name": "RocketPDFPro",
        "slug": "rocketpdfpro"
      },
      {
        "id": "legacy:malware:b10c073689f7d596",
        "name": "ManualzPDF",
        "slug": "manualzpdf"
      },
      {
        "id": "legacy:malware:d0c1f2fb4a7911ba",
        "name": "ManualReaderPro",
        "slug": "manualreaderpro"
      },
      {
        "id": "legacy:malware:f1660af38a859411",
        "name": "JustConvertFiles",
        "slug": "justconvertfiles"
      },
      {
        "id": "legacy:malware:c02e942e993167fb",
        "name": "SwiftNav",
        "slug": "swiftnav"
      },
      {
        "id": "legacy:malware:fff3680e6d296edd",
        "name": "GifsMakerPro",
        "slug": "gifsmakerpro"
      },
      {
        "id": "legacy:malware:e771a43e34f1729d",
        "name": "TamperedChef",
        "slug": "tamperedchef"
      },
      {
        "id": "legacy:malware:ebbf2f233e65174a",
        "name": "ZipMakerPro",
        "slug": "zipmakerpro"
      },
      {
        "id": "legacy:malware:8fec6e5410b327e8",
        "name": "GoCookMate",
        "slug": "gocookmate"
      },
      {
        "id": "legacy:malware:688e4fc0202d7395",
        "name": "JustAskJacky",
        "slug": "justaskjacky"
      },
      {
        "id": "legacy:malware:3849e10699a51e7a",
        "name": "PDFPilot",
        "slug": "pdfpilot"
      },
      {
        "id": "legacy:malware:7c6d82ab23233da9",
        "name": "CrystalPDF",
        "slug": "crystalpdf"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cf746a02-00ea-419e-912d-7b03f969c491",
        "name": "T1518.001"
      },
      {
        "id": "a58c2bff-7d90-4816-93fd-aa0b6beca12e",
        "name": "T1124"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2026-1731"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "onezipapp.com"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/",
    "https://otx.alienvault.com/pulse/6a0dae41682ec38e55d1aa12"
  ]
}