- Threat actors use fake installers disguised as popular software in a global malvertising campaign called TamperedChef.
- The campaign employs social engineering, SEO, and code-signing certificates from shell companies to evade detection and build user trust.
- The malware delivers a JavaScript backdoor that gives the attackers remote access; infections are concentrated in the U.S. and hit the healthcare, construction, and manufacturing sectors hardest.
- TamperedChef is part of a wider set of attacks codenamed EvilAI, which leverages AI-related lures for malware distribution.
- Some vendors track the malware family as BaoLoader, but the TamperedChef name is used here for consistency with the wider cybersecurity community.
TamperedChef is a persistent global malvertising campaign where threat actors distribute malware through fake installers posing as commonly used software. This ongoing campaign, examined by Acronis Threat Research Unit (TRU), tricks users into downloading malicious files by exploiting popular search terms and deceptive ads. The main objective is to establish a foothold and deliver JavaScript malware that provides remote access and control.
The attackers use everyday application names and Search Engine Optimization (SEO) along with malicious advertising to lure victims. They also abuse digital code-signing certificates issued to shell companies from countries including the U.S., Panama, and Malaysia. These certificates enhance trust and help the malware evade security filters by making the fake applications seem legitimate. New certificates are frequently obtained under different company names once older ones are revoked, creating what Acronis describes as an “industrialized and business-like” infrastructure.
This malware family belongs to a broader set of campaigns tracked as EvilAI, which use AI-themed software lures to spread threats. Some vendors call this malware BaoLoader; Acronis uses the name TamperedChef, which is already widely adopted across the security industry, to keep reporting consistent.
In a typical attack, a user searching for a PDF editor or a product manual encounters a malicious ad or a poisoned search result. The link leads to a look-alike website that prompts the user to download a trojanized installer. After installation, the malware registers a scheduled task (defined in an XML task file) whose action launches an obfuscated JavaScript backdoor. The backdoor then contacts an external server over HTTPS, sending system information such as a session ID and machine ID as Base64-encoded JSON.
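The persistence-and-beacon chain above is the part a responder can actually test for. As an added example (not Acronis code and not a TamperedChef sample), the following Python triages Task Scheduler XML definitions, the format Windows keeps under C:\Windows\System32\Tasks, for actions that launch a script host such as wscript.exe or point at a .js file, and unwraps a Base64-encoded JSON beacon body so its fields can be read. The task definitions and the beacon body are constructed samples, the interpreter and extension lists are assumptions, and the beacon is modelled as plain JSON under Base64 with no additional encryption layer.

```python
"""Triage Windows Task Scheduler definitions for script-host persistence and
decode a Base64/JSON beacon body.

Added illustration, not Acronis or TamperedChef code. The task XML, the benign
task, and the beacon body below are constructed samples, not real IOCs.
Assumptions: task files use the XML format Windows stores under
C:\\Windows\\System32\\Tasks, and the beacon body is plain JSON under Base64.
"""
import base64
import json
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace every Task Scheduler task definition declares.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters and extensions that mean "a script runs at trigger time" (assumed list).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".hta")


def suspicious_exec_actions(task_xml: str) -> list:
    """Return each <Exec> action that runs a script host or a script file."""
    root = ET.fromstring(task_xml)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", "", TASK_NS) or "").strip().strip('"')
        args = (exec_node.findtext("t:Arguments", "", TASK_NS) or "").strip()
        cmd_l, args_l = command.lower(), args.lower()
        host_hit = cmd_l.endswith(SCRIPT_HOSTS)
        ext_hit = cmd_l.endswith(SCRIPT_EXTS) or any(e in args_l for e in SCRIPT_EXTS)
        if host_hit or ext_hit:
            findings.append({
                "command": command,
                "arguments": args,
                "reason": "script host" if host_hit else "script file",
            })
    return findings


def scan_task_directory(task_dir: str) -> dict:
    """Map file path -> findings for every task file under task_dir (for example a
    copy of C:\\Windows\\System32\\Tasks taken from a disk image). Windows writes
    these files as UTF-16 with a BOM; anything else is read as UTF-8."""
    results = {}
    for path in Path(task_dir).rglob("*"):
        if not path.is_file():
            continue
        raw = path.read_bytes()
        if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
            text = raw.decode("utf-16", errors="replace")
        else:
            text = raw.decode("utf-8", errors="replace")
        try:
            hits = suspicious_exec_actions(text)
        except ET.ParseError:
            continue  # not a task definition
        if hits:
            results[str(path)] = hits
    return results


def decode_beacon(body_b64: str) -> dict:
    """Unwrap a Base64-encoded JSON beacon body. Base64 is an encoding, not
    encryption, so the fields are readable once the HTTPS layer is removed."""
    raw = base64.b64decode(body_b64, validate=True)
    obj = json.loads(raw.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("beacon body is not a JSON object")
    return obj


# --- constructed samples (not real artifacts) --------------------------------
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\\Users\\Public\\updater.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_BENIGN_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Example\\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""

SAMPLE_BEACON_B64 = base64.b64encode(
    json.dumps({"session_id": "s-0001", "machine_id": "m-0001", "os": "Windows"}).encode()
).decode()

if __name__ == "__main__":
    for name, xml_text in (("malicious", SAMPLE_TASK_XML), ("benign", SAMPLE_BENIGN_XML)):
        print(name, suspicious_exec_actions(xml_text))
    print("beacon:", decode_beacon(SAMPLE_BEACON_B64))
    if len(sys.argv) > 1:  # optional: scan a copied Tasks folder
        for path, hits in scan_task_directory(sys.argv[1]).items():
            print(path, hits)
```

Run it with a directory argument to sweep a copied Tasks folder. A hit only means a script runs when the trigger fires, which is also how plenty of legitimate admin tooling works, so pull the referenced script and the task's author and creation time before calling it persistence.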
The ultimate aims of these attacks remain unclear. Evidence suggests some variants facilitate advertising fraud, signaling financial motives. The threat actors may also monetize access by selling stolen data to other criminals in underground markets.
Infection rates are highest in the United States, with notable cases in Israel, Spain, Germany, India, and Ireland. The healthcare, construction, and manufacturing industries face the greatest impact, likely due to their frequent need for technical manuals and specialized equipment, which this campaign exploits.
Further details on this operation can be found in the full Acronis report.
