This article describes multiple TamperedChef-style campaigns that distribute trojanized productivity apps such as PDF editors, calendars, and file tools, with activity clustered under CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110. The campaigns use malvertising, code signing, delayed activation, and persistent C2 to deliver second-stage payloads like RATs, infostealers, proxy tooling, and browser hijackers. #TamperedChef #EvilAI #CL-CRI-1089 #CL-UNK-1090 #CL-UNK-1110
Key points
- Multiple TamperedChef-style activity clusters overlap with the publicly described threat TamperedChef (aka EvilAI), but the article does not attribute them to one author or group.
- The campaigns use fake productivity software, including PDF editors, calendars, ZIP tools, GIF makers, and file converters, to deliver malicious payloads.
- The researchers tracked more than 4,000 samples across 100 unique variants and observed over 12,000 unique instances in their customer base.
- Two major clusters, CL-CRI-1089 and CL-UNK-1090, were mapped through code-signing reuse, advertising overlaps, corporate structures, and OSINT.
- Malicious activity often remains dormant for weeks or months before activation, then downloads second-stage payloads such as RATs, infostealers, proxy tools, and adware.
- The operators rely heavily on malvertising, sponsored results, and search engine marketing, with some groups showing vertical integration between ad creation and malware signing.
- The article highlights prevention and response steps such as EDR/XDR, browser hardening, token revocation, credential resets, and removal of persistence mechanisms.
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains - Attackers used legitimate-looking websites and unique campaign domains to host and distribute fake productivity apps ("distributing via well-built, legitimate-looking websites" and "leveraging unique and contextually relevant domains for each campaign").
- [T1071.001] Application Layer Protocol: Web Protocols - Campaigns used continuous C2 methods and upstream APIs to retrieve and run additional payloads ("continuous command and control (C2) methods" and "trigger the next stage ... delivered via an upstream API").
- [T1204.002] User Execution: Malicious File - Victims were lured into downloading and running trojanized productivity software from ads and search results ("malicious ads that direct users to sites hosting the applications").
- [T1112] Modify Registry - Persistence was often implemented through registry Run keys ("implementing a robust persistence mechanism, almost always through scheduled tasks or registry Run keys").
- [T1053.005] Scheduled Task/Job: Scheduled Task - The malware established persistence by creating scheduled tasks ("implementing a robust persistence mechanism, almost always through scheduled tasks").
- [T1027] Obfuscated Files or Information - Samples used obfuscation to hide malicious components and command strings ("obfuscating the malicious components" and "homoglyphs to obfuscate the incoming command strings").
- [T1036] Masquerading - Malware pretended to be legitimate productivity applications and used legitimate-looking branding, pages, and licensing terms ("fake productivity applications" and "appearing modern and credible").
- [T1587.001] Develop Capabilities: Malware - The actors created many custom variants and codebases for productivity-app malware ("over 100 unique variants" and "new codebase for each campaign").
- [T1113] Screen Capture - Some payloads gathered screen-related details from victims ("screen size").
- [T1005] Data from Local System - Initial information gathering collected system and host details from infected machines ("system version, hostname and active browsers").
- [T1016] System Network Configuration Discovery - Some campaigns collected geolocation and domain information from the environment ("domain information, geolocation").
- [T1041] Exfiltration Over C2 Channel - Data and credentials were exfiltrated through malicious command-and-control infrastructure ("exfiltrate users' credentials" and "continuous command and control").
- [T1219] Remote Access Software - The second stage often included RATs or access-broker-like behavior ("deploying ... remote access Trojans (RATs)" and "behavior that resembles access brokers").
- [T1021] Remote Services - The malware enabled remote command execution and control over victim systems ("execute commands remotely").
Indicators of Compromise
- [SHA256] PDB-bearing RapiDoc binaries identified in the article - 248de1470771904462c91f146074e49b3d7416844ec143ade53f4ac0487fdb44, 2231bfa7c7bd4a8ff12568074f83de8e4ec95c226230cccc6616a1a4416de268
- [File name / archive component] Calendaromatic sample structure - calendaromatic-win_x64.exe, resources.neu, and 7zSFX
- [Domain] Malicious infrastructure and landing pages mentioned in the article - onezipapp[.]com, pixel.toolname[.]com
- [Website / URL] Distribution and conditions pages referenced for malicious productivity software - hxxps[:]//www.crystalpdf[.]com/conditions
- [Signer / organization names] Code-signing entities associated with TamperedChef-style samples - CANDY TECH LTD, TAU CENTAURI LTD, MARKET FUSION INNOVATIONS LLC, CROWN SKY LLC, and 2 more items
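As an added example (not code from the Unit 42 article), a small Python helper that refangs the indicators listed above and matches them against DNS query logs and a binary's hash and code-signer name; the DNS lines are constructed, and only the four signer names printed above are included.

```python
import re
# Indicators copied from the article's IoC list, in the defanged form given there.
ARTICLE_IOCS = {
    "sha256": ["248de1470771904462c91f146074e49b3d7416844ec143ade53f4ac0487fdb44",
               "2231bfa7c7bd4a8ff12568074f83de8e4ec95c226230cccc6616a1a4416de268"],
    "domain": ["onezipapp[.]com", "pixel.toolname[.]com",
               "hxxps[:]//www.crystalpdf[.]com/conditions"],
    "signer": ["CANDY TECH LTD", "TAU CENTAURI LTD",
               "MARKET FUSION INNOVATIONS LLC", "CROWN SKY LLC"],
}

def refang(value):
    # Undo the [.] / [:] / hxxp defanging used in published indicators.
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)

def extract_host(value):
    # Bare lowercase hostname from a defanged host or URL.
    value = refang(value).split("://", 1)[-1]
    return value.split("/", 1)[0].split(":", 1)[0].lower()

def host_matches(observed, ioc_host):
    # Exact match or a subdomain of the indicator host; a trailing dot is ignored.
    observed = observed.lower().rstrip(".")
    return observed == ioc_host or observed.endswith("." + ioc_host)

def scan_dns_log(lines, iocs=ARTICLE_IOCS):
    # Lines are "timestamp client qname"; returns (line_no, qname, matched_ioc_host).
    hosts = [extract_host(d) for d in iocs["domain"]]
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        hits.extend((n, parts[2], h) for h in hosts if host_matches(parts[2], h))
    return hits

def check_binary(sha256, signer, iocs=ARTICLE_IOCS):
    # Reasons a file matches: a published hash and/or a listed code-signing entity.
    reasons = []
    if sha256.lower() in iocs["sha256"]:
        reasons.append("sha256")
    if signer.strip().upper() in {s.upper() for s in iocs["signer"]}:
        reasons.append("signer")
    return reasons

# Constructed sample DNS lines (not from the article) to exercise the matcher.
SAMPLE_DNS = [
    "2024-01-01T10:00:00Z 10.0.0.5 www.crystalpdf.com",
    "2024-01-01T10:00:01Z 10.0.0.5 updates.example.org",
    "2024-01-01T10:00:02Z 10.0.0.7 onezipapp.com.",
    "2024-01-01T10:00:03Z 10.0.0.7 notonezipapp.com",
]
```

Note that the URL indicator yields the host www.crystalpdf.com, so the matcher deliberately does not flag the bare apex or other subdomains unless they are added as separate indicators.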
Read more: https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/