TamperedChef serves bad ads, with infostealers as the main course

The TamperedChef malvertising campaign evolved from testing its delivery chain with benign applications to widespread credential theft, abusing ad networks and SEO poisoning to reach victims. Despite detection and response efforts, the threat actors continue to operate covertly and to stand up new infrastructure. #TamperedChef #Infostealer

Key points

  • The campaign began with seemingly harmless potentially unwanted applications (PUAs) such as OneStart and Epibrowser, used to test delivery strategies.
  • The full operation launched in June 2025, using fake PDF websites and Google Ads to lure victims.
  • The malware remained dormant for about 56 days before being remotely activated to steal sensitive data.
  • Over 300 hosts across more than 100 organizations were affected, prompting an active response from Sophos MDR.
  • The threat actors continue to operate covertly, with ongoing discovery of new domains and certificates indicating persistence.

Read More: https://www.sophos.com/en-us/blog/tamperedchef-serves-bad-ads-with-infostealers-as-the-main-course