TamperedChef Malware Clusters Tracked via Certificate and Code Reuse
Palo Alto Networks Unit 42 documents three distinct TamperedChef-style malware clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110) distributing trojanized productivity software with 4,000+ samples across 100 unique variants since 2024.
Attack Brief
Target: End users via trojanized productivity applications (PDF editors, calendars, file extractors, image makers)
Vector: Malicious advertisements directing users to legitimate-appearing download sites hosting trojanized software; one-click downloads via CDNs
Attribution: unattributed
Technical Details
MITRE ATT&CK: T1547, T1071, T1041, T1005
IoCs: hxxps://www.crystalpdf.com/conditions
Affected: Over 100 unique variants identified in 2025; campaigns active since early 2024; 4,000+ file hashes tracked; 81 unique code signing organizations identified
Impact
Affected Organisations: unattributed
Confirmed Damage: Credential exfiltration; arbitrary code execution; deployment of information stealers, remote access trojans (RATs), residential proxy tooling; access broker activity
Mitigation
Detection: Monitor for code-signing certificate reuse; track binary rebuilds with minor changes (typical frequency: weekly to monthly); identify dormancy periods of weeks to months before malicious payload activation; hunt for C2 communication patterns enabling arbitrary payload retrieval
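The three hunting heuristics above (signer reuse across products, rebuild cadence, dormancy before activation) applied to sample metadata, as an added example that is not Unit 42's code or tooling. The records, hashes, signer organisation names and dates are constructed placeholders; only the product names come from the brief.

```python
"""Hunt heuristics from the brief over constructed sample metadata (hypothetical data)."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample metadata, not real IoCs: product names follow the brief,
# signer organisations, hashes and dates are placeholders.
SAMPLES = [
    {"sha256": "hash-001", "product": "AppSuite PDF", "signer": "Signer Org A",
     "first_seen": date(2025, 3, 1), "payload_active": date(2025, 4, 5)},
    {"sha256": "hash-002", "product": "AppSuite PDF", "signer": "Signer Org A",
     "first_seen": date(2025, 3, 10), "payload_active": date(2025, 4, 5)},
    {"sha256": "hash-003", "product": "Calendaromatic", "signer": "Signer Org A",
     "first_seen": date(2025, 3, 24), "payload_active": date(2025, 3, 25)},
    {"sha256": "hash-004", "product": "CrystalPDF", "signer": "Signer Org B",
     "first_seen": date(2025, 5, 2), "payload_active": date(2025, 6, 20)},
]

def signers_reused_across_products(samples):
    """Signer organisations whose certificate signs more than one trojanized product."""
    products = defaultdict(set)
    for s in samples:
        products[s["signer"]].add(s["product"])
    return {sig: sorted(p) for sig, p in products.items() if len(p) > 1}

def dormant_samples(samples, min_days=14):
    """Hashes whose payload stayed inactive for at least min_days after first sighting."""
    return sorted(s["sha256"] for s in samples
                  if (s["payload_active"] - s["first_seen"]).days >= min_days)

def rebuild_cadence_days(samples):
    """Median days between successive builds of each product (products with 2+ builds)."""
    by_product = defaultdict(list)
    for s in samples:
        by_product[s["product"]].append(s["first_seen"])
    cadence = {}
    for prod, dates in by_product.items():
        dates.sort()
        gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
        if gaps:
            cadence[prod] = median(gaps)
    return cadence

if __name__ == "__main__":
    print(signers_reused_across_products(SAMPLES))
    print(dormant_samples(SAMPLES))
    print(rebuild_cadence_days(SAMPLES))
```

A cadence value inside the weekly-to-monthly band the brief describes, combined with a shared signer, is the kind of overlap that motivates grouping samples into one activity cluster.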
Context
Similar Attacks: TamperedChef-style malware campaigns identified include AppSuite PDF, Calendaromatic, JustAskJacky, and CrystalPDF; activity clusters CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 share technical overlap but are not attributed to a single author or group