Tracking TamperedChef Clusters via Certificate and Code Reuse
Unit 42 tracks TamperedChef-style malware clusters, which distribute trojanized productivity apps, through shared code-signing certificates and code reuse.
Summary
Unit 42 has identified multiple TamperedChef-style malware clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110) that account for over 4,000 samples across 100 unique variants. These trojanized productivity applications (PDF editors, calendars, ZIP extractors) use malvertising to deliver stealthy payloads and remain dormant for weeks or months before activating C2 communication. The malware shares code-signing certificates and overlapping code, enabling tracking via certificate analysis, code reuse patterns, and advertising platform intelligence.
Full text
By: Joseph Ganter
Published: May 20, 2026
Categories: Malware, Threat Research
Tags: Adware, Appsuite PDF, Certificates, CL-CRI-1089, CL-UNK-1090, DocuFlex, EvilAI, Malvertising, RATs, Remote Access Trojan, TamperedChef

Executive Summary

This article documents novel activity clusters that have significant overlap with the publicly described threat known as TamperedChef (aka EvilAI). TamperedChef-style malware is trojanized productivity software, such as PDF editors or calendars, that delivers malicious payloads. These campaigns typically employ malicious ads that direct users to sites hosting the applications. While this style of malware shares many similarities in technical operation, installation lures and distribution methods, we do not attribute it to a single author or group.

TamperedChef-style malware samples share characteristics with potentially unwanted programs (PUPs) and adware. These include robust mechanisms to remain persistent, and end-user license agreements (EULAs) that attempt to legally cover the software's questionable actions. However, TamperedChef-style malware is far more stealthy than PUPs or adware, remaining dormant for weeks to months before activating. It also maintains continuous command and control (C2) channels that enable adversaries to retrieve additional payloads, such as information stealers, proxy tooling or remote access Trojans (RATs).

We have been tracking several campaigns of TamperedChef-style activity starting in 2024, with three distinct clusters: CL-CRI-1089, CL-UNK-1090 and CL-UNK-1110. Across the three clusters, we have identified over 4,000 samples across 100 unique variants.
Palo Alto Networks customers are better protected from the TamperedChef activity discussed in this article through the following products and services:
- Cortex XDR and XSIAM
- Prisma Browser

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

The Rise of Malicious Productivity Applications

Since early 2024, we have observed a sharp increase in information stealer-style incidents originating from software mimicking legitimate productivity tools (e.g., PDF editors, ZIP file extractors, GIF image makers). Upon deeper inspection, these applications generally contain code that enables the delivery of arbitrary binaries. These features are typically used to deploy stealer malware.

In 2025, our telemetry revealed over 100 unique variants of malware masquerading as productivity software. All of them contained a malicious component, such as basic RAT capabilities or the delivery of adware and infostealers. Due to their legitimate functionality and tendency to remain dormant for long periods of time, these applications often go unnoticed by the victim. They are also commonly downplayed or miscategorized by defenders and security researchers as potentially unwanted programs (PUPs). Because these applications can execute arbitrary code on victims' machines, either directly or indirectly through module loads, these threats are more significant than mere background annoyances or adware.
We have been able to track over 4,000 file hashes and 81 unique code-signing organizations through several methods, including:
- Reviewing the code-signing certificates of the binaries
- Analyzing code reuse among the binaries
- Open-source intelligence (OSINT) on the corporate structures of the organizations distributing the binaries
- Leveraging ad transparency platforms to hunt for advertising overlaps that can identify additional organizations distributing the binaries

We have identified TamperedChef-style malware campaigns starting in 2023. These malicious productivity application campaigns include AppSuite PDF, Calendaromatic, JustAskJacky and CrystalPDF.

Masquerading in Plain Sight

The actors behind these campaigns take steps not commonly observed with other adware groups to remain undetected. In some cases, these attackers appear to diversify their revenue streams through more aggressive and malicious activities. This diversification includes deploying infostealers, establishing residential proxies and exhibiting behavior that resembles access brokers.

These applications avoid many of the common indicators that users are trained to associate with downloading malicious software. Instead, the campaigns rely on:
- Well-built, legitimate-looking websites that are:
  - Free of ads (as shown in Figure 1)
  - Modern and credible in appearance
  - Complete with common elements like descriptions, legal terms and contact pages
- Unique and contextually relevant domains for each campaign
- One-click download buttons served by large content distribution networks (CDNs) to minimize friction
- Delivery of the promised functionality with minimal bloat, so victims are not likely to suspect anything is amiss

Figure 1. Examples of download pages for TamperedChef-style fake productivity applications.

Attackers also employ several tricks to avoid detection.
These tricks include:
- Using code signing to increase the apparent legitimacy of the binaries
- Rebuilding binaries with only minor changes on a frequent basis to minimize the effectiveness of static or hash-based detection; the exact frequency varies, but is typically between one week and one month per rebuild
- Remaining dormant for periods of weeks to months before retrieving or running malicious components

This combination of technical and social masquerading enables these applications to remain undiscovered, unreported and free to operate without resistance for months — if not years — at a time.

What Is Adware vs. Malware?

Adware is a class of software designed to increase the number of ads a user sees. The more ads they see, the more money the distributor makes. This is typically done through some form of browser manipulation or additional free tooling bundled alongside downloads. Adware sits in a middle zone between malware and legitimate software, often employing malware-like tactics to maintain persistence or to display more ads to users.

The distinction between malware and adware can be so fine that the two are indistinguishable under static analysis, only becoming clear after misuse occurs. Adware and malware are also often interlinked, with many seemingly legitimate adware developers overstepping into malware territory, either naively or intentionally.

Modern adware also walks the line between legal and illegal behavior. EULAs are one way the groups behind adware and TamperedChef-style malware attempt to protect themselves legally. Examples of this are found on websites distributing TamperedChef-style software, such as one from hxxps[:]//www.crystalpdf[.]com/conditions: “The Additional Services offer users enhanced, tailored features.
Be aware that using these services may modify your browser’s new tab settings or installed features, possibly altering your browser configuration.” However, TamperedChef-style programs execute commands remotely, exfiltrate users' credentials and deploy malware without consent. These actions firmly place them in the malware category.

A Historical Review of TamperedChef (Aka EvilAI)

The name TamperedChef was initially given to a cluster of activity that included several malicious recipe applications, PDF editors, manuals and search assistant applications. It started to see widespread installation in June 2025, with some evidence suggesting these applications have been in the wild since February 2025. As reporting on malicious productivity apps within the cybersecurity community grew, TamperedChef became a broad, informal term for several productivity software campaigns. These campaigns are likely not all operated by the same group. The confusion in previous reporting i
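The tracking methods listed earlier in the article (reviewing code-signing certificates, analyzing code reuse, and correlating advertiser accounts from ad transparency platforms) all reduce to the same operation: treat each shared attribute as a pivot and merge samples that share one into a cluster. The script below is an added example of that pivot clustering, not Unit 42's code or tooling. Every value in it is a constructed placeholder (the `sample-NN` labels, signer organizations, `THUMB-*` thumbprints, `f*` code fingerprints and `AD-ACCT-*` advertiser IDs); in practice the fields would be populated from the Authenticode signer of each PE and from your own function- or string-hashing of the binaries. The `min_shared_code` threshold is an assumption: a single shared fingerprint is weak evidence because library code is common, so two samples must overlap on at least that many fingerprints before code reuse alone links them.

```python
"""Pivot-based clustering of signed binaries by certificate and code reuse.

Added example, not Unit 42 code. Every value below is a constructed
placeholder: the sha256 labels, signer organizations, certificate
thumbprints, code fingerprints and advertiser IDs are invented to show the
technique and are not indicators from the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    """Static metadata extracted from one signed PE (e.g. with pefile/signify)."""
    sha256: str                        # placeholder label, not a real hash
    signer_org: str                    # Subject O= of the code-signing leaf certificate
    cert_thumbprint: str               # SHA-1 thumbprint of that leaf certificate
    code_fingerprints: FrozenSet[str]  # hashes of functions/strings shared between builds
    ad_account: Optional[str]          # advertiser account seen on an ad transparency platform


class UnionFind:
    """Minimal disjoint-set structure used to merge samples into clusters."""
    def __init__(self, keys):
        self.parent = {k: k for k in keys}

    def find(self, k):
        while self.parent[k] != k:
            self.parent[k] = self.parent[self.parent[k]]  # path halving
            k = self.parent[k]
        return k

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


Reason = Tuple[str, object, str, str]  # (pivot kind, shared value, sample A, sample B)


def build_clusters(samples: List[Sample], min_shared_code: int = 2):
    """Link samples that share a hard pivot (certificate thumbprint, signer
    organization, advertiser account) or at least min_shared_code code
    fingerprints. Returns (clusters, reasons)."""
    uf = UnionFind([s.sha256 for s in samples])
    reasons: List[Reason] = []

    # Hard pivots: an exact match on any of these links two samples outright.
    for pivot in ("cert_thumbprint", "signer_org", "ad_account"):
        index: Dict[str, List[str]] = defaultdict(list)
        for s in samples:
            value = getattr(s, pivot)
            if value is not None:
                index[value].append(s.sha256)
        for value, members in index.items():
            for a, b in combinations(members, 2):
                uf.union(a, b)
                reasons.append((pivot, value, a, b))

    # Soft pivot: code reuse. One shared fingerprint is weak evidence (library
    # code is common), so require an overlap of at least min_shared_code.
    for a, b in combinations(samples, 2):
        shared = a.code_fingerprints & b.code_fingerprints
        if len(shared) >= min_shared_code:
            uf.union(a.sha256, b.sha256)
            reasons.append(("code_reuse", tuple(sorted(shared)), a.sha256, b.sha256))

    groups: Dict[str, List[str]] = defaultdict(list)
    for s in samples:
        groups[uf.find(s.sha256)].append(s.sha256)
    clusters = sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])
    return clusters, reasons


def explain(cluster: List[str], reasons: List[Reason]) -> List[Reason]:
    """Return the pivot links that hold a given cluster together."""
    members = set(cluster)
    return [r for r in reasons if r[2] in members and r[3] in members]


# Constructed sample set: sample-01/02 share a signer organization across a
# certificate rotation, sample-03 shares an ad account and two fingerprints
# with sample-01, sample-04/05 reuse one certificate, sample-06 is unrelated,
# and sample-02/05 share only a single fingerprint (below the threshold).
SAMPLES = [
    Sample("sample-01", "Alpha Soft Ltd (constructed)", "THUMB-ALPHA-1", frozenset({"f1", "f2", "f3"}), "AD-ACCT-1"),
    Sample("sample-02", "Alpha Soft Ltd (constructed)", "THUMB-ALPHA-2", frozenset({"f1", "f2", "f9"}), None),
    Sample("sample-03", "Beta Tools LLC (constructed)", "THUMB-BETA-1", frozenset({"f2", "f3", "f4"}), "AD-ACCT-1"),
    Sample("sample-04", "Gamma Apps (constructed)", "THUMB-GAMMA-1", frozenset({"f7", "f8"}), "AD-ACCT-2"),
    Sample("sample-05", "Gamma Apps (constructed)", "THUMB-GAMMA-1", frozenset({"f7", "f8", "f9"}), None),
    Sample("sample-06", "Delta Utilities (constructed)", "THUMB-DELTA-1", frozenset({"f10", "f11"}), None),
]

if __name__ == "__main__":
    clusters, reasons = build_clusters(SAMPLES)
    for cluster in clusters:
        print("cluster:", ", ".join(cluster))
        for kind, value, a, b in explain(cluster, reasons):
            print(f"  {kind}: {a} <-> {b} via {value}")
```

Lowering `min_shared_code` to 1 merges the first two clusters through the single fingerprint that sample-02 and sample-05 share, which is exactly the kind of over-linking the threshold guards against; the `reasons` list records which pivot produced each link so an analyst can review the weakest edges before trusting a merged cluster.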
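The dormancy trick listed above (remaining quiet for weeks to months before retrieving or running malicious components) also gives defenders a hunt: for each installed application, measure the time between installation and its first outbound network connection, and review the ones that sat silent for a long stretch and then started talking. The script below is an added example of that time-to-first-network check, not Unit 42's detection logic. The JSON-lines telemetry is constructed (the paths, signer names and destination hostnames are placeholders), and the 14-day threshold is an assumption chosen to sit inside the weeks-to-months window the article describes.

```python
"""Time-to-first-network hunt for long-dormant installed applications.

Added example, not Unit 42 code. TELEMETRY is constructed endpoint log data
(install, process and network events as JSON lines); paths, signers and
destinations are placeholders, and the 14-day threshold is an assumption.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed telemetry. pdfeditor.exe is installed on June 1 and makes its
# first outbound connection on July 15; updater.exe connects within minutes;
# zipextract.exe never connects. JSON escapes the backslashes in the paths.
TELEMETRY = r"""
{"ts":"2025-06-01T09:00:00Z","event":"install","image":"C:\\Program Files\\PdfEditorPro\\pdfeditor.exe","signer":"Example Editor Co (constructed)"}
{"ts":"2025-06-01T09:00:10Z","event":"install","image":"C:\\Program Files\\Updater\\updater.exe","signer":"Example Vendor (constructed)"}
{"ts":"2025-06-01T09:05:00Z","event":"network","image":"C:\\Program Files\\Updater\\updater.exe","dest":"updates.example"}
{"ts":"2025-06-02T08:00:00Z","event":"process","image":"C:\\Program Files\\PdfEditorPro\\pdfeditor.exe"}
{"ts":"2025-06-20T11:00:00Z","event":"install","image":"C:\\Program Files\\ZipExtract\\zipextract.exe","signer":"Example Archive Co (constructed)"}
{"ts":"2025-07-15T09:00:00Z","event":"network","image":"C:\\Program Files\\PdfEditorPro\\pdfeditor.exe","dest":"placeholder-c2.example"}
{"ts":"2025-07-15T09:00:05Z","event":"network","image":"C:\\Program Files\\PdfEditorPro\\pdfeditor.exe","dest":"placeholder-c2.example"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into event dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def dormancy_report(events: List[dict], min_days: float = 14.0) -> List[dict]:
    """For every installed image, compute days from install to first outbound
    connection and classify it. Images with no network activity are reported
    separately rather than silently dropped."""
    installed: Dict[str, datetime] = {}
    first_net: Dict[str, dict] = {}
    for e in sorted(events, key=lambda r: r["ts"]):
        image = e["image"]
        if e["event"] == "install":
            installed.setdefault(image, e["ts"])      # keep the earliest install
        elif e["event"] == "network" and image not in first_net:
            first_net[image] = e                      # keep the first connection
    findings = []
    for image, installed_at in installed.items():
        net = first_net.get(image)
        if net is None:
            findings.append({"image": image, "days_to_first_network": None,
                             "first_dest": None, "status": "no-network-yet"})
            continue
        days = (net["ts"] - installed_at).total_seconds() / 86400
        status = "dormant-then-active" if days >= min_days else "active-at-install"
        findings.append({"image": image, "days_to_first_network": days,
                         "first_dest": net["dest"], "status": status})
    return findings


def dormant_images(events: List[dict], min_days: float = 14.0) -> List[str]:
    """Convenience filter: only the images that went quiet and then woke up."""
    return [f["image"] for f in dormancy_report(events, min_days)
            if f["status"] == "dormant-then-active"]


if __name__ == "__main__":
    for finding in dormancy_report(parse_events(TELEMETRY)):
        print(finding)
```

A long gap on its own is not an alert: plenty of legitimate software only reaches out when a feature is first used. The value of the check is as a triage filter, pairing each dormant-then-active image with the signer and certificate pivots from the clustering method above so that a quiet application whose signer organization already sits in a tracked cluster rises to the top of the review queue.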
Indicators of Compromise
- malware — TamperedChef
- malware — EvilAI