What happened
Security researchers at Acronis Threat Research Unit (TRU) uncovered an ongoing global campaign dubbed “TamperedChef” in which cyber-actors distribute fake software installers laced with a backdoor and “information-stealer” malware.
The installers masquerade as legitimate utilities and are signed using abused code-signing certificates issued to shell companies, allowing them to appear trustworthy and bypass security detection.
Who is affected
- End-users globally who download applications such as PDF editors or product-manual software via search results or via advertised or poisoned URLs.
- Organizations in sectors including healthcare, construction, and manufacturing are particularly affected, according to telemetry data showing higher infection rates in those industries.
- Geographic regions with notable infection telemetry include the U.S., Israel, Spain, Germany, India, and Ireland.
Why CISOs should care
- The campaign uses social engineering via SEO and malvertising to trick users into downloading malicious software that may bypass traditional perimeter defenses.
- Once installed, the malware establishes persistence via scheduled tasks and obfuscated JavaScript.
- Compromised devices may exfiltrate system metadata or enable remote access, posing a risk of data breaches, fraud, or the deployment of additional malicious payloads.
3 Practical Actions for CISOs
- Validate software installers and certificate chains. Enforce code-signing verification policies and ensure that installers originate from trusted sources. Implement allow-listing where feasible.
- Educate users on the risks of malvertising and fake downloads. Run awareness campaigns highlighting the dangers of downloading tools from search ads or unverified sites, especially for specialized software.
- Monitor endpoints for signs of scheduled task creation and unusual JavaScript execution. Deploy endpoint detection & response (EDR) tools and regularly review executed tasks/scripts for anomalies.
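As an added illustration of the monitoring action above (this script is not from the Acronis report), the Python below triages the task-definition XML that Windows records in the TaskContent field of Security event 4698 when a scheduled task is created, flagging actions that launch a script host, reference a script file, or run from a user-writable directory. The heuristics and the two sample task definitions are assumptions constructed for the example, not indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|hta)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


def suspicious_reasons(task_xml):
    """Return the heuristics tripped by the <Exec> actions of one task definition
    (the XML Windows records in the TaskContent field of Security event 4698)."""
    reasons = []
    root = ET.fromstring(task_xml)
    for node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        # Script hosts are the usual launchers for JavaScript/VBScript persistence.
        exe = cmd.strip('"').replace("/", "\\").split("\\")[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host {exe}")
        if SCRIPT_EXT.search(cmd) or SCRIPT_EXT.search(args):
            reasons.append("script file in action")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("action runs from user-writable path")
    return reasons


def triage(events):
    """events: iterable of (task_name, task_xml); returns {task_name: reasons} for flagged tasks."""
    flagged = {}
    for name, task_xml in events:
        reasons = suspicious_reasons(task_xml)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample task definitions (not indicators from the campaign).
BENIGN = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Actions><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command>
<Arguments>/silent</Arguments></Exec></Actions></Task>"""
SUSPECT = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Actions><Exec><Command>C:\\Windows\\System32\\wscript.exe</Command>
<Arguments>//B //E:JScript C:\\Users\\alice\\AppData\\Roaming\\Vendor\\run.js</Arguments>
</Exec></Actions></Task>"""

if __name__ == "__main__":
    print(triage([("VendorUpdater", BENIGN), ("VendorHelper", SUSPECT)]))
```

Feed it the TaskContent field of exported 4698 events (or the XML from `schtasks /query /xml`) and review every task it flags by hand; the heuristics are deliberately broad and will also catch legitimate script-based tasks.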
