What happened
Threat actors used Google Ads malvertising to distribute a counterfeit Appsuite PDF Editor installer bundled with the TamperedChef infostealer. Beginning in mid-2025, malicious ads targeting users searching for appliance manuals and PDF tools redirected victims to deceptive sites hosting the trojanized installer. Once executed, the installer established persistence via registry entries and scheduled tasks, then deployed a stealthy infostealing component that harvested browser credentials, cookies, and autofill data. The actors also abused legitimately issued code-signing certificates to get past Windows SmartScreen, which lent the installer a further air of legitimacy. Sophos researchers identified over 100 infected systems across at least 19 countries, including Germany, the UK, and France.
Who is affected
Windows users anywhere who install software promoted through sponsored search results are exposed, particularly in roles where staff routinely search for appliance manuals or PDF tools, because the lure sits in the user's own search-and-download flow rather than in a phishing message.
Why CISOs should care
Malvertising on a trusted platform arrives through a normal user workflow (search, click, install), so it sidesteps mail filtering and other perimeter controls, and a valid code signature can carry the installer past SmartScreen. Because the payload is an infostealer, the likely follow-on is stolen browser credentials and session cookies being replayed for unauthorized access to corporate services.
3 practical actions
- Treat sponsored search results as an untrusted download channel: route software requests through an approved catalogue or package manager, and consider filtering ad networks (ad blocking or DNS filtering) on managed endpoints.
- Educate staff on download sources: installers come from the vendor's own site or the internal catalogue, never from an ad, and a "free PDF editor" that turns up while looking for a manual is a red flag.
- Harden and hunt on endpoints: alert on newly created Run-key entries and scheduled tasks pointing at binaries outside standard install locations, watch for unexpected access to browser credential and cookie stores, and do not treat a valid Authenticode signature as proof of legitimacy, since this campaign used legitimately issued certificates.
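The persistence hunt above, as an added example that is not part of the original brief or the Sophos research: a PowerShell script that lists Run/RunOnce registry entries and scheduled-task actions, resolves the executable each one launches, and flags anything that lives outside the usual install roots or is not signed by an allow-listed publisher. A valid signature from an unfamiliar publisher is reported rather than trusted, which is the case the campaign's certificate abuse depends on. The $TrustedSigners and $TrustedRoots lists are assumptions to be tuned for your estate.

```powershell
# Added hunt script, not from the Sophos report or the original brief. It lists
# Run/RunOnce registry entries and scheduled-task actions whose executable sits
# outside the usual install roots or is not signed by an allow-listed publisher.
# $TrustedSigners and $TrustedRoots are assumptions: tune them to your estate.
$TrustedSigners = @('O=Microsoft Corporation')
$TrustedRoots   = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
                  Where-Object { $_ }

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-ExePath {
    # Turn a command line such as "C:\Foo\app.exe" /silent into C:\Foo\app.exe,
    # expanding environment variables and resolving bare names via PATH.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    if ($exe -and -not [System.IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found -and $found.Source) { $exe = $found.Source }
    }
    return $exe
}

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SignerVerdict {
    # A valid signature from an unfamiliar publisher is still a finding: this
    # campaign used legitimately issued certificates to get past SmartScreen.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'empty-command' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'file-missing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "not-valid:$($sig.Status)" }
    $subject = $sig.SignerCertificate.Subject
    foreach ($t in $TrustedSigners) { if ($subject -like "*$t*") { return 'trusted' } }
    return "valid-unknown-signer:$subject"
}

function Get-SuspiciousAutostarts {
    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }        # COM-handler actions have no Execute
            $entries += [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = "$($a.Execute) $($a.Arguments)"
            }
        }
    }
    foreach ($e in $entries) {
        $exe     = Resolve-ExePath $e.Command
        $verdict = Get-SignerVerdict $exe
        # Only the combination of a trusted location and a trusted signer is silent.
        if ((Test-TrustedPath $exe) -and $verdict -eq 'trusted') { continue }
        [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Executable = $exe; Verdict = $verdict }
    }
}

Get-SuspiciousAutostarts | Sort-Object Source, Name | Format-Table -AutoSize
```

Run it elevated so HKLM keys and every task path are readable. Expect some noise from legitimate software that installs under the user profile; what deserves a closer look is a valid-unknown-signer hit whose signer you do not recognise, paired with a recently created task or Run entry and a binary in a download or temp location.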
