Unit 42 Tracks TamperedChef Malware Clusters Using Certificate and Code Reuse
Unit 42 has identified over 4,000 samples across three TamperedChef malware clusters that deliver stealthy payloads via trojanized productivity apps and malvertising.

Unit 42 researchers have published a detailed analysis of TamperedChef malware clusters, tracking over 4,000 samples across 100 unique variants since 2024. The campaign, also known as EvilAI, distributes trojanized productivity software such as PDF editors and calendar apps through malicious advertisements. These apps appear legitimate but remain dormant for weeks or months before deploying information stealers, proxy tooling, or remote access Trojans.

The three identified clusters—CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110—share significant technical overlap in code signing certificates and code reuse. Unit 42 tracked 81 unique code-signing organizations and used ad transparency platforms to identify distribution networks. The malware avoids detection by using well-built websites, one-click downloads via CDNs, and frequent binary rebuilds (every one to four weeks) to evade hash-based detection.
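
The pivot described above, from per-file hashes to the code-signing organization and release cadence, can be reproduced on sample metadata. The following is an added example and not Unit 42's tooling: every hash, signer organization, product name and date in it is constructed, and the 7-to-28-day window is taken from the report's "every one to four weeks" rebuild cadence. It shows why six distinct hashes collapse into two signer clusters, how one certificate turns up across more than one lure, and how a steady rebuild interval can be flagged.

```python
"""Cluster samples by code-signing organization instead of file hash.

Added example, not Unit 42's code. All samples below are constructed:
the hashes are placeholders, the signer and product names are invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Sample:
    sha256: str        # constructed placeholder, not a real indicator
    signer_org: str    # organization name from the code-signing certificate
    product_name: str  # product name from the installer / app metadata
    first_seen: date   # first observation date (constructed)


# Constructed corpus: six distinct binaries signed by two organizations.
SAMPLES: List[Sample] = [
    Sample("a1" * 32, "Acme Docs Ltd", "SamplePDF Editor", date(2025, 1, 6)),
    Sample("a2" * 32, "Acme Docs Ltd", "SamplePDF Editor", date(2025, 1, 20)),
    Sample("a3" * 32, "Acme Docs Ltd", "SamplePDF Editor", date(2025, 2, 10)),
    Sample("a4" * 32, "Acme Docs Ltd", "SampleCalendar", date(2025, 2, 24)),
    Sample("b1" * 32, "Bluesky Software Co", "SampleNotes", date(2025, 1, 15)),
    Sample("b2" * 32, "Bluesky Software Co", "SampleNotes", date(2025, 1, 16)),
]


def cluster_by(samples: List[Sample], key: Callable[[Sample], str]) -> Dict[str, List[Sample]]:
    """Group samples by an arbitrary key function."""
    clusters: Dict[str, List[Sample]] = defaultdict(list)
    for s in samples:
        clusters[key(s)].append(s)
    return dict(clusters)


def cluster_by_hash(samples: List[Sample]) -> Dict[str, List[Sample]]:
    """Hash-based view: every rebuilt binary is its own cluster."""
    return cluster_by(samples, lambda s: s.sha256)


def cluster_by_signer(samples: List[Sample]) -> Dict[str, List[Sample]]:
    """Certificate-based view: rebuilds signed by the same org fall together."""
    return cluster_by(samples, lambda s: s.signer_org)


def products_per_signer(samples: List[Sample]) -> Dict[str, Set[str]]:
    """Which product names each signing organization has put its name on.

    A signer that covers several unrelated 'productivity' products is the
    certificate-reuse overlap the report uses to link clusters."""
    products: Dict[str, Set[str]] = defaultdict(set)
    for s in samples:
        products[s.signer_org].add(s.product_name)
    return dict(products)


def rebuild_cadence_days(samples: List[Sample], signer_org: str) -> List[int]:
    """Gaps in days between successive first-seen dates for one signer."""
    dates = sorted(s.first_seen for s in samples if s.signer_org == signer_org)
    return [(later - earlier).days for earlier, later in zip(dates, dates[1:])]


def flag_rebuild_pattern(samples: List[Sample], min_days: int = 7, max_days: int = 28) -> List[str]:
    """Signers whose every rebuild lands in the one-to-four-week window."""
    flagged = []
    for signer in cluster_by_signer(samples):
        gaps = rebuild_cadence_days(samples, signer)
        if gaps and all(min_days <= g <= max_days for g in gaps):
            flagged.append(signer)
    return sorted(flagged)


if __name__ == "__main__":
    print("hash clusters:  ", len(cluster_by_hash(SAMPLES)))
    print("signer clusters:", len(cluster_by_signer(SAMPLES)))
    for signer, products in products_per_signer(SAMPLES).items():
        print(f"{signer}: {sorted(products)}  gaps={rebuild_cadence_days(SAMPLES, signer)}")
    print("steady rebuild cadence:", flag_rebuild_pattern(SAMPLES))
```

In a real hunt the `Sample` records would come from a sandbox or EDR export of Authenticode signer fields, and `first_seen` from the telemetry timestamp; the clustering and cadence logic stays the same. The cadence check is deliberately a weak signal on its own and is meant to be combined with the signer and product overlaps, not used as a verdict.
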

TamperedChef-style malware is stealthier than typical adware or PUPs. It employs robust persistence mechanisms and end-user licensing agreements that attempt to legally justify questionable behavior. The attackers diversify revenue streams by deploying infostealers, establishing residential proxies, and acting as access brokers. Campaigns dating back to 2023 include AppSuite PDF, Calendaromatic, JustAskJacky, and CrystalPDF.

The analysis highlights the challenge of distinguishing these threats from adware, as they often go unreported for months. Palo Alto Networks customers are protected via Cortex XDR, XSIAM, and Prisma Browser. The report provides indicators of compromise and emphasizes the need for defenders to treat such applications as significant threats rather than mere annoyances.