Experts warn of TamperedChef malvertising campaign using Google Ads

Sophos is warning users about a new cyber threat called the TamperedChef malvertising campaign. The attack uses Google Ads to push a fake PDF editor that secretly installs an infostealer on Windows devices.

The campaign is linked to a wider operation known as EvilAI that began on June 26, 2025. Attackers promoted a trojanized app called AppSuite PDF Editor through paid ads. At first glance, the software looked legitimate. But once installed, it silently deployed malware designed to steal browser credentials and other sensitive data.

According to Sophos telemetry, more than 100 systems were compromised before detection. Victims were found in 19 countries, with Germany, the United Kingdom, and France showing the highest numbers.

Industries that rely on technical equipment were hit hardest, likely because workers often search online for product manuals, a behavior exploited by the attackers.

Sophos warns that TamperedChef used advanced tactics to stay hidden. These included delayed activation, staged payload delivery, decoy apps, and abuse of code‑signing certificates. While some domains tied to the campaign are now inactive, researchers say the infrastructure remains live, and new components are still being uncovered.

The company advises users to avoid downloading software from ads and stick to official vendor sites. Organizations should enforce strict application controls, disable browser password storage, and require multi‑factor authentication.

For those already affected, immediate credential resets and endpoint scans are recommended.
