TamperedChef Malware Campaign Exploits Fake Installers for Persistent Access

These articles are AI-generated summaries. Please check the original sources for full details.

TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign

Threat actors are distributing the TamperedChef malware through counterfeit installers and SEO abuse, achieving persistence via JavaScript backdoors. The campaign, active since 2025, has infected systems across healthcare, construction, and manufacturing sectors.

Why This Matters

The attack leverages code-signing certificates from shell companies to bypass trust mechanisms, highlighting a gap between ideal secure software distribution models and real-world exploitation. The malware’s persistence mechanism—scheduled tasks launching obfuscated JavaScript—evades detection, with telemetry showing over 100,000 infections globally. The financial and operational risks to targeted industries, including data exfiltration and advertising fraud, underscore the scale of the threat.

Key Insights

  • “Fake installers signed with stolen certificates, 2025”: Attackers use revoked certificates from U.S., Panama, and Malaysia-based shell companies to mimic legitimacy.
  • “Scheduled tasks for persistence, used in TamperedChef”: Malware creates Windows tasks to execute a JavaScript backdoor post-installation.
  • “BaoLoader also known as TamperedChef, per Acronis 2025”: The malware family is tracked under multiple names, complicating detection.
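The persistence pattern described above (a Windows scheduled task that launches a JavaScript backdoor) can be hunted for directly. The following is an added defender-side example, not code from the original article or from any vendor report; it assumes the payload is run through a standard script host (wscript.exe, cscript.exe or mshta.exe), which is an assumption, not a detail stated on the page.

```powershell
# Added example: enumerate scheduled tasks whose action launches a script host
# with a .js payload, the persistence technique the summary attributes to
# TamperedChef. Run in an elevated PowerShell session on the host being checked.
$scriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe')   # assumed JS hosts

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute property; only exec actions matter here
        if (-not $action.Execute) { continue }

        # Execute may contain %SystemRoot% etc.; only the file name is compared
        $exe       = [System.IO.Path]::GetFileName($action.Execute).ToLower()
        $argString = [string]$action.Arguments

        # Flag a .js argument or an explicit JScript engine switch (//E:JScript)
        $runsJs = ($argString -match '(?i)\.js\b') -or ($argString -match '(?i)//?e:jscript')
        if (($scriptHosts -contains $exe) -and $runsJs) {
            # Pull the script path out of the arguments so it can be triaged
            $scriptPath = if ($argString -match '(?i)("[^"]+\.js"|\S+\.js)') {
                $Matches[1].Trim('"')
            } else { $null }

            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                Author     = $task.Author
                State      = $task.State
                Execute    = $action.Execute
                ScriptPath = $scriptPath
                Arguments  = $argString
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No scheduled tasks launching JavaScript via a script host were found.'
}
```

Any hit is a triage lead rather than a verdict: confirm the task's creation time and the script's location and signer before acting, since legitimate administration scripts can match the same pattern.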

Practical Applications

  • Use Case: Healthcare sector targeted via fake PDF editors, leading to data exfiltration.
  • Pitfall: Trusting code-signed apps without verification, leading to malware persistence.
