TamperedChef-style productivity malware clusters
Summary
Unit 42's May 2026 reporting describes several TamperedChef-style malware clusters built around trojanized productivity applications such as PDF editors, calendars, ZIP tools, and image utilities. The campaigns use polished websites, malvertising, code signing, frequent rebuilds, and long dormancy to look like legitimate software before activating C2 and delivering infostealers, proxy tooling, or RATs.
Unit 42 tracks three distinct clusters in this activity set — CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 — and reports more than 4,000 samples across over 100 variants and 81 code-signing organizations. The activity overlaps the publicly described TamperedChef / EvilAI ecosystem, but Unit 42 does not attribute all clusters to one author or group.
Tags
- ops
- operations
- malware
- TamperedChef
- EvilAI
- malvertising
- code signing
- adware
- infostealer
- RAT
- proxy
- persistence
- Windows
Why this matters
- These applications sit in a gray zone that defenders may dismiss as PUP/adware, yet Unit 42 reports remote command execution, credential theft, malware delivery, and proxy behavior.
- Long dormancy — weeks to months before activation — weakens sandbox verdicts and one-time install reviews.
- Polished websites, legal pages, EULAs, code signing, and functional applications create legitimacy signals for users and security tools.
- Frequent rebuilds and many signing organizations reduce the value of static hashes alone.
Common chain
- Users are routed through ads or legitimate-looking download pages for productivity software.
- The installer provides real functionality while embedding a component capable of remote module load or binary delivery.
- The application remains quiet long enough to avoid immediate suspicion.
- The operator activates C2 and retrieves follow-on payloads such as stealers, proxies, or RATs.
- Rebuilt binaries, varied brands, and fresh certificates keep the campaign resilient.
Defender heuristics
- Treat newly installed productivity utilities from ads as higher-risk than direct vendor or managed-software installs.
- Inventory software signed by low-reputation or recently created organizations; correlate certificate reuse across unrelated brands.
- Monitor delayed first-beacon behavior from desktop utilities, especially after weeks of dormancy.
- Hunt for fake PDF/calendar/archive/image-tool brands that install persistence, browser changes, proxy components, or remote module loaders.
- Prefer behavior, signing graph, and distribution-channel analytics over hash-only detection.
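The heuristics above can be turned into a simple triage pass over a software inventory. The script below is an added example, not Unit 42's code or tooling: it runs over a constructed inventory (hypothetical hosts, brands, signers and dates, not indicators from the report), flags ad-sourced installs, first beacons that occur only after a dormancy period, code-signing organizations reused across several brands, and lure-category utilities (PDF, calendar, archive, image) that set persistence outside managed deployment. The 14-day dormancy threshold and the field names are assumptions; adapt them to your own inventory and telemetry schema.

```python
"""Triage installed desktop utilities against TamperedChef-style heuristics.

Added example, not Unit 42's code. All records, hosts, brands and signing
organizations below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANCY_DAYS = 14  # assumed threshold: first C2 beacon this long after install is suspicious
LURE_CATEGORIES = {"pdf", "calendar", "archive", "image"}  # brand types named in the report
HIGHER_RISK_SOURCES = {"ad_landing_page"}  # installs routed through ads / download pages

# Constructed sample inventory (hypothetical values; not real IoCs).
INVENTORY = [
    {"host": "ws-01", "app": "QuickPDF Studio", "category": "pdf",
     "signer": "Example Signing Org A", "install_source": "ad_landing_page",
     "installed": "2026-02-01", "first_beacon": "2026-03-20", "persistence": True},
    {"host": "ws-02", "app": "CalendarPro Lite", "category": "calendar",
     "signer": "Example Signing Org A", "install_source": "ad_landing_page",
     "installed": "2026-02-10", "first_beacon": "2026-02-10", "persistence": True},
    {"host": "ws-03", "app": "Corporate VPN Client", "category": "network",
     "signer": "Managed Vendor Ltd", "install_source": "managed_software",
     "installed": "2026-01-05", "first_beacon": "2026-01-05", "persistence": True},
    {"host": "ws-04", "app": "ZipMaster Free", "category": "archive",
     "signer": "Example Signing Org B", "install_source": "direct_vendor",
     "installed": "2026-03-01", "first_beacon": None, "persistence": False},
]


def parse_date(value):
    """Parse a YYYY-MM-DD string; None stays None (no beacon observed yet)."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def signer_brand_map(inventory):
    """Map each signing organization to the set of brands it signed."""
    brands = defaultdict(set)
    for rec in inventory:
        brands[rec["signer"]].add(rec["app"])
    return brands


def signers_reused_across_brands(inventory):
    """Signing organizations that appear on more than one product brand."""
    return {s: b for s, b in signer_brand_map(inventory).items() if len(b) > 1}


def score_record(rec, signer_brands):
    """Return the list of heuristic findings for one inventory record."""
    findings = []
    if rec["install_source"] in HIGHER_RISK_SOURCES:
        findings.append("ad-sourced install")
    beacon = parse_date(rec["first_beacon"])
    if beacon is not None:
        delay = beacon - parse_date(rec["installed"])
        if delay >= timedelta(days=DORMANCY_DAYS):
            findings.append(f"delayed first beacon ({delay.days} days after install)")
    if len(signer_brands[rec["signer"]]) > 1:
        others = sorted(signer_brands[rec["signer"]] - {rec["app"]})
        findings.append("signer reused across brands: " + ", ".join(others))
    if (rec["category"] in LURE_CATEGORIES and rec["persistence"]
            and rec["install_source"] != "managed_software"):
        findings.append("lure-category utility with persistence")
    return findings


def triage(inventory):
    """Score every record; hosts with an empty list need no follow-up."""
    signer_brands = signer_brand_map(inventory)
    return {rec["host"]: score_record(rec, signer_brands) for rec in inventory}


if __name__ == "__main__":
    for host, findings in triage(INVENTORY).items():
        print(host, "->", findings or "no findings")
```

In this constructed data, ws-01 trips all four heuristics (ad-sourced, a 47-day gap before first beacon, a signer shared with CalendarPro Lite, and persistence from a PDF-tool brand), while the managed VPN client and the direct-vendor archiver produce nothing. In production, the signer map should be built from the full fleet so that certificate reuse across unrelated brands becomes visible, and the beacon timestamps should come from proxy or EDR network telemetry rather than from the inventory itself.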
Related pages
Sources
- Unit 42: https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/