A major malvertising operation known as TamperedChef is tricking users worldwide into installing malware disguised as legitimate software installers. According to Acronis Threat Research Unit (TRU), attackers are deploying fake versions of common tools to establish persistent access and deliver a JavaScript-based backdoor for remote control. The campaign remains active, supported by search engine manipulation, fake ads, and abused digital certificates—all intended to boost credibility and evade security detection.
TamperedChef is linked to a broader threat group called EvilAI, which distributes malware by impersonating artificial intelligence tools and everyday applications. To make their counterfeit installers appear authentic, the threat actors use code-signing certificates tied to shell companies registered in countries such as the U.S., Panama, and Malaysia. Acronis describes the campaign’s infrastructure as industrialized, enabling criminals to consistently acquire new certificates and publish fresh installers that pass as trusted software.
Victims are often targeted while searching online for PDF editors or product manuals, especially on search engines like Bing. Once a malicious installer is opened, it displays a convincing installation process but secretly schedules a task to deploy an obfuscated JavaScript backdoor. The malware communicates with remote servers, exfiltrating machine identifiers and metadata, potentially for financial gain, advertising fraud, or resale to other cybercriminals. Current telemetry shows the largest impact in the U.S., particularly among healthcare, construction, and manufacturing organizations—industries that frequently seek device manuals online, making them prime targets for TamperedChef’s deceptive tactics.
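The persistence step described above, a scheduled task that launches an obfuscated JavaScript backdoor, leaves a footprint a defender can hunt for: a task whose action is a Windows script host pointed at a script in a user-writable directory. The following Python triage routine is an added example written for this page, not Acronis TRU code or anything recovered from the campaign; it parses Task Scheduler XML (the format produced by `schtasks /query /xml`) and flags the combination of traits just described. The two task definitions embedded in it are constructed samples; the paths, task authors and file names are invented for illustration and are not TamperedChef indicators.

```python
"""Triage exported Windows Scheduled Task XML for script-host persistence.

Added illustration for the behaviour described in the article (an installer
that registers a scheduled task to run a JavaScript backdoor). Not Acronis TRU
code; the task XML below is constructed, not a real TamperedChef artifact.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Windows script hosts that rarely belong in a scheduled task action.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_FILE = re.compile(r"\.(?:js|jse|wsf|vbs|vbe|hta)\b", re.IGNORECASE)
# Directories an unprivileged installer can write to; legitimate software
# normally runs its tasks from Program Files or System32.
USER_WRITABLE = re.compile(r"\\(?:users|programdata|temp|public|appdata)\\",
                           re.IGNORECASE)
# //B (batch mode, suppresses error dialogs) and //E (force engine) are
# wscript/cscript switches that hide a script's execution from the user.
WSH_SWITCH = re.compile(r"(?:^|\s)//[BE]\b", re.IGNORECASE)

# Constructed sample: a task of the kind described in the article.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Setup</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\Users\Public\Libraries\viewer.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary vendor updater task, for contrast.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Example Vendor\Updater.exe</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>"""


def exec_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a task."""
    root = ET.fromstring(task_xml)
    for action in root.iter(NS + "Exec"):
        command = (action.findtext(NS + "Command") or "").strip().strip('"')
        arguments = (action.findtext(NS + "Arguments") or "").strip()
        yield command, arguments


def triage_task(task_xml: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for command, arguments in exec_actions(task_xml):
        binary = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        command_line = command + " " + arguments
        if binary in SCRIPT_HOSTS:
            findings.append(f"task action runs script host {binary}")
        if SCRIPT_FILE.search(command_line):
            findings.append("command line references a script file")
        if USER_WRITABLE.search(command_line):
            findings.append("payload lives in a user-writable directory")
        if WSH_SWITCH.search(arguments):
            findings.append("wscript batch/engine switches present")
    return findings


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task(xml) or "no findings")
```

In practice you would feed `triage_task` the output of `schtasks /query /xml` for each task on a host (or the XML files under `C:\Windows\System32\Tasks` collected during an investigation) and review anything that returns more than one finding; a script host alone is not conclusive, but a script host running a `.js` file from a user-writable path with `//B` is exactly the shape of persistence the article describes.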