Heimdal
TamperedChef malware disguised as free productivity software infected 35 endpoints across multiple countries using advanced obfuscation techniques

Heimdal’s Discovery

Heimdal Security’s Managed Extended Detection and Response (MXDR) team has identified 35 confirmed infections linked to a malware campaign dubbed TamperedChef.

The campaign, first observed in late June 2025, spread through a fake PDF editing tool and remained dormant until August 21, when it activated across compromised systems.

“It’s simple,” explains Marian, Heimdal’s threat intel security analyst.

“A user needs a specific tool not available in their standard software suite, like Adobe Pro which requires an expensive license, so they search online for free alternatives.”

This behavior allowed attackers to blend malicious activity with legitimate productivity software use, exploiting everyday user habits.

How the Attack Works

The malware masquerades as AppSuite PDF Editor, a convincing PDF editing tool promoted via Google advertising campaigns and compromised websites.

Heimdal confirmed infections across multiple European organizations, with the fake editor functioning normally for nearly two months before switching into malicious mode.

Research by Truesec supports Heimdal’s findings, showing that the malware’s activation after a 56-day dormancy period mirrors Google’s advertising cycles.

Researchers suggest this timing was deliberate to maximize exposure while minimizing detection risks.

Technical Sophistication

Heimdal telemetry shows the malware’s core component, pdfeditor.js, is heavily obfuscated and was flagged by Heimdal’s NGAV behavioral engine (!msr).

According to Truesec and G DATA, the obfuscation may be AI or LLM generated, producing unique code variants that evade signature-based antivirus solutions.

The malware operates with a multi-component architecture that includes:

  • Registry modifications for persistence
  • Scheduled tasks that maintain backdoor access
  • Command-line arguments enabling different operational modes

Commands such as --install, --fullupdate, and --check allow attackers to create tasks, activate payloads, and contact command servers.

Infrastructure and Distribution

Heimdal’s investigation revealed infections traced back to domains including inst.productivity-tools.ai and vault.appsuites.ai.

Broader infrastructure analysis from Truesec identified more than 40 distribution domains, with professional-sounding names such as:

  • businesspdf.com
  • smarteasypdf.com
  • pdf-tool.appsuites.ai

The malware was also digitally signed. According to Truesec, the signatures came from four suspicious companies in Malaysia:

  • ECHO Infini SDN BHD
  • GLINT By J SDN BHD
  • SUMMIT NEXUS Holdings LLC BHD
  • BYTE Media (also seen signing related Epibrowser malware)

All of these appear to operate AI-generated websites.

On the command-and-control side, Heimdal has tracked activity linked to mka3e8.com.

Expel research also points to 5b7crp.com and y2iax5.com as part of the same infrastructure. Other servers have been reported in community feeds but remain unconfirmed.

Links to Earlier Campaigns

The TamperedChef operation is not isolated. Expel has linked it to earlier unwanted software campaigns including ManualFinder.

Truesec notes overlaps with OneStart Browser and Epibrowser, which used similar infrastructure and digital certificates.

Together, the evidence points to a professional operation with continuity stretching back to at least August 2024.

Detection and Response

Traditional antivirus solutions failed to flag the malware during its dormancy period.

Heimdal’s behavioral detection, however, identified suspicious activity and led to the rapid development of a custom detection rule:

“PDFEditor – Persistence/Update activity detected.”

This rule uncovered additional infections, including dormant installations that had not yet activated.

Impact on Infected Systems

Once active, the malware exfiltrates sensitive data including:

  • Browser-stored credentials
  • Cookies
  • Session tokens

Persistence is maintained through registry keys and scheduled tasks, making removal unreliable without full system reimaging.

Heimdal recommends complete reimaging combined with credential resets for all affected users.

Observed Indicators of Compromise (IoCs)

Security teams can use the following indicators to detect infections related to TamperedChef:

  • Persistence Registry Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDFEditorUpdater
  • Registry Value:
    "C:\Users\[username]\AppData\Local\Programs\PDFEditor\PDF Editor.exe" --cm=--fullupdate
  • Associated File/Installation Paths:
    • C:\Users\[username]\AppData\Local\Programs\PDFEditor\
    • C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PDF Editor.lnk
    • C:\Users\[username]\Desktop\PDF Editor.lnk

Broader Security Implications

The campaign illustrates two converging trends:

  • AI-assisted obfuscation that, according to Truesec and G DATA, enables attackers to rapidly scale malware production
  • Abuse of trusted infrastructure, including certificates, advertising networks, and free software downloads

As Marian notes: “The golden rule in cybersecurity is that if something is free, then you are the product, or at least you will become one.”

Recommendations for Organizations

Heimdal advises organizations to:

  • Scan systems for known indicators of compromise
  • Reimage affected devices and reset credentials
  • Deploy advanced behavioral monitoring tools
  • Restrict installation of unverified software
  • Train employees on the risks of downloading free tools

Attribution note: This article is based on Heimdal MXDR’s direct threat intelligence and detection telemetry, supported by external reporting from Truesec, G DATA, and Expel.
