TamperedChef
TamperedChef, also referred to as EvilAI and in some reporting aligned with BaoLoader naming, is a long-running malware/campaign cluster active since at least early 2023 that uses trojanized productivity software as lures. Reported fake applications include PDF editors, calendar apps, ZIP/compression tools, GIF makers, and utilities such as Calendaromatic, AppSuite PDF Editor, DocuFlex, CrystalPDF, OneZip, PDF-Ezy, RapiDoc, JustAskJacky, GoCookMate, RocketPDFPro, ManualReaderPro, Recipe Lister, and AllManualsReader. The malware is commonly distributed through malvertising, sponsored search results, SEO poisoning, and malicious Google and YouTube ads, often via polished download sites and look-alike domains. Multiple reports state operators used valid code-signing certificates, including EV certificates, obtained through shell companies in countries including the United States, Ukraine, Malaysia, Israel, Panama, the United Kingdom, Estonia, and Singapore, to increase trust and bypass protections such as Windows SmartScreen; some later activity suggests portions of the ecosystem may be moving away from signing.
Across reporting, TamperedChef-style malware typically installs software that appears to function normally, then delays malicious activity for weeks or months to evade detection. Observed behaviors include persistence via scheduled tasks and Run/registry keys, command-and-control beacons, host reconnaissance, encrypted/Base64-encoded JSON metadata exfiltration, retrieval of second-stage payloads, browser hijacking, adware delivery, proxy functionality, remote access Trojan behavior, and information stealing. Specific theft capabilities directly reported include harvesting browser credentials, cookies, session data, and autofill data; some variants also support arbitrary command execution and file-system interaction. In one documented Windows AppSuite PDF campaign beginning in June 2025, victims downloaded Appsuite-PDF.msi from deceptive sites such as fullpdf.com and pdftraining.com; the installer dropped PDFEditorSetup.exe, an obfuscated JavaScript component, and a PDF Editor.exe infostealer, established persistence, and the infostealer activated roughly 56 days later to steal browser credentials, cookies, and autofill data. Acronis also reported installers dropping an XML file that creates a scheduled task to launch an obfuscated JavaScript backdoor over HTTPS.
The activity has been tracked by multiple vendors under clusters including CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110. Unit 42 reported more than 4,000 samples across more than 100 variants and global victimization with no strong sector-specific targeting, though infections were observed broadly in enterprise environments and some reporting noted concentrations in the United States, Germany, the United Kingdom, France, Israel, Spain, India, and Ireland. Industries mentioned as affected include healthcare, construction, and manufacturing, with lures often aimed at users searching for PDF tools or specialized equipment manuals. High-confidence infrastructure and IOC examples mentioned in the content include onezipapp.com, crystalpdf.com, calendaromatic.com, meetrapidocapp.com, visitrapidoc.com, nesefurtherebe.com, fullpdf.com, and pdftraining.com.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Operations attributed to CL-CRI-1089 also include Recipe Lister and Calendaromatic, both of which fall under a broader designation known as TamperedChef (aka EvilAI), an ongoing series of campaigns that involve using trojanized versions of productivity software to deliver potentially unwanted programs (PUPs) and adware.
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
3 techniquesThese campaigns typically employ malicious ads that direct users to sites hosting the applications.
"GPUGate Malware Uses Google Ads"; "TamperedChef ... malvertising tricks"; "Fake ... extensions ... malvertising campaign"; "bypass ... X's malvertising protections"
"Silver Fox... search engine optimization (SEO) poisoning campaign... Teams lures... download a malicious setup file"; "TamperedChef... bogus installers... malvertising"
Execution
2 techniquesImplementing a robust persistence mechanism, almost always through scheduled tasks or registry Run keys
However, TamperedChef-style programs execute commands remotely, exfiltrate users' credentials and deploy malware without consent.
Persistence
3 techniquesImplementing a robust persistence mechanism, almost always through scheduled tasks or registry Run keys
Installing a new adversary-controlled default search engine in the user’s primary browser
Privilege Escalation
2 techniquesStealth
3 techniquesMost of the campaigns we observed used some form of obfuscation or defense evasion techniques for their loader or stealer components.
TamperedChef-style malware is trojanized productivity software, such as PDF editors or calendars, that deliver malicious payloads.
Defense Impairment
2 techniquesInstalling a new adversary-controlled default search engine in the user’s primary browser
One unique attribute of the TamperedChef-style malware is that almost all the first-stage binaries are signed with legitimate code-signing certificates. Attackers used code-signing to add stealth to these payloads.
Credential Access
1 technique“TamperedChef… activating its payload to harvest browser credentials…”
Discovery
2 techniquesInitial information gathering and exfiltration typically occurring on install. This usually involves simple data collection, like system version, hostname and active browsers.
Collection
1 techniqueBoth these methods enable adversaries to control the content searched, ads displayed to victims and, in the case of the browser installation, full control over user cookies and credentials.
Command and Control
3 techniquesThis includes continuous command and control (C2) methods enabling adversaries to retrieve additional payloads, such as information stealers, proxy tooling or remote access Trojans (RATs).
This diversification includes deploying infostealers, establishing residential proxies and exhibiting behavior that resembles access brokers.
Upon activation, they trigger the next stage, which typically involves downloading and executing an additional payload delivered via an upstream API.
Exfiltration
1 techniqueHowever, TamperedChef-style programs execute commands remotely, exfiltrate users' credentials and deploy malware without consent.
IOCs tracked for this family
20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A broader campaign/malware designation covering operations such as Recipe Lister and Calendaromatic. It involves trojanized productivity applications used to deliver PUPs and adware to macOS users.
Malware distributed via trojanized productivity applications such as PDF editors, calendar apps, ZIP tools, and GIF makers. It uses signed apps and legitimate-looking download sites, often delays second-stage execution for weeks, and delivers payloads including adware/browser hijackers, information stealers, remote access trojans, and in some cases proxy-style malware.
Trojanized productivity software family/style that masquerades as legitimate tools such as PDF editors, calendars, ZIP extractors, and converters. It remains dormant for weeks to months, maintains persistence, communicates with C2, and retrieves second-stage payloads including information stealers, proxy tooling, browser hijackers, adware, and RATs.
Malvertising-driven campaign using fake installers to establish persistence and deliver JavaScript malware enabling remote access/control.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.