Calendaromatic
Calendaromatic is a backdoor malware family that masquerades as a legitimate calendar download. It has been distributed via malvertising campaigns and SEO poisoning, and MS-ISAC also lists malvertisement as its observed initial infection vector. Reporting links Calendaromatic to the CL-CRI-1089 cybercrime cluster and to the broader TamperedChef campaign set, also known as EvilAI, which uses trojanized productivity software to deliver potentially unwanted programs (PUPs) and adware. Unit 42 linked Calendaromatic to other CL-CRI-1089 activity, including the Windows malware strain RecipeLister and the macOS FlutterShell/JSCoreRunner/FileRipple activity, based on shared infrastructure, malvertising tradecraft, and related campaign characteristics. The available content does not provide specific Calendaromatic command-and-control domains, hashes, or detailed post-infection functionality beyond its classification as a backdoor and its use of fake calendar-themed software as a lure.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Operations attributed to CL-CRI-1089 also include Recipe Lister and Calendaromatic, both of which fall under a broader designation known as TamperedChef (aka EvilAI), an ongoing series of campaigns that involve using trojanized versions of productivity software to deliver potentially unwanted programs (PUPs) and adware.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 techniqueThese campaigns distribute malicious Google and YouTube advertisements using a network of Google-verified shell companies, with the ads acting as a lure to trick targets into deploying malware that masquerades as legitimate desktop applications.
Execution
2 techniquesHowever, TamperedChef-style programs execute commands remotely, exfiltrate users' credentials and deploy malware without consent.
TamperedChef (aka EvilAI), an ongoing series of campaigns that involve using trojanized versions of productivity software to deliver potentially unwanted programs (PUPs) and adware.
Stealth
2 techniquesMost of the campaigns we observed used some form of obfuscation or defense evasion techniques for their loader or stealer components.
TamperedChef-style malware is trojanized productivity software, such as PDF editors or calendars, that deliver malicious payloads.
Defense Impairment
1 techniqueOne unique attribute of the TamperedChef-style malware is that almost all the first-stage binaries are signed with legitimate code-signing certificates. Attackers used code-signing to add stealth to these payloads.
Collection
1 techniqueUpon installation, FlutterShell fingerprints the machine... Next, the malware targets the Google Chrome “Secure Preferences” file... changing the url and new_tab_url values to the attacker-controlled domain.
Command and Control
2 techniquesWhat makes FlutterShell noteworthy is that it implements a WebView-based architecture that utilizes a JavaScript-to-native bridge, thereby allowing the adversary to host malicious logic on an external website, rather than embedding it into the binary.
Upon activation, they trigger the next stage, which typically involves downloading and executing an additional payload delivered via an upstream API.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware/application family associated with CL-CRI-1089 and the TamperedChef campaign, distributed through trojanized productivity software to deliver PUPs and adware. It shares technical similarities with FlutterShell, especially a WebView-based code architecture enabling dynamic payload changes.
A Windows malware strain in the CL-CRI-1089 cluster distributed via malvertising. It shares technical similarities with FlutterShell, including WebView-based architecture for dynamic payload changes, and performs browser hijacking via similarly structured ad-filled redirect sites.
Backdoor masquerading as a legitimate calendar download; distributed via malvertising and SEO poisoning and tied to the TamperedChef malvertising campaign (per MalwareBazaar).
Backdoor distributed via malvertising and SEO poisoning, masquerading as a legitimate calendar download; tied to the TamperedChef malvertising campaign per MalwareBazaar research.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.