The National Computer Emergency Response Team (NCERT) has released a high-priority advisory warning organizations and users about a new malware campaign that disguises itself as a legitimate PDF editing application. The threat, identified as TamperedChef, is being distributed through a trojanized version of AppSuite PDF Editor that has been circulating online since August 21, 2025. According to NCERT, this malware uses remote JavaScript-based update mechanisms, enabling cybercriminals to steal data, establish command-and-control (C2) links, and deploy secondary payloads such as spyware and ransomware across infected systems.
The campaign relies heavily on social engineering techniques to deceive victims into downloading the compromised installer from phishing emails, cracked software bundles, and malicious advertisements. Once executed, TamperedChef silently infiltrates the system, capturing credentials, browser cookies, and sensitive documents. It can also alter Windows registry settings to maintain persistence and evade detection. NCERT has classified this threat as high-risk, particularly for enterprise and government networks, since it can serve as an initial access point for advanced persistent threat (APT) groups, paving the way for data breaches, lateral movement, and large-scale intrusions.
Investigations by NCERT have revealed that the malware primarily targets Windows-based systems, with unpatched or poorly protected devices at the highest risk. The infected machines communicate with malicious domains such as editor-update[.]com and pdfsuite-sync[.]net, which serve as C2 servers controlling compromised hosts. The agency noted that the infection could result in significant confidentiality and availability issues, including unauthorized modification of PDF files, data exfiltration, and potential deployment of ransomware that disrupts operations. Common signs of infection include unexplained changes in PDF documents, browser instability, and intermittent encrypted data transfers to unknown servers.
NCERT’s advisory provided a detailed list of Indicators of Compromise (IOCs) and Indicators of Attack (IOAs) to help system administrators detect and contain the threat. It recommended that organizations monitor unusual file activity in AppData directories, inspect unauthorized registry entries, and identify network connections to suspicious IP addresses such as 185.92.223[.]14 and 103.89.77[.]6. The agency further advised immediate containment actions, including blocking identified IOCs at firewalls and intrusion prevention systems, restricting unauthorized program execution through AppLocker or Group Policy, and applying all critical system and library updates.
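As an added defender-side illustration (not code from NCERT or the advisory), the following script shows how the network indicators quoted above can be matched against DNS and connection logs: the IOCs are kept defanged and refanged only for matching, subdomains of the listed domains are caught, and the sample log lines are constructed for this example in an assumed key=value format.

```python
import ipaddress
import re

# Network indicators quoted in the NCERT advisory as reported above, stored defanged.
TAMPEREDCHEF_IOCS = {
    "domains": {"editor-update[.]com", "pdfsuite-sync[.]net"},
    "ips": {"185.92.223[.]14", "103.89.77[.]6"},
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a value that can be matched."""
    return indicator.replace("[.]", ".")

# Assumed log format for this example: whitespace-separated key=value pairs.
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> dict:
    return dict(KV_RE.findall(line))

def match_iocs(lines, iocs=TAMPEREDCHEF_IOCS) -> list:
    """Return (timestamp, kind, value) for every log line touching a listed IOC."""
    domains = {refang(d) for d in iocs["domains"]}
    ips = {ipaddress.ip_address(refang(i)) for i in iocs["ips"]}
    hits = []
    for line in lines:
        rec = parse_line(line)
        # DNS queries may be mixed case or carry a trailing dot; normalise before matching.
        host = rec.get("query", rec.get("host", "")).lower().rstrip(".")
        if host and any(host == d or host.endswith("." + d) for d in domains):
            hits.append((rec.get("ts"), "domain", host))
        dst = rec.get("dst")
        try:
            if dst and ipaddress.ip_address(dst) in ips:
                hits.append((rec.get("ts"), "ip", dst))
        except ValueError:
            pass  # dst was not an IP address; ignore the field
    return hits

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOGS = [
    "ts=2025-09-01T10:00:01Z type=dns src=10.0.0.5 query=www.example.com",
    "ts=2025-09-01T10:00:02Z type=dns src=10.0.0.5 query=cdn.editor-update.com.",
    "ts=2025-09-01T10:00:03Z type=conn src=10.0.0.5 dst=185.92.223.14 dport=443",
    "ts=2025-09-01T10:00:04Z type=conn src=10.0.0.5 dst=93.184.216.34 dport=443",
    "ts=2025-09-01T10:00:05Z type=dns src=10.0.0.7 query=PDFSUITE-SYNC.NET",
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(hit)
```

The same matcher can be pointed at exported firewall or resolver logs once they are converted to the key=value shape, or the parser swapped for the site's own log format.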
To reduce exposure, NCERT urged entities to strengthen their cybersecurity posture by implementing multi-factor authentication (MFA), conducting regular phishing awareness sessions, and ensuring all endpoint protection tools are up to date. System administrators were also advised to isolate compromised devices, reset affected credentials, and share relevant indicators with trusted cybersecurity networks to limit the spread of infections. The team emphasized that early detection and coordinated response are essential to minimizing the impact of the TamperedChef campaign, which continues to spread rapidly through phishing and malvertising channels targeting both public and private sector networks.