{
	"id": "57deb1ac-1df0-42d0-bdae-369b8015fff9",
	"created_at": "2026-04-06T00:11:32.807547Z",
	"updated_at": "2026-04-10T03:21:54.36005Z",
	"deleted_at": null,
	"sha1_hash": "45fa33dccdbe7cbf17a92f1ed6d68b25860026d5",
	"title": "Malicious Appsuite PDF Editor Spreads Tamperedchef Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6085246,
	"plain_text": "Malicious Appsuite PDF Editor Spreads Tamperedchef Malware\r\nBy Simon Hertzberg\r\nPublished: 2025-08-27 · Archived: 2026-04-05 20:10:58 UTC\r\nThreat Insight\r\nTruesec has observed what appears to be a large cybercrime campaign, involving multiple fraudulent\r\nwebsites promoted through a Google advertising campaign. The objective is to lure victims into downloading and\r\ninstalling a trojanized PDF editor, which includes an information-stealing malware dubbed TamperedChef. The\r\nmalware is designed to harvest sensitive data, including credentials and web cookies.\r\nAppSuite PDF Editor\r\nTruesec has observed what appears to be a large campaign aiming to spread the use of a malicious PDF editor. The\r\ncampaign involved multiple sites promoting a free PDF editor called “AppSuite PDF Editor”. This activity overlaps\r\nwith the findings reported by researchers at Expel.\r\nThe file PDF Editor was heavily obfuscated, and the malicious code might have been generated by AI/LLM.\r\nThe installed file, PDF Editor.exe, had the following properties:\r\nFilename: PDF Editor.exe\r\nMD5: 6fd6c053f8fcf345efaa04f16ac0bffe\r\nSHA1: 2ecd25269173890e04fe00ea23a585e4f0a206ad\r\nSHA256: cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c\r\nWhen the user executes the installation file, a EULA prompt is shown first.\r\nhttps://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor\r\nPage 1 of 19\n\nIt then makes an HTTP GET request to the following URL to signal that the installation has started:\r\nhxxp[://]inst[.]productivity-tools[.]ai/status/InstallStart?v=1[.]0[.]28[.]0\u0026p=PDFEditor\u0026code=EN-US\r\nIt then downloads the executable, the program that later turns into malware, from the following\r\nURL: hxxp[://]vault[.]appsuites[.]ai/AppSuites-PDF-1[.]0[.]28[.]exe\r\nWhen the installation is complete it makes two additional GET requests to confirm that all is 
set.\r\nhxxp[://]inst[.]productivity-tools[.]ai/status/Download%20Complete?v=1[.]0[.]28[.]0\u0026p=PDFEditor\u0026code=\r\nhxxp[://]inst[.]productivity-tools[.]ai/status/InstallDownloadComplete?v=1[.]0[.]28[.]0\u0026p=PDFEditor\u0026code\r\nThe following installation flow was also recorded in a network capture.\r\nThe Setup also adds a registry key for persistence that is executed on start-up. It contains a --cm argument that\r\ngives the executable instructions on how to behave.\r\nInternet records suggest that this campaign began on June 26, 2025, when a lot of the sites linked to the\r\ncampaign were either first registered or first known to have promoted the AppSuites PDF Editor.\r\nAt first the PDF editor appears to have behaved mostly harmlessly, but the code included instructions to regularly\r\ncheck back for potential updates in a .js file that includes the --cm arguments.\r\nRecords show that PDF Editor was first submitted to VirusTotal on May 15th.\r\nFrom August 21, 2025, machines that called back received instructions that activated the malicious capabilities, an\r\ninformation stealer, referred to as “Tamperedchef”.\r\nWhen these malicious capabilities are activated, the following registry key is added:\r\nComputer\\HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\PDFEditorUpdater\r\nWith the arguments PDF Editor.exe --cm=--fullupdate\r\nWhen the argument --fullupdate is set, the executable loads an obfuscated file that is downloaded into\r\n/resources/app/w-electron/bun/releases/pdfeditor.js\r\nThe --cm option accepts the following arguments:\r\n--install\r\n--enableupdate\r\n--disableupdate\r\n--fullupdate\r\n--partialupdate\r\n--backupupdate\r\n--check\r\n--ping\r\n--reboot\r\nWhen initialized, Tamperedchef starts to query the web browsers database using 
DPAPI.\r\nUpon starting, it queries the system for different security products.\r\nThen it terminates different browsers, likely to gain access to data within them that is locked while they are running.\r\nData traffic with the sites that distribute AppSuites PDF Editor includes referrers to Google Ads campaign codes,\r\nsuggesting that the threat actor behind this campaign used Google advertising to promote this PDF editor. Truesec\r\nhas observed at least 5 different Google campaign IDs, which suggests a widespread campaign. The time from the\r\nstart of the campaign until the malicious update was also 56 days, which is close to the 60-day length of a typical\r\nGoogle advertising campaign, suggesting the threat actor let the ad campaign run its course, maximizing\r\ndownloads, before activating the malicious features.\r\nBad certificates\r\nThe threat actor has had different versions of the Appsuite PDF-editor app signed by certificates from at least\r\nfour different companies. The companies are:\r\nECHO Infini SDN BHD\r\nGLINT By J SDN. 
BHD\r\nSUMMIT NEXUS Holdings LLC, BHD\r\nBelow is the digital certificate of ECHO Infini:\r\nThe web page of ECHO Infini SDN appears highly generic and possibly AI generated.\r\nSearching for more information regarding the company reveals that there are several companies located at the\r\nsame address.\r\nThe information on their website also says that they all work with digital transformation.\r\nDigital certificates for the company BYTE Media have also been used to sign malware, though a different one, called\r\nEpibrowser.\r\nVirustotal\r\nFurther investigation has revealed that the threat actor behind this campaign has been active at least as early as\r\nAugust 2024, and possibly earlier, promoting a plethora of tools including the OneStart and Epibrowser browsers,\r\nboth of which have been distributed as potentially unwanted programs (PUPs) in code bundles.\r\nSamples of the OneStart browser have also contacted the same C2 domains as the Tamperedchef malware\r\nassociated with the AppSuites PDF-editor, suggesting it exhibits malicious behaviour too.\r\nOther binaries\r\nIn several cases we have observed a file called elevate.exe being installed together with the PDF Editor bundle.\r\nThis file is also signed by Echo Infini, but looking at the company name, this file was created by Johannes Passing.\r\nElevate is an open source project that can be used to give a program higher 
privileges upon running, but it has\r\nbeen recompiled and digitally signed.\r\nCompared to the open source version it is identical and has the same functionality.\r\nWe have not seen any sign that Elevate has been executed, so it might be a file that is dropped to be used at a later\r\nstage for privilege escalation.\r\nSummary\r\nThe threat actor behind this malicious activity apparently has a long record of distributing malicious code\r\ndisguised as free utility tools. Our findings suggest, however, that the threat actor may have elevated this activity\r\nwith the latest ad campaign.\r\nWe have observed several organizations in Europe being affected as employees have downloaded the malicious\r\napp, suggesting this latest campaign has been highly successful in tricking individuals into downloading the app.\r\nThis activity highlights the importance of vetting any software introduced into your environment. Seemingly\r\nharmless utility tools from unknown sources can overnight transform into a security nightmare.\r\nWhen alerted about this activity, Google has apparently been very helpful, so we encourage anyone to report\r\nsimilar activity to both their local CERT and to Google, if and when such activity is observed in the future.\r\nDetection and prevention of weaponized software\r\nWhen creating a detection, the Truesec Detection Engineering strategy revolves around the TTP layer, avoiding\r\nstatic patterns and IOCs whenever possible. 
\r\nThis ensures that instead of detecting a specific attack that might change its static values at any time, our\r\nDetections trigger on holistic behaviors.\r\nIn this case we’ll try to break down the software into Points of Detection by considering what telemetry is\r\navailable and the signal value of said telemetry.\r\nThe first clearly detectable event from an EDR perspective comes when the software adds a registry key for\r\npersistence, the purpose of which is to execute a command on startup indicating that the software is checking for\r\nupdates.\r\nThis is not entirely uncommon among PUAs (Potentially Unwanted Applications) and similar software and will\r\nlikely be difficult to alert on without creating too much noise, likely drowning out any True Positives and creating\r\nalert fatigue for any analysts investigating such alerts.\r\nAs such, the Signal Value of these events is low and they can likely not be used without further context. The\r\nRegistryKey Value Data might, however, indicate an execution from an unprotected folder, which is of\r\nmore interest as a starting block for building a solid foundation of a detection rule.\r\nSimilar behavior, with PUAs adding scheduled tasks relating to their own execution, is not entirely uncommon\r\neither and would likely produce similar alert fatigue, and therefore serves no purpose as a standalone\r\nindicator.\r\nThe second identified Point of Detection, where signal value is high, comes at the point where the software is\r\nweaponized. At this stage the software touches the web data and kills the browsers for further enumeration. While\r\nthe signal value of these events is high, telemetry relating to File Reads is often lacking, and the attack is\r\nalready underway. 
\r\nWith this in mind there are detections that might be employed at the earlier stages, when the malware (at this stage\r\nidentified as PUA) is establishing persistence, by querying for Registry keys under */Run with a value pointing\r\ntowards *:/Users/* and similar unprotected folders, but this does require a certain control of the environment in\r\norder to strengthen the Signal Value of the detection and mitigate the risk of alert fatigue.\r\nAt this point we’ve established that creating detections for weaponized malware utilizing the telemetry available\r\nto most EDRs will be difficult on its own, so what measures can be taken to enable these types of detection so as to\r\nprevent similar attacks in the future?\r\nA few key prevention tools come to mind off the bat: AppLocker and AdBlockers.\r\nAppLocker and similar solutions are key to gaining control of your organization’s endpoints and create an\r\nenvironment where it’s easily discernible what applications are supposed to exist where, which in turn enables\r\ndetections as described above. 
\r\nAdBlockers on the other hand will help mitigate the rising threat of malicious ads, an attack vector that Truesec\r\nDetect has seen being employed increasingly during the last few years.\r\nWith these measures in place the Signal Value of the Detection Points described above is greatly increased,\r\nenabling detections that more easily stops evasive threats such as the trojanized software of TamperedChef.\r\nThe file hashes are not all inclusive and new versions of PDF Editor appears continuously.\r\nIOC\r\nHosting Domains\r\nC2 Domains\r\ny2iax5[.]com\r\nabf26u[.]com\r\nmka3e8[.]com\r\n5b7crp[.]com\r\nSHA256\r\nEdit 1, 2025-08-29, added recommendations for detecting and preventing weaponized software.\r\nSource: https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor"
	],
	"report_names": [
		"tamperedchef-the-bad-pdf-editor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434292,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45fa33dccdbe7cbf17a92f1ed6d68b25860026d5.pdf",
		"text": "https://archive.orkl.eu/45fa33dccdbe7cbf17a92f1ed6d68b25860026d5.txt",
		"img": "https://archive.orkl.eu/45fa33dccdbe7cbf17a92f1ed6d68b25860026d5.jpg"
	}
}