{
	"id": "33a9306f-bf6f-45f5-ac16-d577de217d9e",
	"created_at": "2026-04-06T01:29:13.002753Z",
	"updated_at": "2026-04-10T03:21:21.180157Z",
	"deleted_at": null,
	"sha1_hash": "47622096847fa072deec307c90e0f374951dd8d0",
	"title": "Hunting For TamperedChef Infostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 805733,
	"plain_text": "Hunting For TamperedChef Infostealer\r\nBy Ameer Mane\r\nSource: https://medium.com/@Mr.AnyThink/hunting-for-tamperedchef-infostealer-825dc94cee00\r\nPublished: 2025-09-21 · Archived: 2026-04-06 01:03:40 UTC\r\nWhat if that innocent-looking “free PDF editor” you downloaded wasn’t really what it claimed to be? What if, weeks later, it quietly reached back to the attacker, stole your passwords, and set up camp on your system?\r\nThat’s the story of TamperedChef — a recently observed infostealer that dresses up as helpful software, only to reveal its true colors later.\r\nSecurity researchers found TamperedChef bundled in malicious installers (such as fake PDF editors) and spread through malvertising campaigns and poisoned download sites. The clever twist: it often sleeps for weeks before going live, which lets it spread silently and activate when no one is watching.\r\nIn further investigation, I observed that it’s not limited to PDF tools, but extended to applications such as: totalusermanuals, manualreaderpro, allmanualsreader, justaskjacky, AllManualsReader, etc.\r\nHow Does It Work?\r\nTamperedChef is delivered via user-initiated downloads. It comes bundled with seemingly legitimate software such as PDF editors or manual readers.\r\nOnce executed, it silently triggers Node.js (node.exe) via the Windows command line. 
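The cmd.exe to node.exe to GUID-named .js launch chain this section describes, together with the scheduled-task persistence, security-software registry queries, browser termination and api.[random18].com C2 pattern covered later in the post, can be turned into offline hunting logic. The Python below is an added example, not code from the post or from TamperedChef itself: it applies the post's hunting rules to a handful of constructed Sysmon-style process-creation events (event ID 1) and proxy URLs. The field names (image, parent_image, command_line), the user name alice and the task-name suffix 3f2a are assumptions for the sample data, not observed values; the paths, task name, registry keys and C2 label are taken from the post.

```python
"""Offline hunt for the TamperedChef tradecraft described in the post.

Added example, not the post author's code. It applies the post's hunting
rules to a few CONSTRUCTED Sysmon-style process-creation events (event ID 1)
and proxy URLs. The field names, the user name 'alice' and the task suffix
'3f2a' are assumptions, not observed values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# GUID-named .js payload, as in the post's command lines (8-4-4-4-12 hex).
GUID_JS = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.js", re.I)
# Registry markers taken from the post's reg query list and its hunting query 2.
AV_MARKERS = ("kasperskylabsetup", "bitdefender", "cryptography", "antivirus",
              "zillya", "fortinet", "checkpoint", "g data")
BROWSERS = ("chrome.exe", "msedge.exe")


@dataclass
class ProcEvent:
    image: str          # process image path
    parent_image: str   # parent process image path
    command_line: str   # full command line


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcEvent) -> List[str]:
    """Return the names of every TamperedChef hunting rule the event trips."""
    cl = ev.command_line.lower()
    hits: List[str] = []
    # Launcher: cmd.exe /C start "" /min ... GUID.js (post's hunting query 1).
    if _base(ev.image) == "cmd.exe" and "start" in cl and "/min" in cl and GUID_JS.search(cl):
        hits.append("cmd_start_min_js")
    # Child: node.exe spawned by cmd.exe with a GUID-named .js argument.
    if _base(ev.image) == "node.exe" and _base(ev.parent_image) == "cmd.exe" and GUID_JS.search(cl):
        hits.append("node_guid_js")
    # Persistence: schtasks /Create with the post's task name or a GUID.js action.
    if "schtasks" in cl and "/create" in cl and (
            "sys_component_health_" in cl or GUID_JS.search(cl)):
        hits.append("schtasks_persistence")
    # Discovery: reg query against security-software keys (post's hunting query 2).
    if "reg query" in cl and any(m in cl for m in AV_MARKERS):
        hits.append("av_registry_discovery")
    # Discovery: WMI check for running browsers.
    if "get-wmiobject win32_process" in cl and any(b in cl for b in BROWSERS):
        hits.append("browser_process_recon")
    # Credential-access prep: taskkill against browsers (post's hunting query 3).
    if "taskkill" in cl and any(b in cl for b in BROWSERS):
        hits.append("browser_kill")
    return hits


def suspicious_c2_label(url: str) -> Optional[str]:
    """Post's KQL rule: host is api.<18 alphanumerics>.com and the label has a digit."""
    host = urlsplit(url).hostname or ""
    m = re.fullmatch(r"api\.([a-z0-9]{18})\.com", host, re.I)
    if m and re.search(r"\d", m.group(1)):
        return m.group(1).lower()
    return None


def c2_hits(urls: List[str]) -> List[Tuple[str, str]]:
    """(url, label) for every URL whose host matches the C2 pattern."""
    return [(u, label) for u in urls if (label := suspicious_c2_label(u))]


def hunt(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> rules hit, for events that hit at least one rule."""
    return {i: r for i, ev in enumerate(events) if (r := match_rules(ev))}


# ---- constructed sample data (paths follow the post; 'alice' and '3f2a' are made up) ----
APP_DIR = r"C:\Users\alice\AppData\Local\Programs\AllManualsReader"
NODE = APP_DIR + r"\node\node.exe"
PAYLOAD = APP_DIR + r"\2d4d7602-8032-4207-a03f-be08e68d1094.js"
CMD = r"C:\Windows\System32\cmd.exe"

SAMPLE_EVENTS = [
    ProcEvent(CMD, APP_DIR + r"\AllManualsReader.exe",
              f'"{CMD}" /C start "" /min "{NODE}" "{PAYLOAD}"'),
    ProcEvent(NODE, CMD, f'"{NODE}" "{PAYLOAD}"'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", CMD,
              r'schtasks /Create /TN "sys_component_health_3f2a" /TR "\"C:\Windows\system32\cmd.exe\" '
              r'/c start \"\" /min \"%LOCALAPPDATA%\Programs\AllManualsReader\2d4d7602-8032-4207-a03f-be08e68d1094.js\"" '
              r'/SC DAILY /ST 10:51 /RI 240 /DU 24:00 /F'),
    ProcEvent(r"C:\Windows\System32\reg.exe", CMD, r'reg query "hkcu\software\kasperskylabsetup"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", CMD,
              "powershell.exe \"Get-WmiObject Win32_Process | Where-Object { $_.Name -eq 'chrome.exe' }\""),
    ProcEvent(r"C:\Windows\System32\taskkill.exe", CMD, "taskkill /F /IM msedge.exe"),
    # Benign controls that must stay quiet: a developer's node script, an ordinary reg query.
    ProcEvent(r"C:\Program Files\nodejs\node.exe", r"C:\Program Files\Microsoft VS Code\Code.exe",
              r'"C:\Program Files\nodejs\node.exe" build.js'),
    ProcEvent(r"C:\Windows\System32\reg.exe", CMD,
              r'reg query "hklm\software\microsoft\windows nt\currentversion" /v ProductName'),
]

SAMPLE_URLS = [
    "https://api.cjby76nlcynrc4jvrb.com:8080/v1/report",  # label from the post's IoC list
    "https://api.github.com/repos",                       # benign: label too short
    "https://api.abcdefghijklmnopqr.com/",                # 18 letters but no digit: dropped
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}  <- {SAMPLE_EVENTS[idx].command_line[:70]}")
    for url, label in c2_hits(SAMPLE_URLS):
        print(f"C2 candidate: {url}  (label {label})")
```

The two benign control events are the point of keying the node.exe rule on a GUID-named .js argument and a cmd.exe parent rather than on node.exe alone: developer workstations run node.exe all day, and a bare "node.exe" rule would drown the real hits.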
Node.js executes a JavaScript payload dropped next to the bundled runtime in the application’s own install directory (under %LOCALAPPDATA%\\Programs in the sample below, not in %TEMP%):\r\n\"C:\\Windows\\System32\\cmd.exe\" /C start \"\" /min \"C:\\Users\\\u003cuser_name\u003e\\AppData\\Local\\Programs\\AllManualsReader\\node\\node.exe\" \"C:\\Users\\\u003cuser_name\u003e\\AppData\\Local\\Programs\\AllManualsReader\\2d4d7602-8032-4207-a03f-be08e68d1094.js\"\r\nBreaking it Down\r\ncmd.exe /C start \"\" /min – launches the next program in a minimized window (the empty quoted string is the window title that start expects), so nothing is visible to the user.\r\nnode.exe – the Node.js runtime shipped inside the application’s install directory executes the JavaScript payload; no system-wide Node.js installation is required.\r\nPayload Location – the GUID-named .js file in that same install directory contains the routines that harvest data and communicate with the attacker.\r\nPayload Naming Convention\r\nTypically named with a GUID suffix ending with “or”, “ro”, or “of”.\r\nConsistently observed in internal investigations and public malware samples, making it a useful hunting indicator. Note that the sample command line above uses a bare GUID.js, so hunt on the GUID filename pattern as a whole rather than on the suffix alone.\r\nPersistence\r\nTamperedChef creates a scheduled task to remain active across reboots:\r\nC:\\windows\\system32\\cmd.exe /d /s /c \"schtasks /Create /TN \"sys_component_health_{UID}\" /TR \"\\\"C:\\Windows\\system32\\cmd.exe\\\" /c start \\\"\\\" /min \\\"%^LOCALAPPDATA^%\\Programs\\AllManualsReader\\2d4d7602-8032-4207-a03f-be08e68d1094.js\\\"\" /SC DAILY /ST 10:51 /RI 240 /DU 24:00 /F\"\r\nBreaking it down:\r\ncmd.exe /d /s /c – the outer cmd.exe skips AutoRun (/d), controls how the quoted command string after /c is parsed (/s) and exits once schtasks returns (/c).\r\n/TN \"sys_component_health_{UID}\" – a legitimate-sounding task name; {UID} stands for a per-install value.\r\n/TR – the task action. As captured here it is cmd.exe starting the GUID-named .js minimized, without naming node.exe, so it runs under whatever handler is registered for .js files on that host. The carets in %^LOCALAPPDATA^% stop cmd from expanding the variable when the task is created, so the literal %LOCALAPPDATA% is stored in the task and resolved each time it runs.\r\n/SC DAILY /ST 10:51 /RI 240 /DU 24:00 – starts daily at 10:51 and repeats every 240 minutes for a 24-hour window, i.e. roughly every four hours around the clock.\r\n/F – creates the task forcibly, overwriting any existing task with the same name.\r\nThis gives TamperedChef stealthy persistence and a regular schedule for long-term data exfiltration.\r\nReconnaissance\r\nTamperedChef actively surveys the system to identify browsers and security software.\r\n1. WMI for Process Enumeration\r\nThe malware uses Windows Management Instrumentation (WMI) through PowerShell to check whether browsers such as Chrome or Edge are running:\r\nC:\\windows\\system32\\cmd.exe /d /s /c \"powershell.exe \"Get-WmiObject Win32_Process | Where-Object { $_.Name -eq 'chrome.exe' }\"\"\r\nC:\\windows\\system32\\cmd.exe /d /s /c \"powershell.exe \"Get-WmiObject Win32_Process | Where-Object { $_.Name -eq 'msedge.exe' }\"\"\r\nKnowing which browsers are running tells it which profile databases are currently locked and which sessions are live before it goes after credentials.\r\n2. Software Enumeration via Registry\r\nIt queries the registry to enumerate installed security and antivirus software, typically looking for uninstall strings or configuration keys:\r\nreg query \"hkcu\\software\\microsoft\\windows\\currentversion\\uninstall\\episoftware epibrowser\" /v \"uninstallstring\"\r\nreg query \"hkcu\\software\\zillya\\zillya antivirus\"\r\nreg query \"hkcu\\software\\kasperskylabsetup\"\r\nreg query \"hklm\\software\\fortinet\"\r\nreg query \"hkcu\\software\\checkpoint\\zang\"\r\nreg query \"hklm\\software\\classes\\g data antivirus\"\r\nreg query \"hklm\\software\\wow6432node\\microsoft\\windows\\currentversion\\uninstall\\g data antivirus\" /v \"uninstallstring\"\r\nreg query \"hklm\\software\\wow6432node\\microsoft\\windows\\currentversion\\uninstall\\{4073cd02-7996-48d7-b68e-297676c27ca6}\" /v \"uninstallstring\"\r\nreg query \"hklm\\software\\wow6432node\\microsoft\\windows\\currentversion\\uninstall\\rec\" /v \"uninstallstring\"\r\nreg query \"hklm\\software\\microsoft\\windows\\currentversion\\uninstall\\bitdefender\" /v \"uninstallstring\"\r\nreg query \"hklm\\software\\microsoft\\windows\\currentversion\\run\\bitdefender\" /v \"uninstallstring\"\r\nreg query \"hklm\\software\\microsoft\\windows\\currentversion\\uninstall\\{96a251bd-7532-4cf9-b87d-158fc685dbc4}\" /v \"uninstallstring\"\r\nBy gathering this information, TamperedChef maps the security products present on the host. The queries shown only read keys and uninstall strings, and no tampering with those products is shown, so treat this as discovery that lets the malware decide how to behave rather than as defense impairment.\r\nCredential Harvesting\r\nTargets include:\r\nBrowser SQLite databases — Login Data and Web Data from Chrome and Edge.\r\nWindows DPAPI secrets — the browser’s encryption key and other per-user DPAPI blobs are protected for the logged-on user, so code running in that user’s context can unprotect them without any extra privilege.\r\nLocal password managers — any stored credentials accessible from the user context.\r\nTo get at database files a running browser holds open, the malware may forcibly terminate browser processes:\r\ntaskkill /F /IM msedge.exe\r\ntaskkill /IM msedge.exe\r\ntaskkill /F /IM chrome.exe\r\ntaskkill /IM chrome.exe\r\nFile Duplication for Credential Extraction:\r\nCopies of key browser files are created with \"Sync\" appended to the name:\r\nC:\\Users\\\u003cuser_name\u003e\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Web Data Sync\r\nC:\\Users\\\u003cuser_name\u003e\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Preferences Sync\r\nC:\\Users\\\u003cuser_name\u003e\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences Sync\r\nReading from a copy sidesteps file locks and leaves the originals untouched, so the user notices nothing. A file named like a profile database with \" Sync\" appended, sitting in the profile directory, is itself a cheap file-creation indicator.\r\nCommand \u0026 Control (C2)\r\nTamperedChef communicates with attacker-controlled servers:\r\nDomains: api.[random18].com, where [random18] is an 18-character alphanumeric label (see the IoCs below).\r\nPorts: 8080 and 443. Port 443 is ordinary HTTPS and blends in with normal traffic, so the port alone is not a signal; the random 18-character label is the stronger indicator, and 8080 is worth a look on hosts that have no reason to use it.\r\nThis channel delivers harvested credentials and may receive updated payloads or instructions.\r\nMITRE ATT\u0026CK Mapping\r\nExecution: T1059 — Command and Scripting Interpreter (T1059.007 JavaScript via the bundled node.exe; T1059.001 PowerShell for the WMI checks), T1047 — Windows Management Instrumentation\r\nCredential Access: T1555 — Credentials from Password Stores (T1555.003 Credentials from Web Browsers), T1003 — OS Credential Dumping\r\nDefense Evasion: T1218 — System Binary Proxy Execution (formerly “Signed Binary Proxy Execution”; note that node.exe here is a bundled third-party runtime rather than an OS binary), T1036 — Masquerading\r\nPersistence: T1053 — Scheduled Task/Job (T1053.005 Scheduled Task)\r\nDiscovery: T1082 — System Information Discovery, T1012 — Query Registry, T1057 — Process Discovery, T1518.001 — Security Software Discovery\r\nHunting Queries\r\n1. Execution of JavaScript through node.exe launched by cmd.exe (Sysmon event ID 1):\r\nprocessCmd:node.exe AND eventId:1 AND processCmd:cmd.exe AND processCmd:start\r\n2. Registry enumeration of security software:\r\ncommandline:\"*reg query*\" AND commandline:(\"*kasperskylabsetup*\" OR \"*bitdefender*\" OR \"*cryptography*\" OR \"*antivirus*\")\r\n3. Browser termination:\r\ncommandline:\"*taskkill*\" AND commandline:(\"*msedge.exe*\" OR \"*chrome.exe*\")\r\n4. File access: creation of copies of Web Data, Login Data or Preferences with \" Sync\" appended in the browser profile directory.\r\n5. Outbound traffic to the api.[random18].com pattern (KQL; adjust the logs table and url column to your own schema):\r\nlogs\r\n| where tostring(url) matches regex @\"api\\.[a-zA-Z0-9]{18}\\.com\"\r\n| extend Domain = extract(@\"api\\.([a-zA-Z0-9]{18})\\.com\", 1, tostring(url))\r\n| where Domain matches regex @\".*\\d.*\"\r\n| project tostring(url)\r\nThe last filter keeps only labels that contain at least one digit, which drops 18-letter dictionary-style subdomains that would otherwise match.\r\nIoCs:\r\nC2 Domains:\r\napi[.]cjby76nlcynrc4jvrb[.]com\r\napi[.]j6vmldsufhwx8zn69z[.]com\r\napi[.]k2ioeasm874fnacr9x[.]com\r\napi[.]pyej17uw09d1bqlndg[.]com\r\napi[.]vtqgo0729ilnmyxs9q[.]com\r\nReferences:\r\nSource: https://medium.com/@Mr.AnyThink/hunting-for-tamperedchef-infostealer-825dc94cee00",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@Mr.AnyThink/hunting-for-tamperedchef-infostealer-825dc94cee00"
	],
	"report_names": [
		"hunting-for-tamperedchef-infostealer-825dc94cee00"
	],
	"threat_actors": [],
	"ts_created_at": 1775438953,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47622096847fa072deec307c90e0f374951dd8d0.pdf",
		"text": "https://archive.orkl.eu/47622096847fa072deec307c90e0f374951dd8d0.txt",
		"img": "https://archive.orkl.eu/47622096847fa072deec307c90e0f374951dd8d0.jpg"
	}
}