TamperedChef Malware: Global Malvertising Campaign Explained

In this video, we dive deep into the ongoing global malvertising campaign known as TamperedChef, which has been exploiting fake software installers to spread malware. Published on November 20, 2025, this report from Acronis Threat Research Unit reveals how threat actors are using social engineering tactics to trick users into downloading malicious software disguised as legitimate applications. We'll explore the methods employed by these cybercriminals, the industries most affected, and what organizations and individuals can do to protect themselves.

What you’ll learn:
The mechanics of the TamperedChef malware campaign and how it operates.
The sectors that are most vulnerable and the potential consequences of these attacks.
Practical steps that organizations can take to safeguard against such threats.

The TamperedChef campaign leverages bogus software installers that masquerade as popular applications, aiming to establish persistence on infected systems. The primary goal is to deliver JavaScript malware that enables remote access and control. This campaign is part of a broader set of attacks codenamed EvilAI, which uses artificial intelligence-related lures for malware propagation.

Researchers from Acronis have identified that the attackers employ social engineering tactics, utilizing everyday application names and malvertising techniques to increase user trust. They also abuse digital certificates issued for shell companies in various countries, including the U.S., Panama, and Malaysia, to lend legitimacy to their counterfeit applications. This industrialized approach allows them to continuously produce new certificates and evade security detection.

The malware identified as TamperedChef, also known as BaoLoader by some cybersecurity firms, is designed to steal information and potentially facilitate advertising fraud. The campaign has shown a significant concentration of infections in the U.S., with other affected regions including Israel, Spain, Germany, India, and Ireland. Industries such as healthcare, construction, and manufacturing are particularly vulnerable due to their reliance on specialized equipment, which often leads users to search for product manuals online—one of the primary behaviors exploited by this campaign.

As the campaign continues, organizations must remain vigilant. Users should be cautious when downloading software and ensure they are obtaining applications from trusted sources. Regularly updating security protocols and educating employees about the risks of malvertising can also help mitigate potential threats. By understanding the tactics used by cybercriminals, individuals and organizations can better protect themselves against the evolving landscape of cybersecurity threats.

Stay informed about the latest in cybersecurity by following our channel for more insights and analysis on current threats and best practices.