Skip to main content
Emerging ThreatsMalware & Ransomware

Malvertisers Exploit Code Signing in TamperedChef Malware Campaigns

Devices and equipment in a brightly-lit tech facility with a laptop screen displaying blurred code.

“Between the three clusters of activity, we have identified over 4,000 samples across 100 unique variants.” That blunt tally, reported by Palo Alto Networks Unit 42, frames an operation that blends polished marketing with quietly malicious code and an unusually disciplined use of code signing and advertising pipelines.

Three clusters, many faces: CL-CRI-1089, CL-UNK-1090, CL-UNK-1110

Unit 42 maps TamperedChef-style activity into three distinct clusters: CL-CRI-1089, CL-UNK-1090 and CL-UNK-1110. CL-UNK-1110 is the cluster most commonly associated with the TamperedChef alias and includes campaigns such as JustAskJacky and RocketPDFPro. Unit 42’s primary focus in this report is CL-CRI-1089 and CL-UNK-1090.

CL-CRI-1089, active since early 2023, covers Calendaromatic, DocuFlex and AppSuite PDF and shows the broadest variation in techniques and infrastructure. Unit 42 identified roughly 3,300 samples tied to this cluster. CL-UNK-1090 demonstrates clear vertical integration between advertising and malware creation, is tied to campaigns such as CrystalPDF and PDF-Ezy, and accounts for roughly 750 samples; Unit 42 also observed about 12,000 unique instances of fake productivity software across its customer base.

How these apps hide: code signing, rebuilding, and dormancy

A defining technical trait is the near-universal use of legitimate code-signing certificates on first-stage binaries. Unit 42 tracked over 4,000 file hashes and 81 unique code-signing organizations by following certificates and code reuse. Code signing increases apparent legitimacy and, in several cases, allowed researchers to pivot from one sample to many through certificate overlap.

Operators frequently rebuild binaries with only minor changes—typically every one week to one month—to blunt static and hash-based detection. Many samples remain dormant for weeks or months before retrieving a second-stage payload, a delay that helps them avoid early discovery. Persistence is robust and typically implemented via scheduled tasks or registry Run keys. Obfuscation is used for loader and stealer components, primarily to de-obfuscate incoming payloads rather than to protect legitimate intellectual property.

Advertising as distribution: CANDY TECH LTD and ad transparency pivots

Distribution is distribution-first: malvertisements, sponsored results and search-engine marketing drive installs. Unit 42 emphasizes that ad transparency platforms provide a potent investigative lever because they expose advertiser and ad data; many major platforms publish that data as part of regulatory or platform-specific transparency tools.

CL-UNK-1090 illustrates vertical integration. OneZip, a malicious compression tool signed by TAU CENTAURI LTD and hosted at onezipapp[.]com, was promoted by ads tied to a single advertiser, CANDY TECH LTD, which Unit 42 reports distributed approximately 4,000 related ads starting in June 2024. CANDY TECH LTD is also linked to binaries and campaigns beyond advertising—several binaries bore either direct signatures or internal artefacts tied to the same name.

Corporate trails, certificate hygiene, and the economics of signing

Unit 42’s OSINT work mapped corporate structures used to acquire certificates. CL-UNK-1090 relied heavily on Israeli entities; Unit 42 found 39 Israeli corporations used for certificate generation in that cluster, often via company renames and shared ownership structures. In CL-CRI-1089, Unit 42 attributed 34 unique code-signing entities to the Calendaromatic operators and estimates the operators spent upward of $10,000 on certificates—an expense that the report suggests is tolerable for actors that treat advertising and logistics as the core competency.

Examples of signer names uncovered include CROWN SKY LLC, MARKET FUSION INNOVATIONS LLC, ADVANTAGE WEB MARKETING LLC and others. In at least one campaign, RapiDoc, developers left a program database (PDB) path in the binary and two SHA256 hashes were recorded: 248de1470771904462c91f146074e49b3d7416844ec143ade53f4ac0487fdb44 and 2231bfa7c7bd4a8ff12568074f83de8e4ec95c226230cccc6616a1a4416de268—small, concrete slips that enabled additional linkage.

What this means for security teams, regulators, and users

  • Technologists and security teams: Unit 42 recommends updated EDR/XDR, continuous hunting, enterprise browser protections and device hardening. Detection should focus beyond static signatures to persistence mechanisms, delayed activation behavior and unusual certificate usage patterns.
  • Policymakers and regulators: ad transparency systems are an operational lever—regulation requiring ad platforms to publish advertiser data underpins the pivots Unit 42 used. Those datasets can reveal vertical integration between ad sellers and malware creators.
  • End users and procurement leaders: seemingly legitimate productivity software distributed through polished landing pages and one-click CDNs can deliver stealers, RATs or browser-hijacking adware; awareness and procurement controls on where software is sourced matter.

Unit 42’s reporting underscores a recurring truth: these operators prioritize reach and advertising infrastructure above technical subtlety. Their next step—shifting away from code signing—will force defenders to rely less on certificate pivots and more on behavioral detection, ad-path analysis and corporate-ownership OSINT. For now, the combination of malvertising discipline, certificate-backed first-stage binaries, and delayed second-stage payloads makes TamperedChef-style campaigns a stealthy and large-scale threat.

https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/