PULSE DETAIL
PULSE NAME
Tracking TamperedChef Clusters via Certificate and Code Reuse
Multiple threat clusters, designated CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110, have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities that enable the deployment of information stealers, proxy tooling, and RATs. The trojanized applications are signed with code-signing certificates and remain dormant for weeks to months before activation; the campaigns affect organizations globally, with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations use Ukrainian, Malaysian, and British infrastructure and 34 unique code-signing entities, while CL-UNK-1090 shows vertical integration between advertising agencies and malware creation, using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising that employs professional-looking websites, CDN delivery, and search engine optimization techniques.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
TamperedChef
EvilAI
DocuFlex
AppSuite PDF
Calendaromatic
CrystalPDF
JustAskJacky
GoCookMate
RocketPDFPro
ManualReaderPro
PDFPrime
ManualzPDF
OneZip
JustConvertFiles
PDFPilot
SwiftNav
ShinyPDF
FileEase
ZipMakerPro
GifsMakerPro
ScreensRecorder
RapiDoc
Indicators of Compromise (5)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| CVE | CVE-2026-1731 | — | 2026-05-20 |
| FileHash-SHA256 | 2231bfa7c7bd4a8ff12568074f83de8e4ec95c226230cccc6616a1a4416de268 | — | 2026-05-20 |
| FileHash-SHA256 | 248de1470771904462c91f146074e49b3d7416844ec143ade53f4ac0487fdb44 | — | 2026-05-20 |
| domain | onezipapp.com | — | 2026-05-20 |
| hostname | www.crystalpdf.com | — | 2026-05-20 |