{
  "type": "Domain",
  "indicator": "onezipapp.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/onezipapp.com",
    "alexa": "http://www.alexa.com/siteinfo/onezipapp.com",
    "indicator": "onezipapp.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4180285368,
      "indicator": "onezipapp.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "6a0dae41682ec38e55d1aa12",
          "name": "Tracking TamperedChef Clusters via Certificate and Code Reuse",
          "description": "Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns leverage code-signing certificates, remain dormant for weeks to months before activation, and affect organizations globally with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.",
          "modified": "2026-05-21T16:28:27.224000",
          "created": "2026-05-20T12:51:13.592000",
          "tags": [
            "gocookmate",
            "cl-cri-1089",
            "swiftnav",
            "cl-unk-1090",
            "docuflex",
            "tamperedchef",
            "pdfpilot",
            "information stealers",
            "trojanized productivity software",
            "zipmakerpro",
            "appsuite pdf",
            "justaskjacky",
            "shinypdf",
            "pdfprime",
            "screensrecorder",
            "code-signing abuse",
            "rocketpdfpro",
            "rapidoc",
            "manualzpdf",
            "evilai",
            "justconvertfiles",
            "crystalpdf",
            "gifsmakerpro",
            "manualreaderpro",
            "onezip",
            "fileease",
            "malvertising campaigns",
            "calendaromatic"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TamperedChef",
              "display_name": "TamperedChef",
              "target": null
            },
            {
              "id": "EvilAI",
              "display_name": "EvilAI",
              "target": null
            },
            {
              "id": "DocuFlex",
              "display_name": "DocuFlex",
              "target": null
            },
            {
              "id": "AppSuite PDF",
              "display_name": "AppSuite PDF",
              "target": null
            },
            {
              "id": "Calendaromatic",
              "display_name": "Calendaromatic",
              "target": null
            },
            {
              "id": "CrystalPDF",
              "display_name": "CrystalPDF",
              "target": null
            },
            {
              "id": "JustAskJacky",
              "display_name": "JustAskJacky",
              "target": null
            },
            {
              "id": "GoCookMate",
              "display_name": "GoCookMate",
              "target": null
            },
            {
              "id": "RocketPDFPro",
              "display_name": "RocketPDFPro",
              "target": null
            },
            {
              "id": "ManualReaderPro",
              "display_name": "ManualReaderPro",
              "target": null
            },
            {
              "id": "PDFPrime",
              "display_name": "PDFPrime",
              "target": null
            },
            {
              "id": "ManualzPDF",
              "display_name": "ManualzPDF",
              "target": null
            },
            {
              "id": "OneZip",
              "display_name": "OneZip",
              "target": null
            },
            {
              "id": "JustConvertFiles",
              "display_name": "JustConvertFiles",
              "target": null
            },
            {
              "id": "PDFPilot",
              "display_name": "PDFPilot",
              "target": null
            },
            {
              "id": "SwiftNav",
              "display_name": "SwiftNav",
              "target": null
            },
            {
              "id": "ShinyPDF",
              "display_name": "ShinyPDF",
              "target": null
            },
            {
              "id": "FileEase",
              "display_name": "FileEase",
              "target": null
            },
            {
              "id": "ZipMakerPro",
              "display_name": "ZipMakerPro",
              "target": null
            },
            {
              "id": "GifsMakerPro",
              "display_name": "GifsMakerPro",
              "target": null
            },
            {
              "id": "ScreensRecorder",
              "display_name": "ScreensRecorder",
              "target": null
            },
            {
              "id": "RapiDoc",
              "display_name": "RapiDoc",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1555.003",
              "name": "Credentials from Web Browsers",
              "display_name": "T1555.003 - Credentials from Web Browsers"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-SHA256": 2,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386463,
          "modified_text": "9 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a12fc685c724f6f873953e6",
          "name": "EbeeMay2026 Pt4",
          "description": "Multiple APT/threat actors, malware families and campaigns",
          "modified": "2026-05-24T13:26:00.146000",
          "created": "2026-05-24T13:26:00.146000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "cve20232868 cve",
            "cve20231389 cve",
            "cve20214034 cve",
            "cve20213493 cve"
          ],
          "references": [
            "IOCs-MAY2.csv"
          ],
          "public": 1,
          "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 71,
            "URL": 59,
            "FileHash-MD5": 169,
            "FileHash-SHA1": 153,
            "FileHash-SHA256": 225,
            "CIDR": 1,
            "CVE": 29,
            "domain": 128,
            "hostname": 111
          },
          "indicator_count": 946,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "6 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a12840b01103dcb9890ab25",
          "name": "Tracking TamperedChef Clusters via Certificate and Code Reuse",
          "description": "",
          "modified": "2026-05-24T04:52:27.130000",
          "created": "2026-05-24T04:52:27.130000",
          "tags": [
            "gocookmate",
            "cl-cri-1089",
            "swiftnav",
            "cl-unk-1090",
            "docuflex",
            "tamperedchef",
            "pdfpilot",
            "information stealers",
            "trojanized productivity software",
            "zipmakerpro",
            "appsuite pdf",
            "justaskjacky",
            "shinypdf",
            "pdfprime",
            "screensrecorder",
            "code-signing abuse",
            "rocketpdfpro",
            "rapidoc",
            "manualzpdf",
            "evilai",
            "justconvertfiles",
            "crystalpdf",
            "gifsmakerpro",
            "manualreaderpro",
            "onezip",
            "fileease",
            "malvertising campaigns",
            "calendaromatic"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TamperedChef",
              "display_name": "TamperedChef",
              "target": null
            },
            {
              "id": "EvilAI",
              "display_name": "EvilAI",
              "target": null
            },
            {
              "id": "DocuFlex",
              "display_name": "DocuFlex",
              "target": null
            },
            {
              "id": "AppSuite PDF",
              "display_name": "AppSuite PDF",
              "target": null
            },
            {
              "id": "Calendaromatic",
              "display_name": "Calendaromatic",
              "target": null
            },
            {
              "id": "CrystalPDF",
              "display_name": "CrystalPDF",
              "target": null
            },
            {
              "id": "JustAskJacky",
              "display_name": "JustAskJacky",
              "target": null
            },
            {
              "id": "GoCookMate",
              "display_name": "GoCookMate",
              "target": null
            },
            {
              "id": "RocketPDFPro",
              "display_name": "RocketPDFPro",
              "target": null
            },
            {
              "id": "ManualReaderPro",
              "display_name": "ManualReaderPro",
              "target": null
            },
            {
              "id": "PDFPrime",
              "display_name": "PDFPrime",
              "target": null
            },
            {
              "id": "ManualzPDF",
              "display_name": "ManualzPDF",
              "target": null
            },
            {
              "id": "OneZip",
              "display_name": "OneZip",
              "target": null
            },
            {
              "id": "JustConvertFiles",
              "display_name": "JustConvertFiles",
              "target": null
            },
            {
              "id": "PDFPilot",
              "display_name": "PDFPilot",
              "target": null
            },
            {
              "id": "SwiftNav",
              "display_name": "SwiftNav",
              "target": null
            },
            {
              "id": "ShinyPDF",
              "display_name": "ShinyPDF",
              "target": null
            },
            {
              "id": "FileEase",
              "display_name": "FileEase",
              "target": null
            },
            {
              "id": "ZipMakerPro",
              "display_name": "ZipMakerPro",
              "target": null
            },
            {
              "id": "GifsMakerPro",
              "display_name": "GifsMakerPro",
              "target": null
            },
            {
              "id": "ScreensRecorder",
              "display_name": "ScreensRecorder",
              "target": null
            },
            {
              "id": "RapiDoc",
              "display_name": "RapiDoc",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1555.003",
              "name": "Credentials from Web Browsers",
              "display_name": "T1555.003 - Credentials from Web Browsers"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6a0dae41682ec38e55d1aa12",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-SHA256": 2,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "6 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0ee0a3ed0a602a65fff3e5",
          "name": "Tracking TamperedChef Clusters via Certificate and Code Reuse",
          "description": "TamperedChef, also tracked as EvilAI, is distributed primarily through trojanized productivity applications such as PDF editors and calendars; users typically reach these applications through malicious ads without being aware of the underlying risk. The malware resembles potentially unwanted programs (PUPs) and adware in that it incorporates robust persistence mechanisms and deceptive end-user licensing agreements, but it differs in its stealth: it often remains dormant for an extended period before executing its malicious components.",
          "modified": "2026-05-21T10:38:27.588000",
          "created": "2026-05-21T10:38:27.588000",
          "tags": [
            "ltd clunk1090",
            "clunk1090",
            "candy tech",
            "tamperedchef",
            "clcri1089",
            "llc clcri1089",
            "adware",
            "rats",
            "palo alto",
            "fairark",
            "malware",
            "june",
            "alliance",
            "february",
            "model",
            "apollo",
            "code",
            "onezip",
            "rapidoc"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            }
          ],
          "industries": [
            "Education",
            "Media",
            "Government",
            "Healthcare"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-SHA256": 2,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "9 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6971edc93289862931ffe60b",
          "name": "EbeeJan2026 Pt4",
          "description": "Multiple APT/threat actors, malware families and campaigns",
          "modified": "2026-02-21T09:02:54.440000",
          "created": "2026-01-22T09:28:41.694000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "cve202553690"
          ],
          "references": [
            "week3-ioc-pt2.csv"
          ],
          "public": 1,
          "adversary": "Sicarii Ransomware, APT41, Kimwolf, RALord, Campaign abusing ahost.exe, DeadLock Ransomware, VoidLin",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 6,
            "FileHash-MD5": 177,
            "FileHash-SHA1": 175,
            "FileHash-SHA256": 280,
            "URL": 18,
            "domain": 55,
            "hostname": 12
          },
          "indicator_count": 723,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "98 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6969f54f65e29ff596a508a6",
          "name": "Free Converter Software - Convert Any System from Clean to Infected in Seconds",
          "description": "The article discusses several malware campaigns, typically involving remote access trojans (RATs), and their distribution through malicious advertisements. Users inadvertently download the malware by clicking ads that lead to fake file-converter applications. These applications masquerade as legitimate software and are signed with code-signing certificates to appear trustworthy, even though many of those certificates have since been revoked.\n\nOnce downloaded, the malware generally acts as a dropper: it deploys additional payloads that establish communication with a command-and-control server while remaining inconspicuous to the user. The article walks through one example, ConvertMate.exe, which is distributed from the domain hxxp://conmateapp[.]com (defanged here so the link is not clickable) and is ultimately written to the user's local application data directory.",
          "modified": "2026-01-16T08:22:39.178000",
          "created": "2026-01-16T08:22:39.178000",
          "tags": [
            "thor",
            "thumbprint",
            "event id",
            "c2 server",
            "task",
            "sysmon",
            "applocker",
            "google ad",
            "google",
            "below",
            "rats",
            "code",
            "updater",
            "weird",
            "first",
            "next",
            "droppers blue",
            "takin ltd",
            "tau centauri",
            "sparrow tide",
            "technodenis ltd",
            "black indigo",
            "long sound",
            "or kahol",
            "astro bright"
          ],
          "references": [
            "https://www.nextron-systems.com/2026/01/14/free-converter-software-convert-any-system-from-clean-to-infected-in-seconds/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1608.005",
              "name": "Link Target",
              "display_name": "T1608.005 - Link Target"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 71,
            "FileHash-SHA1": 81,
            "FileHash-SHA256": 154,
            "URL": 3,
            "domain": 18
          },
          "indicator_count": 327,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "134 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.nextron-systems.com/2026/01/14/free-converter-software-convert-any-system-from-clean-to-infected-in-seconds/",
        "https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/",
        "IOCs-MAY2.csv",
        "week3-ioc-pt2.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Gocookmate",
            "Docuflex",
            "Pdfprime",
            "Justconvertfiles",
            "Appsuite pdf",
            "Fileease",
            "Crystalpdf",
            "Rapidoc",
            "Justaskjacky",
            "Screensrecorder",
            "Rocketpdfpro",
            "Evilai",
            "Gifsmakerpro",
            "Manualreaderpro",
            "Shinypdf",
            "Swiftnav",
            "Pdfpilot",
            "Tamperedchef",
            "Calendaromatic",
            "Zipmakerpro",
            "Onezip",
            "Manualzpdf"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Sicarii Ransomware, APT41, Kimwolf, RALord, Campaign abusing ahost.exe, DeadLock Ransomware, VoidLin",
            "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef"
          ],
          "malware_families": [
            "Gocookmate",
            "Docuflex",
            "Pdfprime",
            "Justconvertfiles",
            "Appsuite pdf",
            "Fileease",
            "Crystalpdf",
            "Rapidoc",
            "Justaskjacky",
            "Screensrecorder",
            "Rocketpdfpro",
            "Evilai",
            "Gifsmakerpro",
            "Manualreaderpro",
            "Shinypdf",
            "Swiftnav",
            "Pdfpilot",
            "Tamperedchef",
            "Calendaromatic",
            "Zipmakerpro",
            "Onezip",
            "Manualzpdf"
          ],
          "industries": [
            "Government",
            "Education",
            "Healthcare",
            "Media"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "6a0dae41682ec38e55d1aa12",
      "name": "Tracking TamperedChef Clusters via Certificate and Code Reuse",
      "description": "Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns leverage code-signing certificates, remain dormant for weeks to months before activation, and affect organizations globally with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.",
      "modified": "2026-05-21T16:28:27.224000",
      "created": "2026-05-20T12:51:13.592000",
      "tags": [
        "gocookmate",
        "cl-cri-1089",
        "swiftnav",
        "cl-unk-1090",
        "docuflex",
        "tamperedchef",
        "pdfpilot",
        "information stealers",
        "trojanized productivity software",
        "zipmakerpro",
        "appsuite pdf",
        "justaskjacky",
        "shinypdf",
        "pdfprime",
        "screensrecorder",
        "code-signing abuse",
        "rocketpdfpro",
        "rapidoc",
        "manualzpdf",
        "evilai",
        "justconvertfiles",
        "crystalpdf",
        "gifsmakerpro",
        "manualreaderpro",
        "onezip",
        "fileease",
        "malvertising campaigns",
        "calendaromatic"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TamperedChef",
          "display_name": "TamperedChef",
          "target": null
        },
        {
          "id": "EvilAI",
          "display_name": "EvilAI",
          "target": null
        },
        {
          "id": "DocuFlex",
          "display_name": "DocuFlex",
          "target": null
        },
        {
          "id": "AppSuite PDF",
          "display_name": "AppSuite PDF",
          "target": null
        },
        {
          "id": "Calendaromatic",
          "display_name": "Calendaromatic",
          "target": null
        },
        {
          "id": "CrystalPDF",
          "display_name": "CrystalPDF",
          "target": null
        },
        {
          "id": "JustAskJacky",
          "display_name": "JustAskJacky",
          "target": null
        },
        {
          "id": "GoCookMate",
          "display_name": "GoCookMate",
          "target": null
        },
        {
          "id": "RocketPDFPro",
          "display_name": "RocketPDFPro",
          "target": null
        },
        {
          "id": "ManualReaderPro",
          "display_name": "ManualReaderPro",
          "target": null
        },
        {
          "id": "PDFPrime",
          "display_name": "PDFPrime",
          "target": null
        },
        {
          "id": "ManualzPDF",
          "display_name": "ManualzPDF",
          "target": null
        },
        {
          "id": "OneZip",
          "display_name": "OneZip",
          "target": null
        },
        {
          "id": "JustConvertFiles",
          "display_name": "JustConvertFiles",
          "target": null
        },
        {
          "id": "PDFPilot",
          "display_name": "PDFPilot",
          "target": null
        },
        {
          "id": "SwiftNav",
          "display_name": "SwiftNav",
          "target": null
        },
        {
          "id": "ShinyPDF",
          "display_name": "ShinyPDF",
          "target": null
        },
        {
          "id": "FileEase",
          "display_name": "FileEase",
          "target": null
        },
        {
          "id": "ZipMakerPro",
          "display_name": "ZipMakerPro",
          "target": null
        },
        {
          "id": "GifsMakerPro",
          "display_name": "GifsMakerPro",
          "target": null
        },
        {
          "id": "ScreensRecorder",
          "display_name": "ScreensRecorder",
          "target": null
        },
        {
          "id": "RapiDoc",
          "display_name": "RapiDoc",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1555.003",
          "name": "Credentials from Web Browsers",
          "display_name": "T1555.003 - Credentials from Web Browsers"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-SHA256": 2,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 5,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386463,
      "modified_text": "9 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a12fc685c724f6f873953e6",
      "name": "EbeeMay2026 Pt4",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-24T13:26:00.146000",
      "created": "2026-05-24T13:26:00.146000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "cve20232868 cve",
        "cve20231389 cve",
        "cve20214034 cve",
        "cve20213493 cve"
      ],
      "references": [
        "IOCs-MAY2.csv"
      ],
      "public": 1,
      "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 71,
        "URL": 59,
        "FileHash-MD5": 169,
        "FileHash-SHA1": 153,
        "FileHash-SHA256": 225,
        "CIDR": 1,
        "CVE": 29,
        "domain": 128,
        "hostname": 111
      },
      "indicator_count": 946,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "6 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a12840b01103dcb9890ab25",
      "name": "Tracking TamperedChef Clusters via Certificate and Code Reuse",
      "description": "",
      "modified": "2026-05-24T04:52:27.130000",
      "created": "2026-05-24T04:52:27.130000",
      "tags": [
        "gocookmate",
        "cl-cri-1089",
        "swiftnav",
        "cl-unk-1090",
        "docuflex",
        "tamperedchef",
        "pdfpilot",
        "information stealers",
        "trojanized productivity software",
        "zipmakerpro",
        "appsuite pdf",
        "justaskjacky",
        "shinypdf",
        "pdfprime",
        "screensrecorder",
        "code-signing abuse",
        "rocketpdfpro",
        "rapidoc",
        "manualzpdf",
        "evilai",
        "justconvertfiles",
        "crystalpdf",
        "gifsmakerpro",
        "manualreaderpro",
        "onezip",
        "fileease",
        "malvertising campaigns",
        "calendaromatic"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TamperedChef",
          "display_name": "TamperedChef",
          "target": null
        },
        {
          "id": "EvilAI",
          "display_name": "EvilAI",
          "target": null
        },
        {
          "id": "DocuFlex",
          "display_name": "DocuFlex",
          "target": null
        },
        {
          "id": "AppSuite PDF",
          "display_name": "AppSuite PDF",
          "target": null
        },
        {
          "id": "Calendaromatic",
          "display_name": "Calendaromatic",
          "target": null
        },
        {
          "id": "CrystalPDF",
          "display_name": "CrystalPDF",
          "target": null
        },
        {
          "id": "JustAskJacky",
          "display_name": "JustAskJacky",
          "target": null
        },
        {
          "id": "GoCookMate",
          "display_name": "GoCookMate",
          "target": null
        },
        {
          "id": "RocketPDFPro",
          "display_name": "RocketPDFPro",
          "target": null
        },
        {
          "id": "ManualReaderPro",
          "display_name": "ManualReaderPro",
          "target": null
        },
        {
          "id": "PDFPrime",
          "display_name": "PDFPrime",
          "target": null
        },
        {
          "id": "ManualzPDF",
          "display_name": "ManualzPDF",
          "target": null
        },
        {
          "id": "OneZip",
          "display_name": "OneZip",
          "target": null
        },
        {
          "id": "JustConvertFiles",
          "display_name": "JustConvertFiles",
          "target": null
        },
        {
          "id": "PDFPilot",
          "display_name": "PDFPilot",
          "target": null
        },
        {
          "id": "SwiftNav",
          "display_name": "SwiftNav",
          "target": null
        },
        {
          "id": "ShinyPDF",
          "display_name": "ShinyPDF",
          "target": null
        },
        {
          "id": "FileEase",
          "display_name": "FileEase",
          "target": null
        },
        {
          "id": "ZipMakerPro",
          "display_name": "ZipMakerPro",
          "target": null
        },
        {
          "id": "GifsMakerPro",
          "display_name": "GifsMakerPro",
          "target": null
        },
        {
          "id": "ScreensRecorder",
          "display_name": "ScreensRecorder",
          "target": null
        },
        {
          "id": "RapiDoc",
          "display_name": "RapiDoc",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1555.003",
          "name": "Credentials from Web Browsers",
          "display_name": "T1555.003 - Credentials from Web Browsers"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6a0dae41682ec38e55d1aa12",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-SHA256": 2,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 5,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "6 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0ee0a3ed0a602a65fff3e5",
      "name": "Tracking TamperedChef Clusters via Certificate and Code Reuse",
      "description": "The TamperedChef malware, also known as EvilAI, represents a significant cyber threat primarily characterized by its distribution through trojanized productivity applications such as PDF editors and calendars. These applications often lead users to malicious payloads via ads, targeting users unaware of the underlying risks. Notably, this malware type demonstrates similarities with potentially unwanted programs (PUPs) and adware, incorporating robust mechanisms for persistence and utilizing deceptive end-user licensing agreements. However, its stealth is a notable differentiator: the malware often remains dormant for extended periods before executing its malicious components.",
      "modified": "2026-05-21T10:38:27.588000",
      "created": "2026-05-21T10:38:27.588000",
      "tags": [
        "ltd clunk1090",
        "clunk1090",
        "candy tech",
        "tamperedchef",
        "clcri1089",
        "llc clcri1089",
        "adware",
        "rats",
        "palo alto",
        "fairark",
        "malware",
        "june",
        "alliance",
        "february",
        "model",
        "apollo",
        "code",
        "onezip",
        "rapidoc"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        }
      ],
      "industries": [
        "Education",
        "Media",
        "Government",
        "Healthcare"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-SHA256": 2,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 5,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "9 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6971edc93289862931ffe60b",
      "name": "EbeeJan2026 Pt4",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-02-21T09:02:54.440000",
      "created": "2026-01-22T09:28:41.694000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "cve202553690"
      ],
      "references": [
        "week3-ioc-pt2.csv"
      ],
      "public": 1,
      "adversary": "Sicarii Ransomware, APT41, Kimwolf, RALord, Campaign abusing ahost.exe, DeadLock Ransomware, VoidLin",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 6,
        "FileHash-MD5": 177,
        "FileHash-SHA1": 175,
        "FileHash-SHA256": 280,
        "URL": 18,
        "domain": 55,
        "hostname": 12
      },
      "indicator_count": 723,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "98 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6969f54f65e29ff596a508a6",
      "name": "Free Converter Software - Convert Any System from Clean to Infected in Seconds",
      "description": "The article discusses various malware campaigns typically involving remote access trojans (RATs) and their distribution methods, primarily through malicious advertisements. It describes how users can inadvertently download malware by clicking on ads that lead to fake converter applications. These applications often masquerade as legitimate software, using code signing certificates to appear trustworthy even though many of these certificates have been revoked.\n\nThe malware, once downloaded, generally functions as a dropper, deploying additional payloads that establish communication with a command-and-control server while remaining inconspicuous to the user. The article outlines a specific example, ConvertMate.exe, indicating that it is distributed through the http://conmateapp.com domain and ultimately ends up in the user's local application data.",
      "modified": "2026-01-16T08:22:39.178000",
      "created": "2026-01-16T08:22:39.178000",
      "tags": [
        "thor",
        "thumbprint",
        "event id",
        "c2 server",
        "task",
        "sysmon",
        "applocker",
        "google ad",
        "google",
        "below",
        "rats",
        "code",
        "updater",
        "weird",
        "first",
        "next",
        "droppers blue",
        "takin ltd",
        "tau centauri",
        "sparrow tide",
        "technodenis ltd",
        "black indigo",
        "long sound",
        "or kahol",
        "astro bright"
      ],
      "references": [
        "https://www.nextron-systems.com/2026/01/14/free-converter-software-convert-any-system-from-clean-to-infected-in-seconds/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1608.005",
          "name": "Link Target",
          "display_name": "T1608.005 - Link Target"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 71,
        "FileHash-SHA1": 81,
        "FileHash-SHA256": 154,
        "URL": 3,
        "domain": 18
      },
      "indicator_count": 327,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "134 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "onezipapp.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "onezipapp.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780192220.336156
}