TamperedChef Malware Clusters Leverage Reused Certificates and Code to Target Productivity‑Software Users
What Happened — Unit 42 identified three active TamperedChef‑style malware clusters (CL‑CRI‑1089, CL‑UNK‑1090, CL‑UNK‑1110) that reuse TLS certificates and code snippets across >4,000 samples and 100 variants. The payloads masquerade as legitimate productivity tools (PDF editors, ZIP extractors, calendar apps) and remain dormant for weeks before delivering RATs, stealer modules, or proxy tools.
Why It Matters for TPRM —
- Supply‑chain risk: Malicious code is embedded in third‑party software distributed via ad‑networks, exposing downstream customers.
- Persistence & stealth: Dormant periods evade typical endpoint detection, increasing the chance of successful compromise.
- Credential & data theft: Delivered RATs can harvest credentials and exfiltrate sensitive corporate data.
Who Is Affected — Enterprises across all sectors that allow end‑users to install productivity utilities from unvetted sources (e.g., finance, healthcare, education, SaaS providers).
Recommended Actions —
- Block download of unsigned or unsigned‑by‑unknown‑publisher productivity apps.
- Enforce application allow‑list policies and sandbox execution of new utilities.
- Deploy advanced endpoint detection (e.g., Cortex XDR) with TLS‑certificate inspection.
Technical Notes —
- Attack vector: Malvertising campaigns redirect victims to compromised download sites; the malware uses reused TLS certificates to evade network‑based SSL inspection.
- Persistence: Registry and scheduled‑task tricks combined with dormant sleeper logic (weeks‑months).
- Payloads: Remote Access Trojans, information stealers, proxy tools; code reuse indicates a shared development kit.
- Indicators: Shared SHA‑256 hashes, common C2 domains, and identical certificate fingerprints across clusters.
Source: Palo Alto Unit 42 – Tracking TamperedChef Clusters via Certificate and Code Reuse