Thu, Jun 4, 2026

NCERT issues warning against malicious PDF app circulating online

ISLAMABAD: The National Computer Emergency Response Team (NCERT) has released a high-priority cybersecurity advisory warning public and private sector organizations about a recently identified malware campaign that uses a trojanized variant of AppSuite PDF Editor.

The malware, known as TamperedChef, has been spreading on the internet since August 21, 2025, disguised as genuine PDF editing software. NCERT has stated that the malware uses a remote JavaScript-based update mechanism that allows attackers to steal sensitive information, set up command-and-control (C2) communications, and deliver secondary payloads such as spyware and ransomware.

The campaign relies on social engineering to trick users into downloading the trojanized installer through phishing messages, cracked software packages, or malicious ads. Once executed, TamperedChef harvests system credentials, cookies, and documents, and modifies registry settings to maintain persistence.

NCERT cautioned that the malware poses a high threat to enterprise and government networks because it can serve as an initial access vector for APTs, enabling large-scale intrusions and data theft.

The agency identified several consequences of infection, including loss of confidentiality through data theft, unauthorized modification of PDF files, and disruption of systems through possible ransomware deployment. The threat mainly targets Windows systems, particularly unpatched devices or devices without adequate antivirus or endpoint detection and response (EDR) solutions.

The malware communicates with malicious domains such as editor-update[.]com and pdfsuite-sync[.]net, which have been observed acting as C2 servers managing infected hosts.

The alert compiles a list of Indicators of Attack (IOAs) and Indicators of Compromise (IOCs) and recommends that organizations watch for abnormal file activity in AppData directories, unauthorized registry entries, and network connections to the malware hosts 185.92.223[.]14 and 103.89.77[.]6.

Other signs of infection include silent alteration of PDF files, browser crashes, and occasional encrypted data transfers to remote servers. NCERT noted that the campaign is ongoing in the wild and spreading widely through malvertising and phishing.

Its mitigation guidance recommends immediate containment measures such as blocking the known IOCs at firewalls and intrusion prevention systems, using AppLocker or Group Policy to block execution of unauthorized binaries from temporary directories, and applying the latest operating system and library patches.
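The two practical recommendations above, watching for connections to the published IOCs and for execution from AppData or temporary directories, and feeding the same indicators into a firewall blocklist, can be checked with a small log sweep. The script below is an added example, not part of the NCERT advisory or this article: the log format and the sample log lines are constructed for illustration, and only the four indicators quoted in the article are used.

```python
"""IOC sweep over constructed log lines using the indicators quoted in the article.

Added example; not code from NCERT or from the article. The log format below
("<timestamp> net dst=<host>" and "<timestamp> proc image=\"<path>\"") and the
sample lines are constructed for illustration.
"""
import re

# Indicators exactly as published (defanged with "[.]").
DEFANGED_IOCS = [
    "editor-update[.]com",
    "pdfsuite-sync[.]net",
    "185.92.223[.]14",
    "103.89.77[.]6",
]

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' form back into a matchable hostname or IP."""
    return indicator.replace("[.]", ".")


# refanged form -> published form, so reports quote the advisory's own notation
IOCS = {refang(i): i for i in DEFANGED_IOCS}

# Execution from user-writable AppData or Temp paths is what the advisory says to watch for.
SUSPICIOUS_DIR_RE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)


def blocklist() -> dict:
    """Split the refanged IOCs into IPs and domains for firewall / DNS blocking."""
    ips = sorted(i for i in IOCS if IPV4_RE.match(i))
    domains = sorted(i for i in IOCS if not IPV4_RE.match(i))
    return {"ips": ips, "domains": domains}


def scan_line(line: str) -> list:
    """Return (reason, evidence) findings for one constructed log line; [] if clean."""
    findings = []
    m = re.match(r"\S+\s+(net|proc)\s+(.*)", line)
    if not m:
        return findings
    kind, rest = m.groups()
    if kind == "net":
        dst_match = re.search(r"dst=(\S+)", rest)
        if dst_match:
            dst = dst_match.group(1).lower()
            for refanged, published in IOCS.items():
                # exact match, or a subdomain of a listed domain
                if dst == refanged or dst.endswith("." + refanged):
                    findings.append(("ioc_network", published))
    elif kind == "proc":
        img_match = re.search(r'image="([^"]+)"', rest)
        if img_match and SUSPICIOUS_DIR_RE.search(img_match.group(1)):
            findings.append(("exec_from_appdata", img_match.group(1)))
    return findings


def scan_log(lines) -> list:
    """Return (line_number, reason, evidence) for every finding in the log."""
    return [(n, reason, ev)
            for n, line in enumerate(lines, 1)
            for reason, ev in scan_line(line)]


# Constructed sample log: one benign connection, one C2 domain lookup, one
# installer launched from the user's Temp directory, one C2 IP connection,
# and one benign process start.
SAMPLE_LOG = [
    "2025-09-01T10:00:01Z net dst=update.microsoft.com",
    "2025-09-01T10:00:05Z net dst=editor-update.com",
    r'2025-09-01T10:00:06Z proc image="C:\Users\alice\AppData\Local\Temp\pdfeditor_setup.exe"',
    "2025-09-01T10:01:00Z net dst=185.92.223.14",
    r'2025-09-01T10:02:00Z proc image="C:\Program Files\Editor\editor.exe"',
]

if __name__ == "__main__":
    print("blocklist:", blocklist())
    for n, reason, ev in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}: {ev}")
```

The script keeps the indicators defanged in its source and refangs them only for matching, so the published notation survives in reports; a subdomain match is included because C2 infrastructure is commonly reached through hostnames beneath the listed domain.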

The advisory also urged organizations to strengthen their security posture by implementing multi-factor authentication (MFA), providing phishing awareness training, and installing up-to-date endpoint protection software.

The alert ended with a call for all organizations to include this risk in their enterprise threat models and supply-chain security practices. NCERT advised system administrators to quarantine affected endpoints, reset compromised credentials, and share indicators with trusted cybersecurity networks.

Early detection and rapid containment, the team emphasized, are critical to avoiding widespread data breaches and ransomware attacks associated with the TamperedChef malware campaign.
