ISLAMABAD (Kashmir English): The National Computer Emergency Response Team (NCERT) has released a high-priority cyber alert warning government and private sector organizations about a new malware campaign built around a trojanized version of the AppSuite PDF Editor.
The malware, known as TamperedChef, has been spreading on the internet since 21 August 2025, posing as a genuine PDF editor tool.
NCERT reports that the malware includes remote JavaScript-based update mechanisms that allow attackers to exfiltrate sensitive information, initiate command-and-control (C2) communications, and deliver secondary payloads such as spyware and ransomware.
As per the advisory, the campaign uses social engineering techniques to deceive users into downloading the tainted installer from phishing emails, cracked application packages, or malicious adverts.
After execution, TamperedChef obtains access to system credentials, cookies, and documents, and can modify registry settings for persistence.
NCERT cautioned that the malware can pose a high threat to enterprise and government networks since it can be used as an initial access vector for APTs, which can facilitate large-scale intrusions and data exfiltration.
The agency indicated several effects of the infection, such as confidentiality breaches through data theft, unauthorized PDF file modification, and system disruption from possible ransomware deployment.
The threat chiefly targets Windows systems, particularly unpatched systems or ones without working antivirus or endpoint detection and response (EDR) software.
The malware communicates with malicious domains such as editor-update[.]com and pdfsuite-sync[.]net, which were identified as C2 servers managing infected hosts.
The advisory contained a complete list of Indicators of Compromise (IOCs) and Indicators of Attack (IOAs), calling on organizations to watch for suspicious file activity from AppData directories, unauthorized registry entries, or network connections to malicious IP addresses (185.92.223[.]14 and 103.89.77[.]6).
Symptoms of infection also include silent alteration of PDF files, browser crashes, and intermittent encrypted data exfiltration to third-party servers.
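One way to act on the network indicators quoted above is to sweep proxy and DNS logs for them. The script below is an added example written for this article, not NCERT's tooling or part of the advisory: it refangs the defanged IOCs (the four domains and IPs listed above), extracts host-like tokens from each log line, and reports exact matches for IPs and exact-or-subdomain matches for domains. The log lines and their key=value format are constructed for illustration and are not from any real incident.

```python
import re
from typing import List, Optional, Set, Tuple

# Network indicators exactly as listed (defanged) in the NCERT advisory quoted above.
DEFANGED_IOCS = (
    "editor-update[.]com",
    "pdfsuite-sync[.]net",
    "185.92.223[.]14",
    "103.89.77[.]6",
)

# Constructed sample log lines in an assumed "key=value" proxy/DNS format; they
# are illustrative only and not taken from the advisory or any real incident.
SAMPLE_LOG = [
    "2025-08-22T09:14:03Z proxy allow src=10.0.5.21 dst=editor-update.com:443 url=https://editor-update.com/update.js",
    "2025-08-22T09:14:05Z dns query src=10.0.5.21 qname=update.editor-update.com type=A",
    "2025-08-22T09:15:11Z proxy allow src=10.0.5.21 dst=185.92.223.14:443",
    "2025-08-22T09:20:30Z proxy allow src=10.0.7.8 dst=185.92.223.140:443",
    "2025-08-22T09:21:02Z proxy allow src=10.0.7.8 dst=www.example.com:443",
    "2025-08-22T09:25:44Z dns query src=10.0.9.3 qname=pdfsuite-sync.net type=A",
]

# A dotted host-like token (domain or IPv4) that is not part of a longer dotted
# token, so 185.92.223.140 is never mistaken for the IOC 185.92.223.14.
HOST_RE = re.compile(r"(?<![A-Za-z0-9.-])((?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+)(?![A-Za-z0-9.-])")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into the form that appears in logs."""
    return ioc.replace("[.]", ".").lower()


def extract_hosts(line: str) -> Set[str]:
    """Collect every domain or IPv4 host-like token from one log line."""
    return {m.group(1).lower() for m in HOST_RE.finditer(line)}


def match_ioc(host: str, iocs: List[str]) -> Optional[str]:
    """Return the IOC a host matches: exact for IPs, exact-or-subdomain for domains."""
    for ioc in iocs:
        if host == ioc:
            return ioc
        # Subdomain matching only makes sense for domain IOCs, never for IPs.
        if not IPV4_RE.fullmatch(ioc) and host.endswith("." + ioc):
            return ioc
    return None


def scan_log(lines: List[str], defanged_iocs=DEFANGED_IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_ioc, observed_host) for every IOC sighting, in line order."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for number, line in enumerate(lines, start=1):
        for host in sorted(extract_hosts(line)):
            ioc = match_ioc(host, iocs)
            if ioc is not None:
                hits.append((number, ioc, host))
    return hits


if __name__ == "__main__":
    for number, ioc, host in scan_log(SAMPLE_LOG):
        print(f"line {number}: {host} matches advisory IOC {ioc}")
```

The token-boundary regex is the part worth keeping: a naive substring search for `185.92.223.14` would also flag the unrelated host `185.92.223.140` on line 4, while the boundary lookarounds reject it and the subdomain rule still catches `update.editor-update.com` on line 2.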
NCERT highlighted that the malware campaign is in the wild and widely propagating through malvertising and phishing campaigns.
How to Protect Yourself
In its guidelines for mitigation, NCERT recommended immediate containment measures, such as blocking known IOCs at firewalls and intrusion prevention systems, enforcing AppLocker or Group Policy rules that prevent unauthorized execution from temporary directories, and installing the latest operating system and library patches.
The advisory further urged organizations to enhance their security posture by mandating multi-factor authentication (MFA), organizing phishing awareness sessions, and installing updated endpoint protection solutions.
The advisory ended with a call to action on all organizations to add this risk to their enterprise threat models and supply-chain security controls.
NCERT called on system administrators to quarantine affected endpoints, reset compromised credentials, and report indicators to trusted cybersecurity communities.
Early detection and rapid containment, the team emphasized, are key to blocking large-scale data breaches and ransomware attacks attributed to the TamperedChef malware campaign.