The National Computer Emergency Response Team (NCERT) has issued a high-priority cybersecurity advisory, warning public and private sector organizations about a malware campaign exploiting a trojanized version of AppSuite PDF Editor circulating online.
The malware, dubbed “TamperedChef,” has been active since August 21, 2025, posing as legitimate PDF editing software.
According to NCERT, the malware employs remote JavaScript-based update mechanisms to allow attackers to steal sensitive data, establish command-and-control (C2) links, and deploy secondary payloads such as spyware and ransomware.
The campaign relies heavily on social engineering tactics, deceiving users into downloading the infected installer via phishing emails, cracked software bundles, or malicious online ads. Once executed, TamperedChef can extract system credentials, browser cookies, and user documents, while modifying Windows registry settings to maintain persistence.
NCERT warned that the malware poses a severe threat to government and enterprise networks, as it could provide initial access for advanced persistent threats (APTs), leading to large-scale data theft and network compromise.
The advisory detailed several potential impacts, including:
Data theft and confidentiality breaches.
Unauthorized modifications of PDF files.
Disruption of systems through ransomware deployment.
The threat specifically targets Windows-based systems, particularly those lacking recent security patches or endpoint protection tools such as antivirus or EDR solutions.
NCERT also identified two malicious domains — editor-update[.]com and pdfsuite-sync[.]net — functioning as C2 servers managing infected hosts. Other network indicators include connections to 185.92.223[.]14 and 103.89.77[.]6.
Signs of infection may include silent tampering of PDF files, browser crashes, and unexplained encrypted data transfers to unknown servers.
The agency’s mitigation advisory recommends:
Blocking known Indicators of Compromise (IOCs) at firewalls and intrusion prevention systems.
Restricting unauthorized executable files using AppLocker or Group Policy.
Applying the latest operating system and software patches.
Implementing multi-factor authentication (MFA) and phishing awareness training.
Deploying updated endpoint protection software.
NCERT urged all organizations to integrate this risk into their enterprise threat models and supply-chain security frameworks, quarantine compromised devices, reset exposed credentials, and share threat indicators with trusted cybersecurity networks.
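Blocking the indicators at the perimeter (recommended above) stops future beacons, but it does not tell you which hosts already reached them. The script below is an added example, not part of the advisory or any NCERT tooling: it refangs the two domains and two addresses published above and hunts for them in resolver and proxy logs, matching subdomains of the IOC domains but not look-alike names, and returns the list of internal hosts to quarantine. The `key=value` log format and every log line are constructed for the example.

```python
"""Hunt for the TamperedChef network IOCs from the NCERT advisory in DNS and
proxy/firewall logs.  Added example, not NCERT tooling.  The key=value log
format is an assumption and the sample lines are constructed."""
import ipaddress
import re
from typing import Iterable

# Indicators exactly as published in the advisory (defanged with "[.]").
IOC_DOMAINS = ["editor-update[.]com", "pdfsuite-sync[.]net"]
IOC_IPS = ["185.92.223[.]14", "103.89.77[.]6"]

KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample logs (hypothetical resolver and proxy formats).
SAMPLE_DNS = [
    "2025-09-02T10:15:01Z client=10.0.4.21 query=update.editor-update.com type=A",
    "2025-09-02T10:15:02Z client=10.0.4.22 query=www.example.com type=A",
    "2025-09-02T10:15:05Z client=10.0.4.23 query=noteditor-update.com type=A",
    "2025-09-02T10:16:40Z client=10.0.4.21 query=pdfsuite-sync.net type=TXT",
]
SAMPLE_PROXY = [
    "2025-09-02T10:15:03Z src=10.0.4.21 dst=185.92.223.14:443 proto=tcp bytes=48213",
    "2025-09-02T10:15:10Z src=10.0.4.22 dst=192.0.2.10:443 proto=tcp bytes=1200",
    "2025-09-02T10:17:00Z src=10.0.4.30 dst=103.89.77.6:8080 proto=tcp bytes=9902",
    "2025-09-02T10:17:05Z src=10.0.4.31 dst=not-an-address proto=tcp bytes=0",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable value."""
    return ioc.replace("[.]", ".").strip().lower()


def domain_matches(qname: str, ioc_domain: str) -> bool:
    """True for the indicator itself and any subdomain of it; a look-alike
    such as 'noteditor-update.com' must not match."""
    qname = qname.lower().rstrip(".")
    return qname == ioc_domain or qname.endswith("." + ioc_domain)


def parse_kv(line: str) -> dict:
    """Parse 'ts key=value key=value ...' into a dict (assumed format)."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def scan_dns(lines: Iterable[str]) -> list:
    """Return (client, indicator, line) for each query touching an IOC domain."""
    domains = [refang(d) for d in IOC_DOMAINS]
    hits = []
    for line in lines:
        f = parse_kv(line)
        qname = f.get("query", "")
        for d in domains:
            if domain_matches(qname, d):
                hits.append((f.get("client", "?"), d, line))
    return hits


def scan_connections(lines: Iterable[str]) -> list:
    """Return (src, indicator, line) for each connection to an IOC address.
    Lines whose dst is not a parseable IPv4/IPv6 address are skipped."""
    bad = {ipaddress.ip_address(refang(i)) for i in IOC_IPS}
    hits = []
    for line in lines:
        f = parse_kv(line)
        dst = f.get("dst", "").rsplit(":", 1)[0]  # strip ':port'
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if addr in bad:
            hits.append((f.get("src", "?"), str(addr), line))
    return hits


def hosts_to_quarantine(*hit_lists: list) -> list:
    """Distinct internal hosts seen in any hit list, sorted."""
    return sorted({hit[0] for hits in hit_lists for hit in hits})


if __name__ == "__main__":
    dns_hits = scan_dns(SAMPLE_DNS)
    net_hits = scan_connections(SAMPLE_PROXY)
    for host, ioc, line in dns_hits + net_hits:
        print(f"{host} -> {ioc} :: {line}")
    print("quarantine:", hosts_to_quarantine(dns_hits, net_hits))
```

Point `scan_dns` and `scan_connections` at real resolver and proxy exports instead of the sample lists; the suffix check in `domain_matches` is what keeps a noisy look-alike domain out of the hit list while still catching a subdomain of the published C2 name.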