The National Computer Emergency Response Team (NCERT) has issued a high-priority cybersecurity advisory warning public and private sector organizations against a newly discovered malware campaign involving a trojanized version of AppSuite PDF Editor.

The malicious software, identified as TamperedChef, has been circulating online since August 21, 2025, disguised as a legitimate PDF editing application. According to NCERT, this malware incorporates remote JavaScript-based update mechanisms that enable hackers to exfiltrate sensitive data, establish command-and-control (C2) communications, and deploy secondary payloads including spyware and ransomware.

According to the advisory, the campaign leverages social engineering tactics to trick users into downloading the infected installer from phishing emails, cracked software bundles, or malicious advertisements. Once executed, TamperedChef gains access to system credentials, cookies, and documents, and can modify registry settings to maintain persistence.

NCERT warned that the malware poses a high risk to enterprise and government networks as it can act as an initial access vector for advanced persistent threats (APTs), enabling large-scale intrusions and data theft.

The agency highlighted multiple impacts of the infection, including breaches of confidentiality through data theft, unauthorized modification of PDF files, and system disruptions due to potential ransomware deployment. The threat primarily targets Windows systems—especially unpatched devices or those lacking effective antivirus or endpoint detection and response (EDR) solutions.

The malware communicates with malicious domains such as editor-update[.]com and pdfsuite-sync[.]net, which have been identified as C2 servers controlling infected hosts.

The advisory provided a comprehensive list of Indicators of Compromise (IOCs) and Indicators of Attack (IOAs), urging organizations to monitor for unusual file activity from AppData directories, unauthorized registry entries, or network connections to suspicious IP addresses (185.92.223[.]14 and 103.89.77[.]6).

Signs of infection also include silent modification of PDF documents, browser crashes, and periodic encrypted data transfers to external servers. NCERT emphasized that the malware campaign is active in the wild and spreading rapidly through malvertising and phishing campaigns.
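The indicators above can be turned into a simple triage check. The following is an added example, not code from NCERT or the advisory: it refangs the domains and IPs quoted in the article and scans constructed endpoint telemetry for the three signals the advisory names (C2 contacts, execution from AppData or Temp, and persistence-style registry writes). The `key=value` log format and the specific Run-key check are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

def refang(value: str) -> str:
    """Turn a defanged indicator such as 185.92.223[.]14 into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")

# C2 indicators as quoted in the advisory (defanged on the page, refanged here).
C2_DOMAINS = {refang(d) for d in ("editor-update[.]com", "pdfsuite-sync[.]net")}
C2_IPS = {refang(ip) for ip in ("185.92.223[.]14", "103.89.77[.]6")}

# Advisory: watch for execution/file activity from AppData and temporary directories.
SUSPECT_PATH = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)
# Assumption: "unauthorized registry entries" is checked against the Run keys here.
PERSIST_KEY = re.compile(r"\\CurrentVersion\\Run", re.IGNORECASE)

def classify(line: str) -> Optional[str]:
    """Return a hit label for one space-separated key=value log line, or None if benign."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    kind = fields.get("event")
    if kind == "net":
        dest = fields.get("dest", "").lower()
        if dest in C2_DOMAINS or dest in C2_IPS:
            return f"C2 contact: {dest}"
    elif kind == "proc":
        if SUSPECT_PATH.search(fields.get("image", "")):
            return f"execution from user-writable dir: {fields['image']}"
    elif kind == "reg":
        if PERSIST_KEY.search(fields.get("key", "")):
            return f"Run-key persistence: {fields['key']}"
    return None

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, label) for every line that matches an indicator."""
    return [(i, hit) for i, line in enumerate(lines, 1) if (hit := classify(line))]

# Constructed sample telemetry for one workstation (not real captures).
SAMPLE_LOG = [
    "event=proc host=WS01 image=C:\\Windows\\explorer.exe",
    "event=net host=WS01 dest=update.microsoft.com port=443",
    "event=proc host=WS01 image=C:\\Users\\bob\\AppData\\Local\\Temp\\pdfeditor-setup.exe",
    "event=net host=WS01 dest=editor-update.com port=443",
    "event=net host=WS01 dest=103.89.77.6 port=8443",
    "event=reg host=WS01 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AppSuiteUpdater",
]

if __name__ == "__main__":
    for lineno, label in scan(SAMPLE_LOG):
        print(f"line {lineno}: {label}")
```

Lines 3 to 6 of the sample are flagged; the first two (a normal process and a benign update check) are not.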

In its mitigation guidelines, NCERT recommended immediate containment actions, including blocking identified IOCs at firewalls and intrusion prevention systems, enforcing AppLocker or Group Policy restrictions to prevent unauthorized execution from temporary directories, and applying the latest operating system and library patches.

The advisory also encouraged organizations to strengthen their security posture by enforcing multi-factor authentication (MFA), conducting phishing awareness sessions, and deploying updated endpoint protection tools.

The advisory concluded with a call to action for all entities to incorporate this risk into their enterprise threat models and supply-chain security frameworks. NCERT urged system administrators to isolate affected endpoints, reset compromised credentials, and share indicators with trusted cybersecurity networks.

Early detection and swift containment, the team stressed, are essential to preventing large-scale data breaches and ransomware incidents linked to the TamperedChef malware campaign.

By admin