TamperedChef Malware Rises: Deceptive Apps Use Signed Binaries and SEO Poisoning to Hijack Browsers

Field Effect’s Threat Intelligence team has uncovered a new wave of the TamperedChef malware campaign, leveraging digitally signed binaries, deceptive packaging, and browser hijackers to deliver malware disguised as everyday productivity tools. The campaign centers on two trojanized applications: ImageLooker.exe and Calendaromatic.exe, both distributed via self-extracting archives.

The investigation began in late September 2025, when Microsoft Defender flagged a Potentially Unwanted Application (PUA). According to Field Effect, “PUAs, software that may not be overtly malicious but exhibits intrusive behavior, can serve as effective delivery mechanisms for more serious threats.”

Both ImageLooker and Calendaromatic were distributed as self-extracting 7-Zip archives, bypassing basic controls. Field Effect notes, “The executables are built using NeutralinoJS, a lightweight desktop framework that allows execution of arbitrary JavaScript code. It was distributed via deceptive advertising and search engine manipulation.”

Researchers tied these binaries to the TamperedChef campaign, previously known for trojanized productivity apps. The report explains, “Calendaromatic has been linked to the TamperedChef campaign by a malware sample repository… TamperedChef uses multiple digital signers and PUAs to redirect traffic, alter browser settings, and facilitate malware downloads.”

Malware publishers involved include CROWN SKY LLC, LIMITED LIABILITY COMPANY APPSOLUTE, OneStart Technologies LLC, Sunstream Labs, and others—entities previously implicated in distributing trojanized productivity tools, browser hijackers, and residential proxy abuse.

The campaign makes heavy use of obfuscation and covert encoding. Field Effect reports, “The malware’s use of Unicode homoglyphs to encode payloads within seemingly benign API responses allowed it to bypass string-based detection and signature matching.”
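
The following Python script is an added illustration and is not part of the Field Effect report or any TamperedChef sample. It shows, from the detection side, why a plain substring match misses an indicator that has been written with Unicode look-alike characters, and how a confusables map plus a mixed-script check recovers it. The sample "API response", the small confusables table and the indicator list are constructed for this example; a production detector would use the full Unicode confusables data.

```python
"""Detect Unicode homoglyph obfuscation in text such as API responses.

Added example, not code from the Field Effect report. The sample response
and the confusables subset below are constructed for illustration.
"""
import re
import unicodedata

# Constructed subset of Unicode confusables: look-alike character -> ASCII.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0455": "s",  # Cyrillic small dze
    "\u04bb": "h",  # Cyrillic small shha
    "\uff0e": ".",  # fullwidth full stop
    "\uff0f": "/",  # fullwidth solidus
}

# Constructed sample: a JSON-looking response whose URL uses Cyrillic
# look-alikes for the "o", "x" and "a" in the host and path.
SAMPLE_RESPONSE = (
    '{"status":"ok","next":"https://m\u043evement\u0445view.com/upd\u0430te"}'
)

# Indicators from the report, in plain ASCII as an analyst would write them.
INDICATORS = ["movementxview.com", "calendaromatic.com"]


def skeleton(text: str) -> str:
    """Map look-alikes to ASCII, then NFKC-normalize (folds fullwidth forms etc.)."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return unicodedata.normalize("NFKC", mapped)


def scripts_in(token: str) -> set:
    """Approximate the Unicode scripts of the letters in a token.

    Uses the first word of each character's Unicode name ("LATIN",
    "CYRILLIC", ...), which is good enough to spot script mixing.
    """
    scripts = set()
    for ch in token:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "").split(" ")[0])
    return scripts


def find_mixed_script_tokens(text: str) -> list:
    """Tokens mixing scripts (e.g. Latin + Cyrillic) are a strong homoglyph signal."""
    tokens = re.split(r'[\s/.:"{},\[\]]+', text)
    return [t for t in tokens if len(scripts_in(t)) > 1]


def scan_response(body: str, indicators: list) -> dict:
    """Compare naive and skeleton matching and report homoglyph signals."""
    normalized = skeleton(body)
    return {
        "naive_hits": [i for i in indicators if i in body],
        "normalized_hits": [i for i in indicators if i in normalized],
        "mixed_script_tokens": find_mixed_script_tokens(body),
        "non_ascii_count": sum(1 for ch in body if ord(ch) > 127),
    }


if __name__ == "__main__":
    for key, value in scan_response(SAMPLE_RESPONSE, INDICATORS).items():
        print(f"{key}: {value}")
```

The naive match finds nothing because the bytes differ, while the skeleton match and the mixed-script check both fire; in practice the mixed-script signal is the more robust of the two, since it does not depend on knowing the indicator in advance.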

Other notable tactics include:

  • Exploiting CVE-2025-0411 to bypass Windows Mark of the Web protections.
  • Using command-line flags such as --install, --enableupdate, and --fullupdate for persistence.
  • Establishing C2 communications with calendaromatic[.]com and movementxview[.]com.
  • Exfiltrating browser data, stored credentials, and session information.
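
The script below is an added example, not part of the Field Effect report, showing how the tactics listed above translate into simple detection logic. The process names, persistence flags and C2 domains are the indicators named in the report; the log format, the sample log lines and the parsing are constructed for this illustration and would need to be adapted to a real EDR or DNS log schema.

```python
"""Match TamperedChef-style indicators against constructed endpoint logs.

Added example, not from the Field Effect report. Indicators come from the
report; the log lines and their "<type> <timestamp> key=value ..." layout
are constructed for illustration.
"""
import re

SUSPICIOUS_IMAGES = {"imagelooker.exe", "calendaromatic.exe"}
PERSISTENCE_FLAGS = {"--install", "--enableupdate", "--fullupdate"}
C2_DOMAINS = {"calendaromatic.com", "movementxview.com"}

# Constructed sample log lines (process creation and DNS events).
SAMPLE_LOGS = [
    'proc 2025-09-29T10:01:02Z host=WS01 user=alice '
    'image="C:\\Users\\alice\\AppData\\Local\\Calendaromatic\\Calendaromatic.exe" '
    'cmdline="Calendaromatic.exe --install --enableupdate"',
    'proc 2025-09-29T10:01:05Z host=WS01 user=alice '
    'image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe notes.txt"',
    'dns 2025-09-29T10:01:07Z host=WS01 query=api.movementxview.com rcode=NOERROR',
    'dns 2025-09-29T10:01:08Z host=WS01 query=update.microsoft.com rcode=NOERROR',
    'proc 2025-09-29T10:05:00Z host=WS02 user=bob '
    'image="D:\\tools\\ImageLooker.exe" cmdline="ImageLooker.exe --fullupdate"',
]

# key=value pairs; values may be double-quoted (paths and command lines).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split an event into its type, timestamp and key=value fields."""
    kind, ts, rest = line.split(" ", 2)
    fields = {k: (q or u) for k, q, u in KV_RE.findall(rest)}
    fields["kind"] = kind
    fields["ts"] = ts
    return fields


def basename(path: str) -> str:
    """Lower-cased file name, tolerating both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_process(ev: dict):
    """Flag the trojanized binaries, with extra weight when persistence flags are present."""
    image = basename(ev.get("image", ""))
    # Normalize dashes that some log pipelines or renderers turn into en/em dashes.
    cmdline = ev.get("cmdline", "").replace("\u2013", "--").replace("\u2014", "--")
    flags = {tok.lower() for tok in cmdline.split() if tok.startswith("--")}
    hits = sorted(flags & PERSISTENCE_FLAGS)
    if image in SUSPICIOUS_IMAGES and hits:
        return ("tamperedchef_persistence", f"{image} run with {' '.join(hits)}")
    if image in SUSPICIOUS_IMAGES:
        return ("tamperedchef_binary", f"{image} executed")
    return None


def check_dns(ev: dict):
    """Flag lookups of the C2 domains or any of their subdomains."""
    query = ev.get("query", "").lower().rstrip(".")
    for domain in C2_DOMAINS:
        if query == domain or query.endswith("." + domain):
            return ("tamperedchef_c2_dns", f"lookup of {query} matches {domain}")
    return None


def scan_logs(lines) -> list:
    """Run every event through the matching check and collect alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["kind"] == "proc":
            hit = check_process(ev)
        elif ev["kind"] == "dns":
            hit = check_dns(ev)
        else:
            hit = None
        if hit:
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "rule": hit[0], "detail": hit[1]})
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert)
```

Domain matching uses a suffix check rather than substring search so that `api.movementxview.com` matches while an unrelated name that merely contains the string does not; the process rule keys on the executable name plus the persistence flags, which is what distinguishes the installer behaviour from a one-off execution.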

Victims are lured through SEO poisoning and deceptive ads. As Field Effect explains, “Threat actors manipulate search engine results by creating keyword-stuffed landing pages that rank highly for queries like ‘free PDF editor,’ ‘calendar app for Windows,’ or ‘image viewer download.’

These fake sites mimic legitimate software portals with trust badges, fake reviews, and download counters, convincing users to download malicious installers.”

The TamperedChef campaign exemplifies how PUAs can be weaponized as part of a malware distribution ecosystem, blurring the line between nuisanceware and full-scale cybercrime. By combining digitally signed binaries, obfuscation, homoglyph encoding, and deceptive distribution, the attackers successfully bypass reputation-based defenses and exploit user trust.

Field Effect warns, “The TamperedChef campaign illustrates how threat actors are evolving their delivery mechanisms by weaponizing potentially unwanted applications, abusing digital code signing, and deploying covert encoding techniques.”
