
Pakistan issues warning over infected PDF app circulating online

TamperedChef malware campaign
NCERT warns against malware posing as PDF editor tool.
TamperedChef steals data, installs spyware and ransomware.
Users urged to block malicious IPs and update systems.

The National Computer Emergency Response Team (NCERT) has issued a cybersecurity advisory warning users about a dangerous malware campaign disguised as a legitimate PDF editing tool called AppSuite PDF Editor.

The malware, known as TamperedChef, has been circulating online since August 21, 2025, posing as trusted PDF software. It secretly infects computers, steals data, and enables remote hacker control.

According to NCERT, the infected PDF uses remote JavaScript-based updates that allow attackers to extract sensitive files, access credentials, and install spyware or ransomware. It poses a severe threat to enterprise networks.

The advisory explains that hackers are using social engineering methods such as fake emails, cracked software, and malicious ads to trick users into downloading the infected installer from unverified sources.

Once installed, TamperedChef collects system credentials, cookies, and personal documents. It also modifies system registry settings to ensure it stays active and hidden within the infected device.


NCERT has warned that this malware could become an entry point for advanced persistent threats (APTs), allowing large-scale breaches, data theft, and ransomware attacks in both public and private organizations.


The malware targets mostly Windows users, particularly those with outdated systems or without proper antivirus protection. It communicates with fake domains like editor-update[.]com and pdfsuite-sync[.]net.

The agency’s report listed Indicators of Compromise (IOCs) and Indicators of Attack (IOAs), urging organizations to monitor unauthorized registry changes, unusual file activity, and suspicious IP connections.
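As an added illustration (not part of the NCERT advisory or the original article), the sketch below shows one way a defender could check DNS query logs for the two domains named above. The log format, host names and timestamps are constructed for the example; the matching is done per DNS label so that subdomains are caught while look-alike names are not flagged.

```python
import re
from typing import Optional

# The two domains exactly as the article lists them (defanged).
DEFANGED_IOCS = ["editor-update[.]com", "pdfsuite-sync[.]net"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ([.], hxxp://) into a bare lowercase hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^h(xx|tt)ps?://", "", s)          # drop any scheme
    return s.split("/")[0].split(":")[0].rstrip(".")

IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

def matches_ioc(hostname: str) -> Optional[str]:
    """Return the IoC domain that hostname equals or is a subdomain of."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    # Compare whole label suffixes, never raw substrings, so that
    # "noteditor-update.com" or "editor-update.com.example.org" do not match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

# Constructed sample log: "<timestamp> <client> <qtype> <qname>" (assumed format).
SAMPLE_DNS_LOG = """\
2025-08-25T09:14:02Z WS-0142 A www.example.org
2025-08-25T09:14:07Z WS-0142 A EDITOR-UPDATE.com.
2025-08-25T09:15:31Z WS-0207 A api.pdfsuite-sync.net
2025-08-25T09:16:10Z WS-0311 A noteditor-update.com
2025-08-25T09:16:44Z WS-0311 A editor-update.com.example.org
"""

def scan(log_text: str):
    """Return (timestamp, client, qname, ioc) for every query that hits an IoC."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:        # skip malformed or truncated lines
            continue
        ts, client, _qtype, qname = fields
        ioc = matches_ioc(qname)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits

if __name__ == "__main__":
    for ts, client, qname, ioc in scan(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {qname} (matches {ioc})")
```

Clients that appear in the results are candidates for the isolation and credential-reset steps the advisory describes.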

Possible infection signs include altered PDF documents, browser crashes, and secret encrypted data transfers to unknown servers, suggesting the malware is still spreading through phishing and online ads.

For protection, NCERT advised organizations to block malicious IPs, update system patches, and use AppLocker or Group Policy settings to restrict unauthorized file executions from temporary directories.


It also recommended enabling multi-factor authentication (MFA), conducting phishing awareness training, and installing updated endpoint detection and response (EDR) software for stronger protection.

NCERT urged IT teams to isolate affected devices, reset compromised credentials, and share threat indicators with trusted cybersecurity networks to contain the TamperedChef malware campaign effectively.

The agency stressed that early detection and swift action are critical to prevent widespread data breaches and ransomware attacks linked to this ongoing malicious campaign.

How to Stay Safe from TamperedChef PDF malware

Users can protect themselves from this malware by following a few simple steps:

  • Download apps only from official sources.
  • Avoid clicking on suspicious ads or “free” software offers.
  • Run a full antivirus scan if you’ve installed any unknown PDF editor.
  • Watch for browser crashes, strange pop-ups, or suspicious network activity.
  • Keep your operating system and antivirus updated.
  • Change your passwords if you think your PC is infected.