TamperedChef: New Global Malvertising Campaign Using Fake Software Installers to Deliver Stealthy Backdoors
The TamperedChef campaign first surfaced earlier this year as security researchers began tracking a rise in fake software installers pushed through manipulated online ads and poisoned search results. The operation has since expanded into a large, coordinated effort that distributes JavaScript-based backdoors by convincing users to download tools that appear completely legitimate.

The operators run an organized infrastructure that churns out new websites, delivery paths, and signed installers at a rapid pace. They register shell companies in multiple countries to acquire code-signing certificates, so the counterfeit applications carry valid signatures and look authentic and trustworthy to end users. A valid signature only proves which entity the certificate was issued to; it says nothing about whether the software is safe, and that gap is exactly what the shell companies exploit.

When someone downloads one of these installers (often while searching for PDF tools, utilities, or equipment documentation), the program displays normal installation screens while quietly creating a scheduled task that launches an obfuscated script in the background. That script contacts remote servers, sends system metadata, and establishes a foothold the attackers can reuse for later activity. The campaign's scale, automation, and constant rotation of certificates show how industrialized the operation has become.

While the malware's ultimate purpose varies, investigators have tied the activity to data theft, credential harvesting, access resale, and fraud schemes that generate steady revenue for the actors involved. A growing number of infections have been identified across the United States and several regions overseas, with notable impact on healthcare, construction, and manufacturing, industries where users frequently search online for manuals, drivers, or specialized tools and are therefore easy targets for manipulated ads. The broader activity fits a larger trend of attackers using AI-themed tools and common business utilities as lures to reach a wider audience.
The combination of convincing installers, trusted digital signatures, and persistent backdoor placement significantly raises the risk for organizations whose staff source software from web searches. To reduce exposure, direct staff to vetted download portals or an internal software catalog, block high-risk ad networks at the proxy, and audit endpoints for unexpected scheduled tasks (particularly tasks that launch a script host from a user-writable directory) and for installer signers that do not match the vendor the user believed they were installing.
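The scheduled-task audit above can be scripted against the XML that Task Scheduler exports. The following is an added example, not code from the TamperedChef reporting or from any vendor: it parses exported task definitions and flags the pattern the write-up describes, a script host launched from a user-writable path by a hidden logon task, while leaving an ordinary vendor updater alone. Both task exports are constructed samples; the task names, paths, and the choice of wscript.exe as the host are assumptions for illustration, not indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML export (schtasks /Query /TN <name> /XML).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Host binaries that execute script content rather than a compiled program.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "node.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_FILE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd)\b", re.IGNORECASE)
# Locations a standard user can write to; persistence launched from here can be
# swapped out later without any privilege, so it deserves a second look.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\[^\\]+)\\", re.IGNORECASE)
# wscript/cscript //B (batch mode, no dialogs) and PowerShell -WindowStyle Hidden.
NO_WINDOW = re.compile(r"//B\b|-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Constructed sample: a hidden logon task running a JScript file from AppData.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\PdfEditorUpdate</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\Users\alice\AppData\Roaming\PdfEditor\svc.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a visible logon task running a compiled updater from Program Files.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleCorp\UpdateCheck</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleCorp\Updater\updater.exe"</Command>
      <Arguments>--check</Arguments>
    </Exec>
  </Actions>
</Task>"""


def review_task(xml_text: str) -> dict:
    """Score one exported task: its URI, the reasons found, and a verdict."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=TASK_NS)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    strong, context = [], []          # strong: script execution; context: how it hides
    if hidden.strip().lower() == "true":
        context.append("task is marked Hidden")
    if root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        context.append("runs at user logon")
    for action in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = action.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        exe = cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            strong.append(f"script host {exe}")
        if SCRIPT_FILE.search(args):
            strong.append("arguments name a script file")
        if USER_WRITABLE.search(cmd + " " + args):
            context.append("runs from a user-writable directory")
        if NO_WINDOW.search(args):
            context.append("suppresses any visible window")
    # A logon trigger alone is normal for vendor updaters, so it never corroborates.
    corroborating = [c for c in context if c != "runs at user logon"]
    return {"name": uri, "reasons": strong + context,
            "suspicious": bool(strong and corroborating)}


def triage(exports):
    """Review a list of task XML exports and return one verdict dict per task."""
    return [review_task(x) for x in exports]


if __name__ == "__main__":
    for r in triage([SUSPICIOUS_TASK, BENIGN_TASK]):
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:10} {r['name']}: {'; '.join(r['reasons']) or 'no findings'}")
```

Feed it the output of schtasks /Query /TN <name> /XML for each task, or the task XML files under C:\Windows\System32\Tasks, and pull first any flagged task whose registration time lines up with a recent installer run on that host.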
“The Gentlemen” Ransomware Group Rapidly Emerges as a High-Impact Global Threat
First identified around July 2025, 'The Gentlemen' ransomware group has quickly moved from a newly observed operation to a mature threat actor with a wide victim footprint across multiple sectors. By September it had launched a dedicated leak site and published data from 48 compromised organizations, signaling both confidence and operational momentum. Its approach blends conventional double extortion (encrypt, then threaten to leak) with ongoing experimentation, affiliate recruitment, and rapid adoption of new tooling.

Intelligence reporting shows the group tested several affiliate models from established ransomware ecosystems before launching its own full-featured RaaS platform, giving it a polished operational model from day one. That early refinement has let it attract skilled partners, automate large portions of its workflow, and scale attacks at an unusual rate for a newcomer. Its infrastructure and communication channels across dark-web forums further indicate a coordinated and well-resourced operation.

Recent malware updates show a clear effort to expand reach and sophistication across Windows, Linux, and ESXi environments. The payloads now feature persistent startup mechanisms, faster encryption routines, multiple encryption speed modes, and improved lateral movement through WMI, PowerShell remoting, and remote service manipulation. The ransomware uses strong cryptographic algorithms, targets both local and networked drives, and deliberately preserves file modification timestamps so that detections and triage keyed on recently modified files miss the encrypted content. The Linux and ESXi variants include privilege escalation, boot persistence, and aggressive disk-wiping behavior that undermines recovery. Analysis also shows built-in anti-forensics designed to delete logs, disable security tools, and obstruct incident responders.
Combined with a polished RaaS offering that includes EDR-killing utilities, customizable payload options, and structured negotiation support, The Gentlemen has quickly positioned itself as a highly capable and persistent threat. Organizations should verify that backups are offline or immutable and have actually been restored in a test, restrict the lateral-movement channels the payload relies on (WMI, WinRM/PowerShell remoting, remote service creation) to dedicated administrative hosts, harden and patch virtual infrastructure including ESXi management interfaces, and maintain a tested incident response plan to reduce exposure to this expanding threat actor.
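One practical consequence of the timestamp preservation noted above: on POSIX file systems, which covers the Linux and ESXi variants, the malware can restore a file's mtime but cannot reset its ctime, which the kernel updates on every write and on every utime() call and which no unprivileged API sets backward. The added example below is not code from the reporting: it walks a tree and reports files whose ctime is recent while their mtime claims they are old. The fixture directory it builds is constructed for the demo, and the seven-day gap and three-day window are assumed thresholds to tune per environment. On Windows the equivalent check compares $STANDARD_INFORMATION against $FILE_NAME timestamps in the MFT, which this example does not cover.

```python
import os
import tempfile
import time

DAY = 86400


def timestomp_candidates(root: str, min_gap: float = 7 * DAY,
                         recent_window: float = 3 * DAY) -> list:
    """Return files under root whose content changed recently (ctime within
    recent_window) while their mtime claims to be at least min_gap older.

    A ransomware that rewrites a file and then restores the original mtime
    leaves a file that looks untouched by mtime but was provably changed by
    ctime, because the kernel stamps ctime on the write and on the utime() call."""
    now = time.time()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue          # unreadable or vanished between listing and stat
            if now - st.st_ctime <= recent_window and st.st_ctime - st.st_mtime >= min_gap:
                hits.append(path)
    return sorted(hits)


def build_demo_dir() -> str:
    """Constructed fixture, not data from the write-up: one file rewritten with its
    mtime pushed back a year, the way a timestamp-preserving encryptor leaves it,
    and one file written normally."""
    root = tempfile.mkdtemp(prefix="stomp-demo-")
    victim = os.path.join(root, "report.docx")
    with open(victim, "wb") as f:
        f.write(b"ciphertext stand-in")
    a_year_ago = time.time() - 365 * DAY
    os.utime(victim, (a_year_ago, a_year_ago))   # restore atime/mtime like the malware
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"written just now")
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    for p in timestomp_candidates(demo):
        st = os.stat(p)
        print(f"{p}: mtime {time.ctime(st.st_mtime)} but ctime {time.ctime(st.st_ctime)}")
```

Run it from a forensic boot or a read-only mount of the affected volume, since a live wiper variant can remove the evidence before the walk completes, and sort the hits by ctime to recover the encryptor's actual progression through the file system.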
Update: Nova Stealer Introduces Advanced Application-Swapping Tactics in New macOS Theft Campaign
Nova Stealer is a recently uncovered macOS threat that stands out for its unusual reliance on detached GNU screen sessions to stay hidden. Instead of running as visible foreground processes, each malicious script is launched into a detached background screen session that survives logouts and blends into normal system activity. Persistence is handled by a LaunchAgent that loads a script manager at every login (LaunchAgents run in the user's session rather than at boot, so the malware needs no root privileges to persist), ensuring the malware continually refreshes itself. The orchestrator uses a flexible update mechanism: it retrieves base64-encoded modules from a command-and-control server, decodes them, and redeploys the updated scripts into individual screen sessions. This modular framework supports several components focused on reconnaissance and cryptocurrency theft, including automated collection of wallet data from Trezor, Exodus, and Ledger applications. Even though Nova leaves more disk artifacts than high-end malware families, its hidden process management and in-place module refreshes give it an operational durability that is difficult to disrupt.

The most alarming capability is Nova's application-swapping technique, which replaces legitimate cryptocurrency applications with near-perfect counterfeits. The malware deletes the original Ledger Live and Trezor Suite installations, wipes their Launchpad records, and downloads fraudulent versions that look completely normal to the user. These replacements are lightweight Swift-based apps that display phishing pages through WebKit while capturing recovery phrases, keystrokes, and user activity in real time. The phishing pages validate seed words against the standard BIP-39 and SLIP-39 word lists, so the dynamic autocomplete behaves exactly like a legitimate wallet's recovery flow. Operators receive continuous updates on victim activity through tracking beacons, and typed or submitted recovery phrases are streamed to dedicated endpoints.
The combination of hidden process management, modular updates, and application swapping demonstrates a clear evolution in macOS-focused cryptocurrency theft, giving attackers a persistent foothold and the flexibility to refine phishing techniques remotely over long periods. Organizations and individuals should download software only from verified developer portals, monitor macOS systems for unauthorized LaunchAgents and for detached screen sessions (screen -ls, run as the affected user, lists them), and treat any unexpected wallet prompt or reinstallation request as a high-risk indicator of compromise. Regularly auditing cryptocurrency applications, verifying their code signature and developer Team ID rather than trusting their appearance, validating file hashes against the vendor's published values, and enabling endpoint protections that flag unsigned binaries or suspicious network activity will significantly reduce exposure to this evolving threat.
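The two host-side checks recommended above, unauthorized LaunchAgents and detached screen sessions, can be automated. The added example below is not code from the Nova analysis: it scores LaunchAgent plists for the traits the write-up describes (a detached screen launch, base64 decoding at start, a hidden working directory, RunAtLoad and KeepAlive) and parses screen -ls output into the detached sessions. The two plists, their labels and paths, and the screen -ls output are constructed samples, not Nova indicators.

```python
import plistlib
import re

# One line per session in `screen -ls` output: "\t4121.mgr\t(Detached)".
SCREEN_LS_LINE = re.compile(r"^\s*(\d+)\.(\S+)\s+\((Detached|Attached)", re.MULTILINE)
BASE64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
HIDDEN_DIR = re.compile(r"(?:^|[\s/])\.[^/\s]+/")   # a path component starting with '.'

# Constructed sample: a login-time agent that hands a hidden script to screen.
NOVA_LIKE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>screen -dmS mgr /Users/alice/.cache/.mgr/manager.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>"""

# Constructed sample: an ordinary vendor agent that starts an app bundle at login.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.syncclient</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Sync Client.app/Contents/MacOS/Sync Client</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>"""

# Constructed sample of `screen -ls` output for one user.
SCREEN_LS_SAMPLE = ("There are screens on:\n"
                    "\t4121.mgr\t(Detached)\n"
                    "\t4133.collect\t(Detached)\n"
                    "\t4140.shell\t(Attached)\n"
                    "3 Sockets in /var/folders/zz/T/.screen.\n")


def launches_detached_screen(cmdline: str) -> bool:
    """True when the command starts GNU screen with both -d and -m (detached,
    non-interactive), whether written as -dmS, -d -m, or -mdS."""
    m = re.search(r"\bscreen\b([^\n;|&]*)", cmdline)
    if not m:
        return False
    short_flags = "".join(t[1:] for t in m.group(1).split()
                          if t.startswith("-") and not t.startswith("--"))
    return "d" in short_flags and "m" in short_flags


def review_launch_agent(plist_bytes: bytes) -> dict:
    """Score one LaunchAgent plist (as read from ~/Library/LaunchAgents)."""
    job = plistlib.loads(plist_bytes)
    argv = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    cmdline = " ".join(argv)
    strong, context = [], []          # strong: what it runs; context: how it persists
    if launches_detached_screen(cmdline):
        strong.append("starts a detached screen session")
    if BASE64_DECODE.search(cmdline):
        strong.append("decodes base64 content at launch")
    if HIDDEN_DIR.search(cmdline):
        strong.append("runs from a hidden directory")
    if job.get("RunAtLoad"):
        context.append("RunAtLoad: starts at every login")
    if job.get("KeepAlive"):
        context.append("KeepAlive: restarted if it exits")
    return {"label": job.get("Label", "(no label)"), "command": cmdline,
            "reasons": strong + context, "suspicious": bool(strong)}


def detached_sessions(screen_ls_output: str) -> list:
    """Parse `screen -ls` output into (pid, name) tuples for Detached sessions."""
    return [(int(pid), name) for pid, name, state in SCREEN_LS_LINE.findall(screen_ls_output)
            if state == "Detached"]


if __name__ == "__main__":
    for agent in (NOVA_LIKE_AGENT, BENIGN_AGENT):
        r = review_launch_agent(agent)
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + r["label"],
              "->", "; ".join(r["reasons"]))
    print("detached screen sessions:", detached_sessions(SCREEN_LS_SAMPLE))
```

Run it over every user's ~/Library/LaunchAgents/*.plist and over screen -ls executed as each user, since screen sockets are per user and root's listing will not show them. For the swapped wallet apps, the quickest check is codesign -dv --verbose=4 on the bundle and comparing the TeamIdentifier it prints with the vendor's, which a repackaged Swift shell cannot reproduce.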