Sophos, a cybersecurity solutions provider, has warned about a malicious advertising campaign that used Google Ads to spread a data-stealing malware known as TamperedChef.

According to Sophos, the campaign tricked users into downloading a fake PDF editing app called AppSuite PDF Editor. The app looked real and worked like normal software, but once installed on a Windows computer, it secretly stole saved information such as usernames and passwords. Researchers believe TamperedChef is part of a larger operation known as EvilAI.

The campaign appears to have started on June 26, 2025. Many of the websites linked to the fake app were created or first detected around that time. These sites were promoted through online ads, making them appear trustworthy to people searching for PDF tools or product manuals.

Sophos said its monitoring confirmed that more than 100 customer systems were already infected before the threat was detected and blocked.

Data from Sophos show that many of the affected users were in Germany, the United Kingdom, and France. However, the company said the malware was found in 19 countries in total, suggesting that the campaign was spread widely and not aimed at specific locations.

“Victims of this campaign span a variety of industries, particularly those where operations rely heavily on specialized technical equipment, possibly because users in those industries frequently search online for product manuals, a behavior that the TamperedChef campaign exploits to distribute malicious software,” Sophos said in a news advisory.

Further investigation showed that the attackers used several tricks to avoid being caught. These included delaying the malware’s activity, using fake software as a cover, delivering harmful files in steps, and using trusted digital certificates to make the app look safe.

Other security researchers said parts of the campaign may still be active, even if some of the websites linked to it are no longer working.

Sophos warned that anyone who installed AppSuite PDF Editor should assume that information saved in their web browser may have been stolen. The company added that cybercriminals know online ads are an effective way to spread malware and that similar scams are likely to happen again.
