
Potentially Unwanted Applications (PUAs) weaponized for covert delivery

Severity: Medium
Published: Mon Sep 29 2025 (09/29/2025, 08:02:55 UTC)
Source: AlienVault OTX General

Description

A malware distribution campaign leveraging digitally signed binaries, deceptive packaging, and browser hijackers has been uncovered. The campaign centers around two malicious applications, ImageLooker.exe and Calendaromatic.exe, delivered via self-extracting 7-Zip archives. These artifacts align with the TamperedChef malware campaign, which uses trojanized productivity tools for initial access and data exfiltration. The malware employs the NeutralinoJS framework, Unicode homoglyphs, and multiple digital signers to bypass detection. The campaign exploits user behavior through SEO poisoning and malvertising, masquerading as legitimate software. This approach highlights the evolving tactics of threat actors in weaponizing PUAs and abusing digital code signing to evade security measures.

AI-Powered Analysis

Last updated: 09/29/2025, 08:51:05 UTC

Technical Analysis

The threat involves a sophisticated malware distribution campaign leveraging Potentially Unwanted Applications (PUAs) that are weaponized for covert delivery. Central to this campaign are two malicious executables, ImageLooker.exe and Calendaromatic.exe, which are delivered via self-extracting 7-Zip archives. These binaries are digitally signed by multiple signers, a tactic used to bypass security detection mechanisms that often trust signed code. The campaign is attributed to the threat actor group known as TamperedChef, which is known for trojanizing productivity tools to gain initial access and conduct data exfiltration. The malware uses the NeutralinoJS framework, a lightweight application development framework, to facilitate its operations. It also employs Unicode homoglyphs, characters visually similar to legitimate ones, to deceive users and evade detection. The campaign exploits user behavior through SEO poisoning and malvertising, tricking victims into downloading what appears to be legitimate software. Additionally, the malware includes browser hijackers to manipulate victim browsing sessions. The attack chain involves multiple tactics and techniques such as code-signing abuse (T1553.002), command and scripting interpreter usage (T1059.007, T1059.001), data staging (T1074.001), persistence mechanisms (T1547.001), and credential dumping (T1003). The campaign's complexity and use of deceptive packaging, digital signing, and social engineering highlight an evolution in threat actor tactics, weaponizing PUAs to evade traditional security controls and deliver malware covertly. Although the pulse records no exploit observed in the wild, it lists CVE-2025-0411 as a vulnerability associated with this campaign.
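The analysis above notes that the campaign uses Unicode homoglyphs (look-alike characters) in names shown to users. The script below is an added example written for this page, not code from the pulse or from the Field Effect report, showing how a defender can triage file names or domain labels for such characters: it flags letters from an unexpected script and characters whose NFKC compatibility form differs from the character itself (ligatures, fullwidth forms). The sample names are constructed for the example; the real campaign's names are ASCII as listed on this page, and the Cyrillic and fullwidth variants are illustrative only.

```python
import unicodedata
from typing import List, Optional, Tuple

# Script that a Windows file name or a DNS label is normally written in.
EXPECTED_SCRIPT = "LATIN"


def script_of(ch: str) -> Optional[str]:
    """Derive the script of a letter from its Unicode character name.

    The unicodedata module exposes no Script property, but letter names
    begin with the script ("LATIN SMALL LETTER A", "CYRILLIC SMALL LETTER O").
    Digits and punctuation return None so they are never flagged.
    """
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyze_name(name: str, expected_script: str = EXPECTED_SCRIPT) -> List[Tuple[int, str, str]]:
    """Return (index, character, reason) for each character that may be a homoglyph.

    Check 1: the character's NFKC form differs from itself (e.g. the "fi"
    ligature or a fullwidth "I"), which is how compatibility look-alikes hide.
    Check 2: the character is a letter from a script other than the expected one.
    """
    findings = []
    for i, ch in enumerate(name):
        folded = unicodedata.normalize("NFKC", ch)
        if folded != ch:
            findings.append((i, ch, f"compatibility form of {folded!r}"))
            continue
        script = script_of(ch)
        if script is not None and script != expected_script:
            findings.append((i, ch, script))
    return findings


def is_suspicious(name: str) -> bool:
    """True when at least one character in the name warrants review."""
    return bool(analyze_name(name))


def triage(names: List[str]) -> dict:
    """Map each suspicious name to its findings; clean names are omitted."""
    return {n: analyze_name(n) for n in names if is_suspicious(n)}


# Constructed sample inputs: the two ASCII names from the advisory plus
# look-alike variants made up for this example (Cyrillic o, fullwidth I, fi ligature).
SAMPLE_NAMES = [
    "ImageLooker.exe",
    "Calendaromatic.exe",
    "Calendar\u043ematic.exe",
    "\uff29mageLooker.exe",
    "\ufb01le.exe",
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_NAMES).items():
        print(repr(name))
        for idx, ch, reason in findings:
            print(f"  position {idx}: {ch!r} (U+{ord(ch):04X}) -> {reason}")
```

Running the block prints only the three constructed look-alike names; the two ASCII names from the advisory pass cleanly. The check is deliberately conservative: it reports every non-Latin letter rather than only known confusable pairs, so a reviewer sees the exact code point and can decide whether the name is legitimately non-English or a spoof.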

Potential Impact

For European organizations, this threat poses a significant risk due to its stealthy delivery and evasion techniques. The abuse of digital code signing undermines trust in signed binaries, potentially leading to widespread infection before detection. The use of trojanized productivity tools targets common enterprise software usage patterns, increasing the likelihood of successful initial access. Once inside, the malware can exfiltrate sensitive data, disrupt user browsing through hijacking, and establish persistence, complicating incident response. The SEO poisoning and malvertising components increase the attack surface by targeting users searching for legitimate software, potentially impacting a broad range of sectors including finance, healthcare, and government. The campaign’s ability to bypass detection mechanisms may result in prolonged dwell time, increasing the risk of data breaches and operational disruption. The medium severity rating reflects the balance between the complexity of exploitation and the potential for significant confidentiality and integrity impacts if successful.

Mitigation Recommendations

European organizations should implement multi-layered defenses tailored to this threat's characteristics. Specifically:

1) Enforce strict application whitelisting, including validation of digital signatures against known trusted signers and revocation lists, to detect abuse of code signing.
2) Deploy endpoint detection and response (EDR) solutions capable of behavioral analysis to identify suspicious use of the NeutralinoJS framework and anomalous scripting activity.
3) Enhance email and web filtering to block SEO-poisoned links and malvertising domains, and share threat intelligence proactively so that blocklists are updated with indicators such as the domain iolenaightdecipien.org and the known malicious hashes listed below.
4) Conduct user awareness training focused on recognizing deceptive packaging and the risks of downloading software from untrusted sources.
5) Monitor for persistence mechanisms and unusual process creations linked to trojanized productivity tools.
6) Implement network segmentation and data loss prevention (DLP) to limit data exfiltration.
7) Regularly audit and update digital certificate trust stores, and promptly revoke certificates associated with malicious binaries.
8) Employ sandboxing to analyze suspicious archives before allowing execution in production environments.

These targeted measures go beyond generic advice by addressing the specific tactics and techniques used in this campaign.
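Recommendations 3 and 5 come down to matching the published indicators against endpoint and DNS telemetry. The script below is an added example written for this page, not code from the pulse, the Field Effect report, or any vendor product. It loads the hashes, domain and file names listed in this advisory and runs them over a handful of constructed log lines in a simple key=value format (the format is an assumption for the example; real EDR and resolver logs differ). A hash or domain match is treated as a confirmed indicator; a file-name match alone is reported as a lead for review, since an attacker-chosen name is easy to change and a legitimate file could share it.

```python
import re
from typing import Dict, List

# Indicators published with this pulse, lower-cased. By length these are
# five MD5 (32 hex), five SHA-1 (40 hex) and five SHA-256 (64 hex) values.
IOC_HASHES = {
    "4452bef7ffd8a1b0e424c4c9485289ae",
    "5f9af7c0324abd475d33d149b20cea2e",
    "8b9ad525283aa40a1af0a6b0d3e5b94d",
    "a2cb30e15104660533baa71dfcca9613",
    "d6951153ad26cc86cd06fde37530e4f4",
    "05f263f3cec9b5d64345c76785ef1493e10d80fc",
    "7430db4c3a2a7465a19d453e41a7a9d34ceb33e9",
    "796a0393c6411b3af155cf98c029d002a439f5b1",
    "bccc8e59ade8abce2710cc005dfce1d51843e74d",
    "dc0a40c8f2279c223ad2f832fc3c894ae0be7ec6",
    "497ed5bca59fa6c01f80d55c5f528a40daff4e4afddfbe58dbd452c45d4866a3",
    "69934dc1d4fdb552037774ee7a75c20608c09680128c9840b508551dbcf463ad",
    "a85d13a46213a83ec1910542ac42c9fc58c473b9fd0b1ddb68455cd617814c89",
    "e32d6b2b38b11db56ae5bce0d5e5413578a62960aa3fab48553f048c4d5f91f0",
    "f4b3c6bb24f20aa995e8b2af92c128b299446a9b7b02b5f45462e5d4c0df87f2",
}
IOC_DOMAINS = {"iolenaightdecipien.org"}
# File names from the advisory: a name match alone is a lead, not a confirmation.
SUSPECT_FILENAMES = {"imagelooker.exe", "calendaromatic.exe"}

# Constructed sample telemetry for this example (not from the page). The
# all-zero sha256 is a placeholder for an uninteresting benign binary.
SAMPLE_LOGS = [
    r"2025-09-29T08:02:55Z host=ws-17 event=process_create image=C:\Users\alice\Downloads\ImageLooker.exe sha256=497ed5bca59fa6c01f80d55c5f528a40daff4e4afddfbe58dbd452c45d4866a3",
    r"2025-09-29T08:03:10Z host=ws-17 event=dns_query query=cdn.iolenaightdecipien.org",
    r"2025-09-29T08:05:00Z host=ws-02 event=process_create image=C:\Windows\System32\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000",
    r"2025-09-29T08:06:30Z host=ws-02 event=process_create image=C:\Users\bob\AppData\Local\Temp\Calendaromatic.exe md5=4452bef7ffd8a1b0e424c4c9485289ae",
    r"2025-09-29T08:07:00Z host=ws-02 event=dns_query query=example.com",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
HASH_FIELDS = ("md5", "sha1", "sha256")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; keys are lower-cased."""
    return {k.lower(): v for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def domain_matches(query: str, iocs=IOC_DOMAINS) -> bool:
    """True for the IoC domain itself or any subdomain of it (case-insensitive)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in iocs)


def check_event(fields: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the advisory, empty if none."""
    reasons = []
    for field in HASH_FIELDS:
        h = fields.get(field, "").lower()
        if h and h in IOC_HASHES:
            reasons.append(f"{field} {h} matches a published IoC hash")
    image = fields.get("image")
    if image and basename(image) in SUSPECT_FILENAMES:
        reasons.append(f"file name {basename(image)} is named in the advisory (review)")
    query = fields.get("query")
    if query and domain_matches(query):
        reasons.append(f"DNS query {query} resolves under an IoC domain")
    return reasons


def scan_logs(lines: List[str]) -> List[dict]:
    """Run every line through the indicator checks and collect the hits."""
    hits = []
    for i, line in enumerate(lines):
        fields = parse_line(line)
        reasons = check_event(fields)
        if reasons:
            hits.append({"line": i, "host": fields.get("host"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']} host {hit['host']}:")
        for reason in hit["reasons"]:
            print("   ", reason)
```

Against the constructed sample the scanner reports three of the five lines: the two process-creation events whose hashes appear in the indicator list (each also carrying a file-name lead) and the DNS query for a subdomain of the IoC domain. The subdomain rule matters because blocklists that only compare the exact apex name miss hosts under it.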


Technical Details

Author: AlienVault
TLP: white
References: https://fieldeffect.com/blog/potentially-unwanted-applications
Adversary: TamperedChef
Pulse Id: 68da3d2fbeb1286aa4f67c07
Threat Score: null

Indicators of Compromise

CVE (no description supplied in the pulse)

CVE-2025-0411

Hashes (no descriptions supplied in the pulse)

MD5 (32 hex characters):
4452bef7ffd8a1b0e424c4c9485289ae
5f9af7c0324abd475d33d149b20cea2e
8b9ad525283aa40a1af0a6b0d3e5b94d
a2cb30e15104660533baa71dfcca9613
d6951153ad26cc86cd06fde37530e4f4

SHA-1 (40 hex characters):
05f263f3cec9b5d64345c76785ef1493e10d80fc
7430db4c3a2a7465a19d453e41a7a9d34ceb33e9
796a0393c6411b3af155cf98c029d002a439f5b1
bccc8e59ade8abce2710cc005dfce1d51843e74d
dc0a40c8f2279c223ad2f832fc3c894ae0be7ec6

SHA-256 (64 hex characters):
497ed5bca59fa6c01f80d55c5f528a40daff4e4afddfbe58dbd452c45d4866a3
69934dc1d4fdb552037774ee7a75c20608c09680128c9840b508551dbcf463ad
a85d13a46213a83ec1910542ac42c9fc58c473b9fd0b1ddb68455cd617814c89
e32d6b2b38b11db56ae5bce0d5e5413578a62960aa3fab48553f048c4d5f91f0
f4b3c6bb24f20aa995e8b2af92c128b299446a9b7b02b5f45462e5d4c0df87f2

Domain (no description supplied in the pulse)

iolenaightdecipien.org

Threat ID: 68da4863b34724c7e2fd7fc6

Added to database: 9/29/2025, 8:50:43 AM

Last enriched: 9/29/2025, 8:51:05 AM

Last updated: 9/30/2025, 12:06:51 AM
