Unit 42: TamperedChef Clusters Deliver Stealthy Payloads via Trojanized Productivity Apps

Unit 42 published an analysis of TamperedChef, a threat actor cluster that distributes stealthy payloads through trojanized productivity applications and malvertising campaigns. The group reuses TLS certificates and code across infrastructure, allowing Unit 42 to cluster disparate campaigns despite rebranding.

The trojanized-app initial access vector is increasingly common and difficult to detect with signature alone. Security teams should enforce controls that flag anomalously signed application packages, monitor for malvertising-sourced downloads, and review endpoint telemetry for lateral movement following productivity app installs. The full report includes IOCs and certificate fingerprints for detection.