The Unit 42 article tracks TamperedChef-style malware, also known as EvilAI, across two main activity clusters, CL-CRI-1089 and CL-UNK-1090, with a third cluster, CL-UNK-1110, mentioned but not examined in depth. It notes over 4,000 samples across 100 unique variants and identifies 12,000 unique victim instances globally within its Managed Threat Hunting customer base.
The analysis highlights heavy use of code-signing certificates and adware-like payloads, including second-stage information stealers, RATs and browser hijackers, delivered through malvertising. Calendaromatic is used to illustrate code signing and certificate reuse, with 34 unique code-signing certificates attributed to CL-CRI-1089 and involvement of entities such as CANDY TECH LTD and TAU CENTAURI LTD in CL-UNK-1090.
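The certificate-reuse pivot that underpins this kind of clustering is worth seeing in code. The script below is an added example, not code from the Unit 42 report: it takes signer metadata of the kind an analyst exports from a sandbox or a VirusTotal signature query (sample hash, leaf-certificate subject CN, certificate thumbprint, issuer, lure/product name), groups samples by certificate, flags certificates that signed more than one lure and signers that cycled through several certificates, and then links certificates into activity clusters wherever they share a signer name or a product name. All records, company names and thumbprints are constructed placeholders; the function names are this example's own.

```python
"""Pivot on code-signing certificate reuse across signed samples.

Added example, not Unit 42 code. In practice the SignedSample fields would be
filled from a PE parser (Authenticode signer info) or a signature_info export;
here they are constructed inline so the script runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedSample:
    sha256: str
    signer_cn: str    # subject CN on the leaf certificate (the "company")
    thumbprint: str   # certificate thumbprint: unique key, unlike serial,
                      # which is only unique per issuing CA
    issuer: str
    product: str      # file description / product name used in the lure


# Constructed records: hashes, company names and thumbprints are placeholders.
SAMPLES = [
    SignedSample("a1" * 32, "ALPHA APPS LTD",  "T01", "Example CA", "Calendar Tool"),
    SignedSample("a2" * 32, "ALPHA APPS LTD",  "T01", "Example CA", "PDF Converter"),
    SignedSample("a3" * 32, "ALPHA APPS LTD",  "T02", "Example CA", "PDF Converter"),
    SignedSample("b1" * 32, "BETA SOFT LTD",   "T03", "Example CA", "Recipe Manager"),
    SignedSample("b2" * 32, "BETA SOFT LTD",   "T03", "Example CA", "Calendar Tool"),
    SignedSample("c1" * 32, "GAMMA TOOLS LTD", "T04", "Example CA", "Unit Converter"),
]


def cluster_by_certificate(samples):
    """Group samples by certificate thumbprint, not by signer name:
    one company name can sit on many certificates."""
    clusters = defaultdict(list)
    for s in samples:
        clusters[s.thumbprint].append(s)
    return dict(clusters)


def reused_certificates(samples, min_products=2):
    """Certificates that signed at least min_products distinct lures.
    A legitimate single-product vendor rarely signs unrelated 'products'."""
    out = {}
    for thumb, group in cluster_by_certificate(samples).items():
        products = {s.product for s in group}
        if len(products) >= min_products:
            out[thumb] = sorted(products)
    return out


def signers_with_multiple_certs(samples):
    """Signer CNs seen on more than one certificate: the churn pattern where
    an operator keeps obtaining fresh certificates under the same name."""
    by_cn = defaultdict(set)
    for s in samples:
        by_cn[s.signer_cn].add(s.thumbprint)
    return {cn: sorted(t) for cn, t in by_cn.items() if len(t) > 1}


def link_clusters(samples):
    """Union-find over certificates: two certificates are linked when they
    share a signer CN or a product name. Each resulting set of thumbprints
    is one candidate activity cluster. Returns a sorted list of sorted lists."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    by_cn, by_product = defaultdict(set), defaultdict(set)
    for s in samples:
        find(s.thumbprint)  # register every certificate, even isolated ones
        by_cn[s.signer_cn].add(s.thumbprint)
        by_product[s.product].add(s.thumbprint)

    for group in list(by_cn.values()) + list(by_product.values()):
        first, *rest = sorted(group)
        for other in rest:
            union(first, other)

    clusters = defaultdict(list)
    for thumb in parent:
        clusters[find(thumb)].append(thumb)
    return sorted(sorted(members) for members in clusters.values())


if __name__ == "__main__":
    print("reused certificates:", reused_certificates(SAMPLES))
    print("signers with several certificates:", signers_with_multiple_certs(SAMPLES))
    print("linked clusters:", link_clusters(SAMPLES))
```

On the constructed data the first certificate (T01) and the third (T03) each sign two unrelated lures, ALPHA APPS LTD appears on two certificates, and the shared "Calendar Tool" lure joins the two signers into one cluster while GAMMA TOOLS LTD stays isolated. Two caveats for real use: pivot on thumbprint rather than serial, since serials are only unique per issuing CA, and treat a shared product name as a weaker link than a shared certificate, since lure names are cheap to copy.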
The study also points to a vertically integrated ecosystem in CL-UNK-1090, where advertisers and code signers are linked, with more than 20,000 ads deployed and campaigns tied to Israeli infrastructure and signers. It further outlines the operational cost that obtaining certificates imposes on attackers and the observed shift among them away from code signing toward other delivery methods, while emphasising that TamperedChef campaigns exploit advertising pipelines to reach victims at scale.