Windows Users at Risk From Obfuscated JavaScript Malware, Acronis Warns

Acronis researchers uncovered TamperedChef, a growing cluster of signed, fake applications delivering remote-execution backdoors through advanced JavaScript obfuscation.

Published on Nov 19, 2025
Heavily Obfuscated JavaScript Malware Expands Into Multi-Domain Campaign Targeting Windows Systems

A new malware campaign dubbed “TamperedChef” has been observed using heavily obfuscated JavaScript to deploy a remote-execution backdoor on Windows systems.

The findings, published by Acronis Threat Research Unit (TRU) today, show that attackers relied on an open-source obfuscation tool to conceal core logic, suppress debugging, and evade static analysis when delivering legitimate-looking installers for browsers, PDF editors, manual readers, and video games.

“Users see a seemingly legitimate application name that they might use daily, increasing trust and making them more likely to install and run the software,” wrote Acronis researchers Darrel Virtusio and Jozsef Gegeny.

The researchers said they partially deobfuscated two scripts from this campaign, recovering portions of the underlying logic. Variable and function names remained scrambled, and one sample showed significantly deeper obfuscation than the other. Both samples wrote console output to a log file and manipulated Windows registry keys to generate a unique machine identifier for device fingerprinting.

The two variants also contacted hard-coded command-and-control (C2) servers to send encrypted telemetry, including event names, session identifiers and machine IDs. Each sample demonstrated remote code-execution capabilities.

Pivoting from the domains api[.]mxpanel[.]com and api[.]mixpnl[.]com revealed a wider ecosystem of malicious binaries, Acronis said. Many were signed by newly formed shell companies (such as Stratus Core Digital LLC and DataX Engine LLC) and mimicked legitimate applications while following the same execution chain.
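The two C2 domains above are the only network indicators the article names, and the most direct use a defender can make of them is to search resolver or proxy logs for lookups of those hosts (and any subdomains of them). The following is an added example, not code from Acronis or from the report: it refangs the defanged indicators, normalizes query names (trailing dot, case) and matches them against constructed sample DNS log lines. The log format and client addresses are invented for illustration; only the two domains come from the page.

```python
import re

# Defanged indicators exactly as the article quotes them from the Acronis report.
DEFANGED_C2_DOMAINS = ["api[.]mxpanel[.]com", "api[.]mixpnl[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('api[.]example[.]com', 'hxxp://') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}

# Constructed sample resolver log (assumed format, not from the report), one query per line.
# The api.mixpanel.com line is a deliberately similar but different name that must NOT match.
SAMPLE_DNS_LOG = """\
2025-11-19T10:00:01Z client=10.0.0.15 query=api.mxpanel.com type=A
2025-11-19T10:00:02Z client=10.0.0.15 query=api.mixpanel.com type=A
2025-11-19T10:00:03Z client=10.0.0.22 query=updates.example.org type=AAAA
2025-11-19T10:00:04Z client=10.0.0.22 query=API.MIXPNL.COM. type=A
2025-11-19T10:00:05Z client=10.0.0.31 query=cdn.api.mxpanel.com type=A
"""

# Assumed log layout: key=value pairs; we only need the client and the queried name.
QUERY_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def normalize_qname(qname: str) -> str:
    """Strip the trailing root dot and lower-case so comparisons are exact."""
    return qname.rstrip(".").lower()


def matches_c2(qname: str, c2_domains=C2_DOMAINS) -> bool:
    """True if the queried name is one of the C2 domains or a subdomain of one.

    Matching on the full indicator (not just 'mxpanel.com') keeps look-alike
    legitimate names from producing false positives.
    """
    q = normalize_qname(qname)
    return any(q == d or q.endswith("." + d) for d in c2_domains)


def find_c2_queries(log_text: str, c2_domains=C2_DOMAINS):
    """Return (client, queried_name) for every log line that resolves a C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a query
        if matches_c2(m["qname"], c2_domains):
            hits.append((m["client"], normalize_qname(m["qname"])))
    return hits


if __name__ == "__main__":
    for client, qname in find_c2_queries(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {client}: {qname}")
```

Run against the constructed sample, the script flags the two clients that resolved the named hosts plus the subdomain lookup, and ignores the similar-looking name on the second line; in practice the same function can be pointed at exported resolver or proxy logs with the regular expression adjusted to the real field layout.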

Attack Motivations and Prevention Strategies

Acronis’ telemetry data indicates that the majority of victims linked to this campaign were located in the Americas, with approximately 80% situated in the United States and the remaining 20% distributed across various other countries.

Countries affected by this campaign. Credit: Acronis.

The cybersecurity experts outlined several possible motivations, including initial access for resale, credential and data theft, particularly affecting healthcare organizations, and preparatory stages for ransomware. Opportunistic espionage also remained plausible if attackers encountered high-value systems.

Acronis said it first observed this campaign in June 2025, but signs pointed to earlier activity during the year. By late 2025, operators were observed shifting from long-validity certificates and domain-generated hostnames to short-lived certificates and human-readable domains, which suggests continued adaptation to defensive pressure.

“Even software bearing valid digital signatures can be malicious. Attackers can exploit the inherent trust that users place in signed applications to distribute stealthy malware, bypass traditional defenses and gain persistence on systems,” wrote Virtusio and Gegeny.

“This underscores that digital signatures alone are not a guarantee of safety, and organizations must implement additional layers of security, vigilance and user awareness to detect and mitigate threats effectively.”