TamperedChef Malware Research
Research notes related to TamperedChef-style malware and PUA behavior, including installer chains, browser/search hijacking, persistence, scheduled tasks, and related detection opportunities.
Luke Acha possibly made the first known use of the name "Tampered Chef" in relation to malware (RecipeLister), in a post on June 6, 2025 on X and on blog.lukeacha.com.
Related Files: RecipeLister, Calendaromatic.
Related Note: The name has evolved to include malicious apps related to EvilAI, YAPA, and possibly HydraSeven (DocuFlex shares a signing cert with CreateMyGif, which has some hits on public YARA rules).
May 2026 article on TamperedChef with related app names
Research Focus
- Installer and updater behavior: analysis focus includes installer/updater components, staged payloads, persistence methods, scheduled tasks, and configuration files.
- Browser and search hijacking: TamperedChef-related activity may involve changes to browser settings, extension behavior, search provider manipulation, or unwanted traffic redirection.
- Detection opportunities: useful hunting areas include scheduled task parameters, browser modification artifacts, file paths, registry changes, domains, and installer metadata.
- Related blog posts: TamperedChef-related writeups and follow-on research can be found through the blog label page.