CYBERSECURITY | Malvertising campaign hits multiple countries as Sophos unveils new workspace security

Cybersecurity firm Sophos warned this week that a large-scale malvertising campaign spreading information-stealing malware has infected systems across multiple countries, even as the company announced a new security product aimed at tightening protection in browser-based work environments.

Sophos said its threat research team identified a campaign dubbed “TamperedChef” that used Google Ads to distribute a trojanized PDF editing application that appeared legitimate but secretly installed an infostealer on Windows devices. The company said the activity began around June 26, 2025, and affected more than 100 customer systems before detection and response efforts began.

According to telemetry from Sophos, the highest concentration of infections was recorded in Germany, the United Kingdom and France, although the company said the campaign showed global reach, with victims identified in 19 countries. Affected organizations spanned multiple industries, particularly those that rely heavily on specialized technical equipment, where employees frequently search online for manuals and documentation.

Researchers said the attackers used advanced techniques, including delayed activation, decoy software, staged payload delivery, abuse of code-signing certificates and methods designed to evade endpoint protection. Sophos said users who installed the malicious AppSuite PDF Editor should assume that credentials stored in their browsers were compromised.

“The adversaries behind this campaign leveraged targeted advertising and convincing software to achieve scale,” Sophos said, warning that malvertising remains an effective infection vector likely to be reused by other threat actors.

The disclosure comes as Sophos announced the launch of Sophos Workspace Protection, a browser-centric security offering designed to secure hybrid and remote work environments and provide visibility into employee use of applications and AI tools. The product is built around the Sophos Protected Browser, powered by Island, and is managed through the Sophos Central platform.

Sophos said the new offering is intended to reduce reliance on complex Secure Access Service Edge and Security Service Edge deployments by embedding security controls directly into the workspace where users operate. The company said the approach gives organizations visibility into so-called shadow IT and shadow AI usage, allowing them to assess risk and govern data access within the browser.

“Security teams are increasingly impacted by complexity as hybrid work and AI tools expand the workspace,” said Mike Jude, research director at IDC, who described the product as a shift toward endpoint- and browser-centric security.

Sophos Workspace Protection includes a secure enterprise browser, zero-trust network access, DNS-based web protection and an email monitoring add-on for cloud email platforms. Sophos said customers and partners will be able to access the product starting in February 2026.

The company said recent campaigns such as TamperedChef underscore the need for tighter controls over software installation and browser activity, particularly as employees increasingly rely on web-based tools for daily work.


by TechSabado.com editors