{"id":8211,"date":"2025-10-03T09:00:00","date_gmt":"2025-10-03T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/?post_type=lab_item&#038;p=8211"},"modified":"2026-05-22T14:24:52","modified_gmt":"2026-05-22T13:24:52","slug":"tamperedchef","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/tamperedchef\/","title":{"rendered":"TamperedChef: Malvertising to Credential Theft"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    TamperedChef: Malvertising to  <span class=\"blue-text\">Credential Theft<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Identity security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Software Protection                                    <\/span>\n                                        
                            <span class=\"wp-component-content__meta-category\">\n                                        Threat intelligence                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                03 October, 2025                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/tamperedchef\/&#038;title=TamperedChef:%20Malvertising%20to%20Credential%20Theft\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=TamperedChef: Malvertising to Credential Theft&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/tamperedchef\/\" target=\"_blank\" rel=\"noreferer noopener\" 
class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                            <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-768x512.jpg.webp 
768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_f2905d03ccb0758b6630a5c87e404cf8\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n       
             <h3 class=\"wp-component-author-card__name\">Bert Stepp\u00e9<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Content navigation            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    Select a section                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                     
       <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/tamperedchef\/&#038;title=TamperedChef:%20Malvertising%20to%20Credential%20Theft\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=TamperedChef: Malvertising to Credential Theft&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/tamperedchef\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <h2>Executive Summary<\/h2>\n<p>TamperedChef is a sophisticated malware campaign that leveraged a convincing advertising campaign strategy and a fully functional decoy application to target European organizations. 
Disguised as a legitimate application such as a PDF editor, the malware operated with expected functionality for nearly two months before activating its payload to harvest browser credentials, impacting a significant number of systems.<\/p>\n<p>This campaign demonstrates how even well-defined organizations can be compromised by convincing, legitimate-looking software. The consequences are severe: credential theft, potential backdoor access, and the need for full remediation. Organizations must act quickly to identify and remove this threat.<\/p>\n<p>This post shares new insights uncovered by WithSecure\u2019s Strategic Threat Intelligence &amp; Research Group (STINGR), based on our unique visibility through telemetry into affected environments.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/tamperedchef-world.jpg.webp\" alt=\"\" \/><\/figure>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/tamperedchef-eu-focus.jpg.webp\" alt=\"\" \/><\/figure>\n<h2>About AppSuite PDF Editor<\/h2>\n<p>A typical infection flow began when a user searching for a free PDF editor encountered a malicious ad campaign. Clicking the ad redirected them to a download site controlled by the threat actors, where they downloaded and executed a Microsoft Installer (MSI) package. 
The installer displayed a EULA acceptance dialog, which made the app appear more legitimate and helped it evade some automated security checks, such as automatic detonation in certain sandbox environments.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/eula-dialog.png.webp\" alt=\"\" \/><\/figure>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/eula-dialog-fr.png.webp\" alt=\"\" \/><\/figure>\n<p>Clicking the Accept button was the final required user interaction; from there, the MSI downloaded the application installer from vault[.]appsuites[.]ai. This installer, built using NSIS (Nullsoft Scriptable Install System), installed the app under %USERPROFILE% and created persistence by adding an autorun registry entry to launch the app at logon. Notably, the installation required no admin rights, making it effective in business environments with restricted privileges.<\/p>\n<p>AppSuite PDF Editor is written in NodeJS and packaged as an Electron app. Its main executable, \u201cPDF Editor.exe\u201d, functions as a full-featured Chromium-based browser, executing bundled JavaScript. The malicious payload resides in:<\/p>\n<ul>\n<li>pdfeditor.js: The main, heavily obfuscated JavaScript file, responsible for both the limited UI and the malicious activity. 
Most PDF editing functionality is delivered via web content from pdf-tool[.]appsuites[.]ai, meaning the app does not work offline.<\/li>\n<li>Utilityaddon.node: A custom NodeJS module (native x64 DLL) used to create\/delete registry entries and scheduled tasks, and more.<\/li>\n<\/ul>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/utilityaddon.png.webp\" alt=\"\" \/><\/figure>\n<h2>The Attacker&#8217;s Response<\/h2>\n<p>When the malicious payload embedded in pdfeditor.js was activated on August 21, 2025, and began stealing browser credentials, the campaign\u2019s true intent was exposed. The threat actors quickly responded by releasing new, \u201cclean\u201d versions of the app (1.0.40 and 1.0.41) just days later, with all malicious JavaScript code removed and the code no longer obfuscated. However, the app continued to connect to attacker-controlled infrastructure, so its use remains strongly discouraged.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/no-obf.png.webp\" alt=\"\" \/><\/figure>\n<h2>The Abandoned: &#8220;AppSuite Print&#8221;<\/h2>\n<p>During our investigation, we found a similar decoy app called AppSuite Print. It was built and signed around the same time as the PDF Editor, on May 20, 2025. It uses an obfuscated JavaScript file named appsuite-print.js, which loads content from hxxps:\/\/pdf-tool[.]appsuites[.]ai\/en\/print. The executable files are signed by &#8216;ECHO INFINI SDN. BHD.&#8217;, the same certificate used in some versions of the PDF Editor. Technically, it was almost identical, but we found no evidence of its deployment among our customers. 
It appears the attackers abandoned this variant, likely due to lower demand for a print utility.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/print-dir.png.webp\" alt=\"\" \/><\/figure>\n<h2>The Successor: &#8220;S3-Forge&#8221;<\/h2>\n<p>Shortly after the malicious payload was activated, the true intention of AppSuite PDF Editor became evident. As a result, defenders began detecting and blocking the application, rendering it useless for the threat actor. The attackers quickly pivoted and, based on shared code artifacts and development patterns observed in previous campaigns, their next decoy project appears to be an early-stage application named S3-Forge.<\/p>\n<p>S3-Forge builds directly on the PDF Editor concept but remains under active development. Several artifacts in the codebase continue to reference PDF Editor, and none of the executables are signed. The main window resembles the PDF Editor interface but connects to a different domain (freeonlinetools[.]info), and the application continues to use the original PDF Editor icon.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/s3main1.png.webp\" alt=\"\" \/><\/figure>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/remants-of-tempered-chef.png.webp\" alt=\"\" \/><\/figure>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/current-config.png.webp\" alt=\"\" \/><\/figure>\n<p>The S3-Forge binary is unsigned, likely because the project is still in early development. 
The \u201c--cm\u201d command-line argument is also present in S3-Forge, as in PDF Editor, where it serves as the primary mechanism to enable malicious capabilities.<\/p>\n<figure><img decoding=\"async\" class=\"wp-component-image\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/command-line-arg-present-in-new-file.png.webp\" alt=\"\" \/><\/figure>\n<p>S3-Forge currently contains no malicious code; we suspect this is because the application is still under development and the threat actor is testing its various components. The threat actor\u2019s decoy strategy is also unclear at this point. The &#8220;S3&#8221; name might refer to a car model, but it is more likely a reference to Amazon Web Services (AWS) cloud storage, suggesting a possible shift toward targeting software developers. Most observed S3-Forge installers are NuGet packages built by Squirrel (an open-source installation and update framework), indicating experimentation with new distribution methods. In addition to this, Utilityaddon.node and the application\u2019s supporting scripts have been bundled into app.asar, making them less straightforward to detect.<\/p>\n<p>The first known version of S3-Forge was uploaded to VirusTotal on August 26, 2025, just one day after the \u201cde-weaponized\u201d update of PDF Editor.<\/p>\n<h2>Conclusions &amp; Recommendations<\/h2>\n<p>The TamperedChef campaign demonstrates a high level of planning and execution. The attackers obtained code-signing certificates, developed legitimate-looking applications, and ran a targeted ad campaign to maximize installations. The impact is significant: anyone who installed AppSuite PDF Editor should assume their browser-stored credentials were compromised.<\/p>\n<p>Given the campaign\u2019s success, it is likely the attackers will attempt similar tactics in the future, and other threat actors may follow suit. 
To protect against these threats:<\/p>\n<ul>\n<li>Avoid installing software promoted via advertisements. Always use reputable sources.<\/li>\n<li>In business environments, only install pre-approved applications.<\/li>\n<li>Invalidate sessions and rotate credentials for affected users.<\/li>\n<li>Disable browser password stores where feasible. Enforce password managers with policy.<\/li>\n<\/ul>\n<p>Special thanks to Elias Koivula and Jeremy Ong for their contributions to the investigation.<\/p>\n<h2>Detection<\/h2>\n<p>WithSecure products detect and block TamperedChef via a combination of generic and specific signatures, including but not limited to:<\/p>\n<ul>\n<li>Trojan:W32\/TamperedChef.A*<\/li>\n<li>Backdoor.BDS\/AVI.Agent.*<\/li>\n<li>Trojan.TR\/AVI.Agent.*<\/li>\n<\/ul>\n<p>Indicators of Compromise (IOCs)<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/WithSecureLabs\/iocs\/tree\/master\/TamperedChef\" target=\"_blank\" rel=\"noopener\">iocs\/TamperedChef at master \u00b7 WithSecureLabs\/iocs<\/a><\/li>\n<\/ul>\n<h2>References<\/h2>\n<ul>\n<li>https:\/\/www.truesec.com\/hub\/blog\/tamperedchef-the-bad-pdf-editor<\/li>\n<li>https:\/\/heimdalsecurity.com\/blog\/heimdal-tamperedchef-investigation\/<\/li>\n<li>https:\/\/expel.com\/blog\/you-dont-find-manualfinder-manualfinder-finds-you\/<\/li>\n<li>https:\/\/www.gdatasoftware.com\/blog\/2025\/08\/38257-appsuite-pdf-editor-backdoor-analysis<\/li>\n<\/ul>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n   
                     <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/tamperedchef\/&#038;title=TamperedChef:%20Malvertising%20to%20Credential%20Theft\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=TamperedChef: Malvertising to Credential Theft&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/tamperedchef\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                        <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-cta-banner edwp-block js-wp-block-cta-banner wp-block-cta-banner--style-icon wp-block-cta-banner--no-image layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cta-banner__container\">\n        <div class=\"wp-block-cta-banner__box row-load\">\n            <div class=\"wp-component-content wp-component-content--help-text wp-component-content--dark wp-block-cta-banner__content\">\n                        <div class=\"wp-component-content__inner\">\n                <h2 class=\"wp-component-heading text--h2 wp-component-heading--dark wp-component-content__title\">\n    What <span class=\"blue-text\">next?<\/span><\/h2>                                    <div 
class=\"wp-component-content__content wysiwyg wysiwyg--dark\">\n                        <div class=\"wp-component-paragraph wp-component-paragraph--dark\">\n    <p class=\"text--p-medium\">Discover WithSecure\u2122 Elements Exposure Management.<br \/>\n&#8211; No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n                    <\/div>\n                            <\/div>\n                            <div class=\"wp-component-content__buttons\">\n                <a class=\"wp-component-button btn btn--primary btn--dark\" href=\"https:\/\/www.withsecure.com\/en\/contact-us\/\">Contact us<\/a>            <\/div>\n                <\/div>                    <\/div>\n    <\/div>\n<\/section>\n\n\n\n\n<section\n    class=\"wp-block-cards edwp-block wp-block-cards--col-3 js-wp-block-cards wp-block-cards--show-overflow wp-block-cards--auto-slides-per-view layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cards__container\">\n        <div class=\"wp-component-content wp-component-content--default wp-block-cards__content\">\n            <h2 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Related <span class=\"blue-text\">Labs content<\/span><\/h2>                    <div class=\"wp-component-content__inner\">\n                                    <div class=\"wp-component-content__content wysiwyg\">\n                        <div class=\"wp-component-paragraph \">\n    <p class=\"text--p-medium\"><span data-teams=\"true\">Find related content relating to this topic.<\/span><\/p>\n<\/div>\n                    <\/div>\n                                                            <\/div>\n                <\/div>                            <div\n                class=\"swiper wp-block-cards__swiper js-wp-block-cards-swiper\"\n                data-slides-per-view-desktop=\"auto\"\n                data-slides-per-view-tablet=\"auto\"\n                data-slides-per-view-mobile=\"auto\"\n            
>\n                <div class=\"swiper-wrapper wp-block-cards__swiper-wrapper row-load\">\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations<\/h3>\n                                    <p 
class=\"wp-component-card-insight__read-time\">15<\/p>\n                                    <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/greyvibe\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                            <h3 class=\"wp-component-card-insight__title\">WithSecure uncovers Russia-nexus threat group using AI to target Ukraine and European organisations<\/h3>\n                                                    <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" 
href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/10919\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat 
intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/darkgate-rises\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>TamperedChef is a sophisticated malware campaign that leveraged a convincing advertising campaign strategy and a fully functional decoy application to target European 
organizations.<\/p>\n","protected":false},"author":3,"featured_media":8857,"template":"","categories":[270,231,269],"labs_content_type":[299],"class_list":["post-8211","lab_item","type-lab_item","status-publish","has-post-thumbnail","hentry","category-identity-security","category-software-protection","category-threat-intelligence"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news.jpg 1200w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news-300x200.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news-1024x683.jpg 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news-768x512.jpg 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news-447x298.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news-219x146.jpg 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Identity security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat 
intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">TamperedChef: Malvertising to Credential Theft<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">TamperedChef is a sophisticated malware campaign that leveraged a convincing advertising campaign strategy and a fully functional decoy application to target European organizations.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/tamperedchef\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item\/8211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/users\/3"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media\/8857"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media?parent=8211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/categories?post=8211"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/labs_content_type?post=8211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}