Do you care about this?
A new report reveals that the TamperedChef malware campaign tricks users into downloading malicious installers disguised as legitimate software. The attackers use social engineering techniques and compromised code-signing certificates to deliver a JavaScript backdoor that enables remote access and control. Affected sectors include healthcare, construction, and manufacturing, with a concentration of infections in the U.S.
If you do, here's more
Threat actors are running a global malvertising campaign named TamperedChef, tricking users into downloading malware disguised as legitimate software installers. The attackers exploit social engineering tactics, using familiar application names and malvertising techniques to lure victims. They also use Search Engine Optimization (SEO) and abused digital certificates from shell companies in the U.S., Panama, and Malaysia to enhance the perceived legitimacy of their malicious software. The campaign is ongoing, with new malware artifacts and infrastructure regularly detected.
The malware, also referred to as BaoLoader by some cybersecurity firms, is designed to establish remote access to infected systems. After a user downloads and executes the installer, it drops an XML file that creates a scheduled task to run an obfuscated JavaScript backdoor. This backdoor communicates with an external server, sending sensitive information like session and machine IDs in an encrypted format.
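As an added example (not code from the report or from this article), the following Python snippet inspects a Windows Task Scheduler XML definition and flags Exec actions that launch a script host (wscript, cscript, mshta) against a script file, which is the persistence pattern described above. The task XML, file paths and script names are constructed for illustration; on a live system the definitions under C:\Windows\System32\Tasks would be read as bytes instead.

```python
import re
import xml.etree.ElementTree as ET

# XML namespace used by Windows Task Scheduler task definition files.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts capable of executing a JavaScript-style payload from a task action.
SCRIPT_HOSTS = ("wscript", "cscript", "mshta")
# Script file extensions worth flagging when passed to one of those hosts.
SCRIPT_EXTS = re.compile(r"\.(js|jse|wsf|vbs|hta)\b", re.IGNORECASE)


def task_actions(xml_text):
    """Return (command, arguments) pairs for every <Exec> action in a task definition."""
    root = ET.fromstring(xml_text)
    pairs = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        pairs.append((cmd, args))
    return pairs


def is_suspicious(cmd, args):
    """True when the action runs a script host and references a script file."""
    host = cmd.lower().rsplit("\\", 1)[-1].replace(".exe", "")
    return host in SCRIPT_HOSTS and bool(SCRIPT_EXTS.search(cmd + " " + args))


def find_script_tasks(xml_text):
    """Return the suspicious (command, arguments) pairs found in one task definition."""
    return [(c, a) for c, a in task_actions(xml_text) if is_suspicious(c, a)]


# Constructed sample: a logon-triggered task that runs a JavaScript file via wscript.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B //E:jscript "C:\\Users\\Public\\updater.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: an ordinary executable with no script host involved.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Windows\\System32\\notepad.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for hit in find_script_tasks(SAMPLE_TASK):
        print("suspicious task action:", hit)
```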
The campaign has notably affected industries like healthcare, construction, and manufacturing, which often rely on online searches for product manuals, an entry point for the attackers. Significant infection rates have been reported primarily in the U.S., with additional cases in Israel, Spain, Germany, India, and Ireland. The motivations behind the malware range from advertising fraud to potentially selling access to other cybercriminals or harvesting sensitive data for financial gain.