
Using steganography for its communications, Tampered Chef demonstrates how a seemingly legitimate app can hide instructions inside otherwise ordinary network traffic.
Tampered Chef is an Electron (Node.js)-based threat designed to process steganographic content that delivers arbitrary JavaScript code alongside legitimate content. The threat uses this steganographic content to deliver commands that stop Google Chrome processes, restart Chrome so that it visits arbitrary pages, and change the default search engine or new tab page to adversary-controlled websites.
The first iteration of Tampered Chef, observed by Red Canary in June 2025, posed as a “RecipeLister” application that leveraged the legitimate open-source TheMealDB API to deliver recipes in an attractive interface.
As we analyzed the RecipeLister application, we uncovered behavior showing that Tampered Chef’s command and control server did serve legitimate recipes, but the recipe content was mixed together with steganographic content.
An example entry that we observed during analysis appeared as:
"meals": [
  {
    "idMeal": "53067",
    "strMeal": "Stuffed Bell Peppers with Quinoa and Black Beans",
    "strMealAlternate": "\u200c\u200b\u200c\u200c...\u200b\u200c\u200c\u200b\u200b\u200b\u200c",
    "strCategory": "Vegetarian",
    ...
    "strIngredient4": "Garlic\u200b\u200c\u200c\u200b\u200c...\u200c\u200b",
    "strIngredient5": "Quinoa",
    ...
    "strImageSource": "",
    "strCreativeCommonsConfirmed": "",
    "dateModified": ""
  }
]
During execution, the RecipeLister application decoded the invisible \u200b (zero-width space) and \u200c (zero-width non-joiner) characters into arbitrary JavaScript that ran in Node.js. While this didn’t occur often in our data, community malware analysts noted that Tampered Chef would eventually cause the Chrome web browser to spawn and visit arbitrary web pages, possibly also triggering search engine installation and new tab page changes.
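As an added example (this is not Tampered Chef’s code, nor code from Red Canary), the following Node.js script shows how a zero-width-character channel of this kind works end to end, and how a defender can spot it in an API response. The specifics are assumptions, because the page does not document the actual scheme: U+200B is treated as bit 0 and U+200C as bit 1, bytes are packed 8 bits MSB-first, and the payload is concatenated across string fields in key order. The sample "meal" object is constructed here to mirror the strMealAlternate / strIngredient4 layout shown above.

```javascript
// Added example, not code from Tampered Chef or Red Canary: a Node.js
// encoder/decoder for zero-width-character steganography, plus a detector.
// ASSUMPTIONS (the real scheme is not documented on this page): U+200B = bit 0,
// U+200C = bit 1, bytes are 8 bits MSB-first, payload is UTF-8 text, and the
// carrier characters are concatenated across string fields in key order.
const ZERO = '\u200b'; // ZERO WIDTH SPACE
const ONE = '\u200c';  // ZERO WIDTH NON-JOINER

// Encode text as a run of zero-width characters (used here only to build sample data).
function encodeZeroWidth(text) {
  let out = '';
  for (const byte of Buffer.from(text, 'utf8')) {
    for (let i = 7; i >= 0; i--) out += (byte >> i) & 1 ? ONE : ZERO;
  }
  return out;
}

// Keep only the two carrier characters, in order; all visible text is dropped.
function extractZeroWidth(value) {
  return Array.from(value).filter((c) => c === ZERO || c === ONE).join('');
}

// Turn a run of carrier characters back into bytes, then into UTF-8 text.
// Trailing bits that do not fill a whole byte are ignored.
function decodeZeroWidth(zw) {
  const bytes = [];
  for (let i = 0; i + 8 <= zw.length; i += 8) {
    let byte = 0;
    for (let j = 0; j < 8; j++) byte = (byte << 1) | (zw[i + j] === ONE ? 1 : 0);
    bytes.push(byte);
  }
  return Buffer.from(bytes).toString('utf8');
}

// What a loader like RecipeLister would do with one "meal" object: gather the
// carrier characters from every string field and decode them. The malware then
// executes the result as JavaScript; this example only returns the string.
function collectHiddenPayload(meal) {
  let carrier = '';
  for (const value of Object.values(meal)) {
    if (typeof value === 'string') carrier += extractZeroWidth(value);
  }
  return decodeZeroWidth(carrier);
}

// Defender side: flag string fields that carry an unusual number of zero-width
// characters. Ordinary English API text should contain none.
function findZeroWidthFields(meal, minChars = 8) {
  const hits = [];
  for (const [field, value] of Object.entries(meal)) {
    if (typeof value !== 'string') continue;
    const count = extractZeroWidth(value).length;
    if (count >= minChars) hits.push({ field, zeroWidthChars: count });
  }
  return hits;
}

// Constructed sample: a benign statement hidden across two fields, mirroring the
// strMealAlternate / strIngredient4 layout seen in the RecipeLister response.
const HIDDEN_JS = "console.log('hello from the recipe')";
const encoded = encodeZeroWidth(HIDDEN_JS);
const half = encoded.length / 2; // 36 bytes -> 288 carrier chars, split 144/144
const sampleMeal = {
  idMeal: '53067',
  strMeal: 'Stuffed Bell Peppers with Quinoa and Black Beans',
  strMealAlternate: encoded.slice(0, half),
  strCategory: 'Vegetarian',
  strIngredient4: 'Garlic' + encoded.slice(half),
  strIngredient5: 'Quinoa',
  strImageSource: '',
};

console.log('suspicious fields:', findZeroWidthFields(sampleMeal));
console.log('decoded payload  :', JSON.stringify(collectHiddenPayload(sampleMeal)));
```

Run it with `node`; it reports strMealAlternate and strIngredient4 as suspicious and recovers the hidden statement without executing it. The same per-field count can be applied to JSON bodies captured at a proxy. Keep the threshold in mind when tuning: U+200C has legitimate uses in Persian and several Indic scripts, so an isolated occurrence is not evidence, whereas a run of dozens in an English recipe field is.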
The steganographic content tactic extended into a new Tampered Chef campaign in September 2025 with a new fake application named “Calendaromatic.” Additional analysis published by Guidepoint Security showed the application again used invisible characters for steganography in a slightly different scheme from the original RecipeLister campaign.
Code snippet courtesy of Guidepoint Security
There is no apparent targeting for Tampered Chef installations; the threat is opportunistic and has been observed across many organizations in many industries.
Readers should note that Red Canary scopes its Tampered Chef observations narrowly to RecipeLister and Calendaromatic. Other public reporting has tied Tampered Chef to additional threats like JustAskJacky, AppSuite, and Browser Assistant. We track Tampered Chef separately from these threats because we’ve observed specific steganography use in Tampered Chef that was not present in the other apps. We’re not the only ones, either, as Expel has taken a similar approach.
Preventing Tampered Chef from executing can be difficult: it does not require administrator privileges to run, and it does not always exhibit the behaviors that make Chrome browsers visit web pages. Generic IT hygiene steps such as implementing advertisement blocking, providing safe locations for software downloads, and maintaining an approved software list can make installation of Tampered Chef less likely by users seeking applications.
Organizations that want to specifically block known Tampered Chef instances can implement application control solutions that block by digital signature. For this threat, organizations can block executables signed by CROWN SKY LLC and Global Tech Allies ltd. Because signing identities can change between campaigns, pair signer-based blocking with the domain and hash indicators used for detection.
Red Canary detects Tampered Chef using intelligence indicators rather than specific behavioral analytics, because the most consistent behavior seen from Tampered Chef was connecting to specific domains. The indicators include domains and file hashes observed during execution.