September 26, 2025

Potentially Unwanted Applications (PUAs) weaponized for covert delivery

Executive summary

On September 22, 2025, during the analysis of a potentially unwanted application (PUA) flagged by Microsoft Defender as malicious, Field Effect uncovered a broader malware distribution campaign leveraging digitally signed binaries, deceptive packaging, and browser hijackers.

The campaign centers around two malicious applications:

  • ImageLooker.exe
  • Calendaromatic.exe

Both applications were probably delivered via self-extracting 7-Zip archives designed to bypass standard security controls. Following further research, we found that these artifacts align with the previously reported TamperedChef malware campaign, which uses trojanized productivity tools to gain initial access and exfiltrate sensitive data.

It's important to note that PUAs, that is, software that may not be overtly malicious but behaves intrusively, can serve as effective delivery mechanisms for more serious threats.

Details

The investigation began on September 22, 2025, with binaries signed by CROWN SKY LLC. This signer has been previously associated with Calendaromatic.exe, an unassuming desktop application designed to look like a calendar tool.

An open-source research report, dated September 17, 2025, linked that executable to an advanced campaign leveraging modern application frameworks and covert channels to deliver malware. The file used in the campaign was a 7-Zip archive packaged as an executable (.exe) that can extract its contents automatically when run.

Our team identified an ImageLooker executable, also signed by CROWN SKY, which used a similar self-extracting 7-Zip packaging method. Upon execution, ImageLooker.exe contacted movementxview[.]com, a domain not previously linked to Calendaromatic.

The executables are built using NeutralinoJS, a lightweight desktop framework that allows execution of arbitrary JavaScript code. The malware was distributed via deceptive advertising and search engine manipulation. It uses Unicode homoglyphs to encode and execute hidden payloads, bypassing traditional detection mechanisms.

Calendaromatic has been linked to the TamperedChef campaign by the malware sample repository MalwareBazaar. TamperedChef uses multiple digital signers and PUAs to redirect traffic, alter browser settings, and facilitate malware downloads.

Further investigation revealed a broader set of suspicious signing publishers associated with TamperedChef-linked binaries. These include:

  • LIMITED LIABILITY COMPANY APPSOLUTE
  • CROWN SKY LLC
  • OneStart Technologies LLC
  • Sunstream Labs (Capital Intellect Inc.)
  • Echo Infini Sdn. Bhd.
  • GLINT SOFTWARE SDN. BHD.
  • SPARROW TIDE LTD
  • TECHNODENIS LTD
  • INCREDIBLE MEDIA INC
  • Global Tech Allies Ltd

These publishers have been observed signing binaries that exhibit similar packaging, behavior, and infrastructure overlap with known TamperedChef artifacts and/or similar malicious activity.

Many of these publishers have previously been implicated in malicious activity involving trojanized productivity tools, browser hijackers, and residential proxy abuse. Their presence across multiple samples suggests either a shared malware-as-a-service provider or a code-signing marketplace that facilitates broad distribution.
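One way to act on the publisher list above is to check the Authenticode signer of executables in the locations where the report's samples were found. This is an added example, not tooling from Field Effect or the report; the scan roots and the substring match on the certificate subject are assumptions to adapt to your environment.

```powershell
# Added example (not from the Field Effect report): flag executables whose
# Authenticode signer matches a publisher named in the report.
$SuspiciousPublishers = @(
    'LIMITED LIABILITY COMPANY APPSOLUTE', 'CROWN SKY LLC', 'OneStart Technologies LLC',
    'Sunstream Labs', 'Capital Intellect Inc', 'Echo Infini Sdn. Bhd.',
    'GLINT SOFTWARE SDN. BHD', 'SPARROW TIDE LTD', 'TECHNODENIS LTD',
    'INCREDIBLE MEDIA INC', 'Global Tech Allies Ltd'
)

# Assumed scan roots: the report's samples lived under Downloads and
# %LOCALAPPDATA%\Temp\7ZipSfx.000; widen this list as needed.
$ScanRoots = @("$env:USERPROFILE\Downloads", $env:LOCALAPPDATA)

Get-ChildItem -Path $ScanRoots -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($null -eq $sig.SignerCertificate) { return }   # unsigned: out of scope for this check
        $subject = $sig.SignerCertificate.Subject           # e.g. "CN=..., O=..., C=..."
        foreach ($pub in $SuspiciousPublishers) {
            # Case-insensitive substring match; a Valid status does not make the file benign here
            if ($subject -like "*$pub*") {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Publisher = $pub
                    Subject   = $subject
                    Status    = $sig.Status
                    SHA256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                }
                break
            }
        }
    } | Format-Table -AutoSize
```

Compare the SHA256 column against the hashes in the IOC section; a match on publisher alone is a lead to triage, not a verdict.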

Tactics, techniques, and procedures (TTPs)

The threat actors behind the Calendaromatic and ImageLooker malware employed deceptive software packaging and digital code signing to bypass user trust and endpoint defenses.

Both malware variants were delivered as self-extracting 7-Zip archives, possibly exploiting CVE-2025-0411 to evade Windows’ Mark of the Web protections. This allowed the binaries to execute without triggering SmartScreen or other reputation-based controls. The use of signed binaries further reduced noise during execution and increased the likelihood of user interaction.

Once executed, the malware established persistence through scheduled tasks and registry modifications, using command-line flags such as:

  • --install
  • --enableupdate
  • --fullupdate
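The following added example (not from the report or Field Effect) shows one way to hunt for that persistence on a host: it searches scheduled task actions and the common Run/RunOnce keys for the three flags. The set of registry keys is an assumption; the script reports and removes nothing.

```powershell
# Added example (not from the Field Effect report): find scheduled tasks and Run-key
# entries whose command line carries the flags observed in the campaign.
$Flags   = @('--install', '--enableupdate', '--fullupdate')
$Pattern = ($Flags | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits    = @()

# 1. Scheduled tasks: each action exposes the executable and its arguments.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match $Pattern) {
            $hits += [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = $cmd
            }
        }
    }
}

# 2. Run/RunOnce keys for the machine and the current user (assumed key set).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        if ("$($p.Value)" -match $Pattern) {
            $hits += [pscustomobject]@{
                Source  = 'RunKey'
                Name    = "$key\$($p.Name)"
                Command = "$($p.Value)"
            }
        }
    }
}

$hits | Format-Table -AutoSize
```

These flag names are generic enough that other installers may use them, so pair a hit with the signer check and the IOC hashes before acting on it.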

The use of NeutralinoJS to execute JavaScript payloads and interact with native system APIs enabled covert file system access, process spawning, and network communication. The malware’s use of Unicode homoglyphs to encode payloads within seemingly benign API responses allowed it to bypass string-based detection and signature matching.

Network activity revealed outbound connections to domains such as calendaromatic[.]com and movementxview[.]com. These domains serve as command-and-control infrastructure and were contacted immediately upon execution.

The malware also exfiltrates browser data, including stored credentials and session information, indicating a focus on credential harvesting and reconnaissance. The presence of browser hijackers and PUAs like OneSearch in the same ecosystem suggests that adware infrastructure may have been repurposed to facilitate malware propagation and initial access.

The campaign’s reliance on a broad set of suspicious signing publishers could indicate a coordinated or shared distribution network. These publishers were observed signing binaries with similar packaging and behavioral traits, suggesting either a common provider or a marketplace for code-signing abuse.

Conclusion

The TamperedChef campaign illustrates how threat actors are evolving their delivery mechanisms by weaponizing potentially unwanted applications, abusing digital code signing, and deploying covert encoding techniques. These tactics allow malware to masquerade as legitimate software, bypass endpoint defenses, and exploit user trust.

The campaign likely leverages SEO poisoning alongside malvertising to drive unsuspecting users toward malicious downloads. It exploits common user behavior, such as clicking on sponsored search results or banner ads promising free utilities, to redirect victims to deceptive landing pages.

Threat actors manipulate search engine results by creating keyword-stuffed landing pages that rank highly for queries like “free PDF editor,” “calendar app for Windows,” or “image viewer download.” These pages often mimic legitimate software sites, complete with fake reviews, download counters, and trust badges.

The use of digitally signed binaries and self-extracting archives further reduces suspicion, allowing malware to masquerade as helpful utilities while bypassing reputation-based defenses.

PUAs may be installed without full user awareness and often perform intrusive actions such as displaying ads, collecting browsing data, or redirecting traffic. While not always classified as malware, their presence can degrade system performance and introduce serious security risks.

In this campaign, PUAs appear to have been used to propagate malware or broker initial access. Vigilance in software sourcing, endpoint monitoring, and certificate validation is essential to reducing exposure across unmanaged environments.

Mitigation recommendations

  • Block execution of self-extracting archives from untrusted sources using application control or endpoint protection rules.
  • Update 7-Zip to version 24.09 or later to prevent exploitation of CVE-2025-0411, which bypasses Windows’ Mark of the Web protections.
  • Monitor for binaries signed by suspicious publishers listed in this report.
  • Identify and remove PUAs and browser hijackers using endpoint protection platforms with PUA detection enabled.
  • Restrict installation of unsigned or unverified software via Group Policy or centralized application allowlisting.
  • Inspect registry entries and scheduled tasks for suspicious command-line flags like --install, --enableupdate, and --fullupdate.
  • Use network monitoring to detect outbound traffic to the malicious domains noted above.
  • Reset all user credentials on any host where Calendaromatic.exe or ImageLooker.exe was executed, including credentials stored in browsers.
  • Restore affected systems from a backup taken prior to malware installation, or perform a complete OS reinstallation to ensure full remediation.

Field Effect MDR mitigates tactics, techniques, and procedures similar to the ones used in this campaign by detecting and blocking malicious binaries (even those digitally signed or disguised as legitimate tools) via behavioral analytics, certificate reputation, and endpoint telemetry.

It monitors for suspicious command-line flags, registry changes, and outbound traffic to known C2 domains, while identifying PUAs and browser hijackers that may facilitate initial access. Endpoint, network, and cloud telemetry are integrated into a single dashboard, reducing blind spots exploited by covert malware.

Field Effect’s intelligence team correlates IOCs like file hashes, domains, and publisher names with known campaigns such as TamperedChef, enabling faster triage and response.

Indicators of compromise (IOCs)

Malware: calendaromatic.exe

Domains:

  • calendaromatic[.]com
  • iolenaightdecipien[.]org

Hashes:

  • calendaromatic-win_x64.exe
    • SHA256: 69934DC1D4FDB552037774EE7A75C20608C09680128C9840B508551DBCF463AD
    • Path: <USER_DIR>\AppData\Local\Temp\7ZipSfx.000\calendaromatic-win_x64.exe
  • Calendaromatic.exe
    • SHA256: E32D6B2B38B11DB56AE5BCE0D5E5413578A62960AA3FAB48553F048C4D5F91F0
    • Path: <USER_DIR>\Downloads\Calendaromatic.exe
  • 7ZSfxMod_x64.exe
    • SHA256: 497ED5BCA59FA6C01F80D55C5F528A40DAFF4E4AFDDFBE58DBD452C45D4866A3

Signing publisher:

  • CROWN SKY LLC

Malware: ImageLooker.exe

Domains:

  • movementxview[.]com

First-level dropper (ImageLooker.exe):

Hashes:

  • MD5: 5F9AF7C0324ABD475D33D149B20CEA2E
  • SHA1: 05F263F3CEC9B5D64345C76785EF1493E10D80FC
  • SHA256: A85D13A46213A83EC1910542AC42C9FC58C473B9FD0B1DDB68455CD617814C89

Signing publisher:

  • LIMITED LIABILITY COMPANY APPSOLUTE
    • First seen: 2025-08-26T21:17:54.736000+00:00

Second-level malware (ImageLooker.exe):

Hashes:

  • MD5: 4452BEF7FFD8A1B0E424C4C9485289AE
  • SHA1: BCCC8E59ADE8ABCE2710CC005DFCE1D51843E74D
  • SHA256: F4B3C6BB24F20AA995E8B2AF92C128B299446A9B7B02B5F45462E5D4C0DF87F2

Signing publisher:

  • CROWN SKY LLC
    • First seen: 2025-08-26T21:18:04.873000+00:00

Suspicious signing publishers:

  • LIMITED LIABILITY COMPANY APPSOLUTE
  • CROWN SKY LLC
  • OneStart Technologies LLC
  • Sunstream Labs (Capital Intellect Inc.)
  • Echo Infini Sdn. Bhd.
  • GLINT SOFTWARE SDN. BHD.
  • SPARROW TIDE LTD
  • TECHNODENIS LTD
  • INCREDIBLE MEDIA INC
  • Global Tech Allies Ltd