When a Signed App Is Not Safe: The TamperedChef Malware Campaign

If you’ve ever downloaded a productivity app like Zoom, Slack, or Microsoft Teams from a search ad or a third‑party site, you may have been one click away from infection. A recently reported campaign called TamperedChef is using a clever trick: the malware is digitally signed with valid certificates, so it looks legitimate to both users and security software.

Here’s what’s happening, why it matters, and what you can do to stay safe.

What Happened

In May 2026, cybersecurity researchers reported a wave of attacks known as TamperedChef. The attackers obtained (or stole) valid code‑signing certificates and used them to sign malicious installers disguised as popular productivity tools. These fake installers mimic Zoom, Microsoft Teams, Slack, and similar apps.

Once installed, the hidden payloads include ValleyRAT (a remote access trojan), RedLine Stealer, and AsyncRAT, all capable of stealing credentials and files and of handing the attacker remote control of the victim's machine. Because the executables carry a valid digital signature, the static checks in many antivirus engines and endpoint tools score them as lower risk, and any allow-listing policy written to trust "signed" binaries lets them run without question.

The distribution method is a familiar one: malvertising (paid search ads that appear above the organic results and point at an attacker-controlled download page), SEO poisoning (manipulating rankings so the fake page sits near the top of the organic results), and phishing websites styled to look like the official download page. Users who click these ads or visit these sites are prompted to download the "latest version" of the app.

Why It Matters

Digital signatures are meant to verify that software comes from a genuine publisher and hasn’t been tampered with. When malware uses a valid signature, it undermines that trust. Consumers who check for a signature as a safety measure can be lured into a false sense of security.

The TamperedChef campaign is a reminder that a signed app is not necessarily a safe app. The certificate may have been bought fraudulently, stolen, or issued to a shell company. By the time the certificate is revoked, the damage is often done, and revocation does nothing for a file that has already been downloaded and run.

For the average user, the risk is real: you search for a work app, click the first result, run the installer, and unintentionally give attackers access to your computer. The consequences include data theft, ransomware, or your device being used in further attacks.

What Readers Can Do

You don’t need to be a security expert to reduce your risk. Here are concrete steps:

  1. Always download from official sources. Go directly to the app’s website (e.g., zoom.us, microsoft.com, slack.com) or use the trusted app store on your device. Never click search ads for software — they are a common vector for malware.

  2. Check the digital signature even on official downloads. On Windows, right‑click the installer file, select Properties, then the Digital Signatures tab (if the tab is missing, the file is unsigned). Verify that the signer listed matches the legitimate company exactly (for instance, "Microsoft Corporation" or "Zoom Video Communications, Inc."). If the name is one you don't recognise, or is a near miss of the real company name, do not run the file. Keep in mind that a valid signature from the wrong publisher is exactly what this campaign relies on: the green tick tells you the file was not altered after signing, and only the signer name tells you who signed it.

  3. Use a file‑reputation service. Before opening a downloaded executable, check it against VirusTotal or a similar tool, which scans the file with dozens of antivirus engines. Look up the file's SHA‑256 hash first; that tells you whether the file is already known without sending a copy anywhere, which matters if the file might contain company data. A high detection rate is a clear warning. A low detection rate does not guarantee safety, especially for a freshly signed sample that may show zero detections in its first days.

  4. Enable two‑factor authentication on all important accounts. If the malware steals your passwords, 2FA can prevent an attacker from logging in. Note that infostealers such as RedLine also take browser session cookies, which can let an attacker into an account without either the password or the second factor, so after an incident sign out of important services everywhere and revoke active sessions where the service offers it. 2FA is a safety net, not a replacement for good download habits.

  5. Keep your security software up to date. Modern antivirus and endpoint detection tools can sometimes catch signed malware based on behaviour, even if the file itself appears clean. Make sure real‑time protection is on.
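Steps 2 and 3 above can be scripted. The following PowerShell script is an added example written for this article; it is not code from the original page or from any of the vendors named. It reports the signature status, the signer and issuer names, the certificate's age and whether the signature is timestamped, the file's SHA‑256 for a reputation lookup, and the download URL that Windows records in the file's Mark‑of‑the‑Web stream (a search‑ad redirector or an unfamiliar domain there is a warning in itself). The publisher table is an assumption for illustration: the keyword‑to‑publisher pairs are made up for the example, and the exact subject names should be confirmed against an installer obtained from the vendor's own site.

```powershell
# Check-Installer.ps1 (added example, not from the original article)
# Pre-run checks for a downloaded installer. "Valid" only means the certificate
# chain checks out; the signer name is what has to match the product.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Assumed allow-list for illustration: a keyword from the file name mapped to the
# exact certificate subject name expected for that product. Confirm these strings
# yourself against a copy obtained from the vendor's own site.
$expectedPublishers = @{
    'zoom'  = 'Zoom Video Communications, Inc.'
    'teams' = 'Microsoft Corporation'
}

$file = Get-Item -LiteralPath $Path -ErrorAction Stop
$sig  = Get-AuthenticodeSignature -FilePath $file.FullName
$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
$findings = New-Object System.Collections.Generic.List[string]

if ($sig.Status -ne 'Valid') {
    $findings.Add("Signature status is '$($sig.Status)': $($sig.StatusMessage)")
}

$signer = $null
$issuer = $null
$thumbprint = $null
if ($sig.SignerCertificate) {
    $cert       = $sig.SignerCertificate
    $signer     = $cert.GetNameInfo('SimpleName', $false)   # subject CN
    $issuer     = $cert.GetNameInfo('SimpleName', $true)    # issuing CA CN
    $thumbprint = $cert.Thumbprint

    # The file name tells us which product the user believes this is; the signer
    # must be that product's publisher, not merely "some" valid publisher.
    $product = $expectedPublishers.Keys | Where-Object { $file.BaseName -match $_ } | Select-Object -First 1
    if ($product -and $signer -ne $expectedPublishers[$product]) {
        $findings.Add("File name suggests '$product' but the signer is '$signer' (expected '$($expectedPublishers[$product])')")
    }

    # Heuristic: certificates bought or obtained under a front company for one
    # campaign tend to be very new; established vendors' certificates are not.
    $ageDays = [int]((Get-Date) - $cert.NotBefore).TotalDays
    if ($ageDays -lt 30) {
        $findings.Add("Signing certificate is only $ageDays days old (issued $($cert.NotBefore.ToShortDateString()))")
    }

    if (-not $sig.TimeStamperCertificate) {
        $findings.Add('No timestamp counter-signature; the signature will stop validating when the certificate expires')
    }
}

# Mark-of-the-Web: Windows stores the origin of a downloaded file in the
# Zone.Identifier alternate data stream. HostUrl should be the vendor's own
# domain; ReferrerUrl shows the page that linked to it (e.g. an ad landing page).
$motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
$hostUrl     = ($motw | Where-Object { $_ -like 'HostUrl=*' }     | Select-Object -First 1) -replace '^HostUrl=', ''
$referrerUrl = ($motw | Where-Object { $_ -like 'ReferrerUrl=*' } | Select-Object -First 1) -replace '^ReferrerUrl=', ''

$result = if ($findings.Count -eq 0) {
    'None; still compare the signer and SHA256 with the vendor download'
} else {
    $findings.ToArray()
}

[pscustomobject]@{
    File           = $file.Name
    SHA256         = $hash
    Status         = $sig.Status
    Signer         = $signer
    Issuer         = $issuer
    Thumbprint     = $thumbprint
    DownloadedFrom = $hostUrl
    Referrer       = $referrerUrl
    Findings       = $result
}
```

Run it as `.\Check-Installer.ps1 -Path "$env:USERPROFILE\Downloads\ZoomInstaller.exe" | Format-List`. The SHA256 value is what to paste into a reputation service's search box (step 3) before deciding whether to upload the file. An empty Findings list is not a clean bill of health; it only means the file passed the checks the script knows how to make.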

What to Do If You Suspect Infection

If you think you’ve run a suspicious installer, act quickly:

  • Disconnect the computer from the internet (unplug the Ethernet cable or turn off Wi‑Fi).
  • Run a full offline scan using your antivirus or a dedicated tool like Microsoft Defender Offline (still labelled Windows Defender Offline in some versions), which scans from outside the running system so that an active trojan cannot hide from it.
  • Change your passwords from a separate, trusted device (like a phone or another computer), and sign out of all sessions on important services, since stolen session cookies work without the password.
  • If the scan finds a remote access trojan or stealer, reinstall the operating system from known‑good media. System Restore rolls back settings and some files but does not reliably remove malware, so treat it as a last resort rather than a cleanup.
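When deciding between cleanup and reinstall it helps to see what the installer left behind. The following PowerShell script is an added triage aid written for this article, not code from the original page. Run it after the machine is offline. It lists executable files created under the user‑writable locations droppers favour since the time you supply, the current autostart entries in the Run and RunOnce registry keys, scheduled tasks registered since that time, and which of those autostarts point at one of the new files. The -Since value is an assumption you provide (the time you ran the installer), and the directory list is an illustrative choice, not an exhaustive one. It is a triage aid only and removes nothing.

```powershell
# Find-InstallerDrops.ps1 (added example, not from the original article)
# Lists what appeared on the system after a suspect installer ran: new executables
# in user-writable locations, autostart registry entries, recently created
# scheduled tasks, and the autostarts that reference the new files.
param(
    [Parameter(Mandatory = $true)]
    [datetime]$Since   # assumption: the time the suspect installer was run
)

# Illustrative set of locations where user-level droppers typically write.
$dropDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) | Sort-Object -Unique
$execExt  = @('.exe', '.dll', '.ps1', '.vbs', '.js', '.bat', '.cmd', '.scr')

$newFiles = @(foreach ($dir in $dropDirs) {
    Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -and $_.Extension -in $execExt }
})

# Autostart entries for the current user and the machine. Get-ItemProperty adds
# PS* bookkeeping properties; everything else is a value name -> command line.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runEntries = @(foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = [string]$_.Value } }
    }
})

# Scheduled tasks registered since the installer ran. Date is a string on the task
# object and may be empty, so convert with -as, which yields $null on failure.
$newTasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    $d = $_.Date -as [datetime]
    $d -and $d -ge $Since
} | ForEach-Object {
    [pscustomobject]@{
        Source  = 'ScheduledTask'
        Name    = "$($_.TaskPath)$($_.TaskName)"
        Command = (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; ')
    }
})

# Cross-reference: any autostart whose command line contains one of the new files
# is the persistence mechanism to look at first.
$newPaths = @($newFiles | ForEach-Object { $_.FullName })
$autostartsToNew = @($runEntries + $newTasks | Where-Object {
    $cmd = [string]$_.Command
    $null -ne ($newPaths | Where-Object { $cmd.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 } | Select-Object -First 1)
})

[pscustomobject]@{
    NewExecutables     = $newFiles | Select-Object FullName, CreationTime, Length
    AutostartsToNew    = $autostartsToNew
    AllRunEntries      = $runEntries
    NewScheduledTasks  = $newTasks
}
```

Run it as `.\Find-InstallerDrops.ps1 -Since '2026-05-12 14:30' | Format-List`. Run it from an elevated prompt to see the HKLM keys and ProgramData; as a standard user it still covers the per‑user locations where most droppers land. Anything listed under AutostartsToNew is a strong sign the installer established persistence, which is the case where a reinstall is the safer choice.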

Sources

This article is based on reports published in May 2026 covering the TamperedChef campaign, as well as earlier documentation of ValleyRAT, RedLine Stealer, and signed‑malware techniques. Details about distribution via SEO poisoning and phishing are standard attack patterns described in multiple cybersecurity threat analyses.

Note: Digital signature verification is not foolproof, but following the steps above significantly lowers the chance of falling victim to this kind of attack.