Beware: TamperedChef Malware Hides in Signed Productivity Apps to Steal Your Data

A new malware campaign named TamperedChef is making the rounds, and it has a particularly sneaky trick: it uses legitimate-looking, digitally signed productivity applications to deliver information stealers and remote access trojans (RATs). Because the apps appear to be signed by their real publishers, many users let their guard down. Here’s what you need to know and how to avoid becoming a victim.

What happened

Security researchers have identified a campaign that spreads malware through what looks like authentic productivity software—think Microsoft Office, Google Workspace tools, or collaboration apps like Teams. The attackers either tamper with legitimate installers or create infected versions that still carry valid digital signatures. Once a victim runs the downloaded installer, it drops a stealer (such as RedLine or Vidar) or a RAT (like AsyncRAT) alongside the expected app.

The malware can then harvest saved passwords, browser cookies, cryptocurrency wallets, and other sensitive data. In some cases, the RAT gives attackers full remote control over the infected machine, potentially leading to ransomware or long-term surveillance. The campaign is active now, relying on email phishing links and fake download websites that closely mimic official pages.

Why it matters

Digitally signed software has long been a trust signal for users. Seeing a valid “Microsoft Corporation” or “Google LLC” signature in the file properties often reassures people that the file is safe. TamperedChef exploits that trust. A valid signature does not guarantee the file is clean: it only proves the file has not been altered since it was signed and that the signer held a code-signing certificate, which in this campaign was stolen or misused to pass Windows or macOS security checks.

For everyday users who routinely download office tools, update prompts, or browser extensions, this attack vector is especially dangerous. You could be installing a completely functional app while unknowingly handing over your passwords and enabling remote access to your computer.

What readers can do

You don’t need to be a security expert to defend against TamperedChef. Most of the protection comes from simple, consistent habits.

1. Stick to official sources
Download productivity apps only from the vendor’s verified website or a trusted app store (Microsoft Store, Google Play, Apple App Store). Avoid third-party download portals, even if they seem legitimate. If an email or ad directs you to a download link, open a browser and go to the official site manually instead.

2. Verify the publisher, not just the signature
Right-click the installer file, go to Properties → Digital Signatures, and check that the signer is the expected publisher. But note: a valid signature alone is not enough. The certificate itself could have been issued fraudulently. If the file name, download source, or publisher seems off, don’t run it.
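As an added example that is not part of the original article, the PowerShell function below automates the check described in point 2: it reads the Authenticode signature, reports who actually signed the file, and refuses a file whose signer name does not match the publisher you expected. The function name, the report fields and the sample download path are assumptions chosen for this illustration.

```powershell
function Test-InstallerPublisher {
    # Reports whether $Path has a valid Authenticode signature AND whether the
    # signer's common name is the publisher you expected (point 2 above).
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # e.g. 'Microsoft Corporation'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $report = [ordered]@{
        File            = $Path
        SignatureStatus = [string]$sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = $null
        Issuer          = $null
        Timestamped     = $false
        PublisherMatch  = $false
        Verdict         = 'DO NOT RUN'
    }

    # Anything other than Valid means unsigned, altered after signing, or signed
    # with a certificate this machine does not trust.
    if ($sig.Status -ne 'Valid') {
        $report.Verdict = "DO NOT RUN: $($sig.StatusMessage)"
        return [pscustomobject]$report
    }

    $cert = $sig.SignerCertificate
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    # SimpleName gives the CN without hand-parsing the DN (company names can contain commas).
    $cn = $cert.GetNameInfo($nameType, $false)
    $report.Signer         = $cn
    $report.Issuer         = $cert.GetNameInfo($nameType, $true)
    $report.Timestamped    = ($null -ne $sig.TimeStamperCertificate)
    $report.PublisherMatch = ($cn -ceq $ExpectedPublisher)   # exact, case-sensitive compare

    if ($report.PublisherMatch) {
        # A matching name is necessary, not sufficient: a stolen or fraudulently issued
        # certificate can carry the same CN, so where you got the file still decides.
        $report.Verdict = 'Signature valid and publisher matches; run only if downloaded from the official site'
    } else {
        $report.Verdict = "DO NOT RUN: signed by '$cn', expected '$ExpectedPublisher'"
    }
    [pscustomobject]$report
}

# Constructed example path; substitute the installer you actually downloaded.
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\OfficeSetup.exe" -ExpectedPublisher 'Microsoft Corporation' |
    Format-List
```

The Issuer and Timestamped fields are there for a second look: a publisher you know that is suddenly signed through an unfamiliar certificate authority, or without a timestamp countersignature, is a reason to go back to the official site rather than run the file.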

3. Enable app reputation checks
On Windows 10 or 11, make sure SmartScreen is turned on (under Virus & threat protection). On macOS, Gatekeeper should be set to allow only apps from the App Store and identified developers. These features can block unknown or untrusted installers before they execute.

4. Keep antivirus and OS updated
Modern endpoint protection (Windows Defender, third-party solutions) can detect many stealers and RATs. Update your operating system and software regularly to patch vulnerabilities that malware exploits.

5. Watch for signs of infection
Common indicators: slow system performance, unexpected pop-ups, new browser extensions, unknown processes in Task Manager, or unusual network activity. If you suspect infection, run a full scan with your antivirus, use a second-opinion tool like Malwarebytes, change all important passwords from a clean device, and enable two-factor authentication (2FA) everywhere you can.

6. Be skeptical of unexpected app updates
If an app suddenly prompts you to “update” from within a pop-up or a random website, close the prompt and update it through the app’s own menu or official store. TamperedChef has been observed piggybacking on fake update notifications.

Sources

This article is based on threat intelligence from cybersecurity news outlets tracking the TamperedChef campaign. For deeper technical analysis, refer to reports from Cyble, BleepingComputer, and similar sources. The details here reflect what is publicly known as of late May 2026; some specifics may evolve as researchers uncover more about the attack chain.