Don’t Trust a Signed App Blindly: How to Spot Malware Like TamperedChef
We’ve all heard the advice: only download software that is digitally signed. A valid signature used to be a strong sign that an app came from a legitimate developer and hadn’t been tampered with. But a recent malware campaign shows why that rule is no longer enough.
Earlier this year, security researchers reported a campaign called TamperedChef that distributes information stealers and remote access trojans (RATs) through legitimate-looking, signed versions of popular productivity apps. The attackers obtained valid code-signing certificates—whether by stealing them or by registering under fake identities—then used them to sign their malicious installers. As a result, the malware appears trusted to both the operating system and many antivirus engines.
If you download free text editors, compression tools, note-taking apps, or other small utilities from the internet, here is what happened and, more importantly, how you can protect yourself.
What happened
According to a report from CyberSecurityNews in May 2026, the TamperedChef campaign targeted users looking for productivity software. The attackers set up convincing download sites and even paid for ads in search results to push their malicious versions. When a user downloaded and ran the installer, it delivered both the expected app (to avoid immediate suspicion) and a hidden payload—a stealer or RAT designed to capture passwords, browser data, and other sensitive information.
What made this campaign particularly dangerous was that the installers were cryptographically signed. In tests, several antivirus products initially missed the malware because they trusted the signature.
Why it matters
The common advice to “only download signed apps” can create a false sense of security. While a valid signature once meant you could trust the publisher, attackers have found ways to abuse the system. They buy or steal certificates, or they create developer accounts using fake credentials and obtain their own certificates from authorities that don’t verify thoroughly enough.
For everyday users, the risk is real. Free productivity apps are a common entry point because they are small, easy to repackage, and have broad appeal. If you rely on a signature alone, you might let malware through without a second thought.
What you can do
You don’t need to become a security expert to avoid falling for signed malware. A few extra checks can make a big difference.
1. Use official sources first.
If you need a text editor like Notepad++ or a compression tool like 7-Zip, go directly to the developer’s official website. Bookmark it. Do not search for “free text editor download” and click the first link—those are often ads or look-alike pages.
2. Check the publisher name in the digital signature.
On Windows, right-click the installer, go to Properties > Digital Signatures, and look at the “Name of signer.” Is it the developer you expected? For example, a legitimate 7-Zip installer should be signed by “Igor Pavlov.” If the signer is something generic or unfamiliar, that is a red flag. Note that even a familiar name can be spoofed if a certificate was stolen, but it is still a useful first step.
3. Look for social proof beyond the signature.
Check how long the app has been available, how many downloads it has (on official platforms like the Microsoft Store or GitHub), and what users say in reviews. A brand-new download site with no history and a handful of glowing five-star reviews is suspicious.
4. Verify file hashes when possible.
Many legitimate developers publish SHA-256 or MD5 hashes of their installers on their official site. After downloading, you can generate the hash using a tool (or a command like certutil -hashfile file.exe SHA256 on Windows) and compare it. If it does not match, do not run the file.
5. Use security software that scans signed files.
Most modern antivirus products now scan even signed binaries for malicious behavior. Keep your definitions updated. Some advanced endpoint protection tools also check the reputation of the certificate itself.
6. Watch for unusual behavior after installation.
If an app suddenly asks for permission to access your contacts, browser data, or camera, and it has no reason to do so, uninstall it immediately. Slow performance, unexpected pop-ups, or network activity when the app is idle can also be signs of an infection.
7. If you suspect you installed something bad, act quickly.
Run a full system scan with your antivirus. Consider using a second opinion scanner like Malwarebytes or HitmanPro. If you find malware, change passwords from a clean device and enable two-factor authentication where possible.
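Steps 2 and 4 above can be combined into one check that runs before you double-click anything. The script below is an added example, not code from the original article or from any of the vendors it mentions; it assumes you have already copied the expected signer name and the published SHA-256 value from the developer's official site, and the installer path and the two expected values are placeholders you supply on the command line.

```powershell
# Verify-Installer.ps1 (added example, not from the original article)
# Checks two things about a downloaded installer before it is run:
#   1. the Authenticode signature is valid AND the signer's common name is the
#      publisher you expected (step 2 of the checklist)
#   2. the file's SHA-256 hash matches the value the developer published on
#      their official site (step 4 of the checklist)
# Usage (values are placeholders you replace):
#   .\Verify-Installer.ps1 -Path .\installer.exe -ExpectedSigner 'Igor Pavlov' `
#       -ExpectedSha256 '<hash copied from the official download page>'
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    [Parameter(Mandatory = $true)] [string] $ExpectedSigner,
    [Parameter(Mandatory = $true)] [string] $ExpectedSha256
)

# --- 1. Signature: is it valid, and who actually signed it? ---
$sig = Get-AuthenticodeSignature -FilePath $Path
# Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) fails.
if ($sig.Status -ne 'Valid') {
    Write-Host "FAIL: signature status is '$($sig.Status)', expected 'Valid'."
    exit 1
}
# GetNameInfo(SimpleName) returns the certificate's subject CN without us
# having to parse the full distinguished name by hand.
$signerCn = $sig.SignerCertificate.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($signerCn -ne $ExpectedSigner) {
    Write-Host "FAIL: signed by '$signerCn', expected '$ExpectedSigner'."
    Write-Host "      Full subject: $($sig.SignerCertificate.Subject)"
    exit 1
}
Write-Host "OK: valid signature from '$signerCn'"
Write-Host "    issuer:     $($sig.SignerCertificate.Issuer)"
Write-Host "    thumbprint: $($sig.SignerCertificate.Thumbprint)"

# --- 2. Hash: does the file match what the developer published? ---
# Get-FileHash returns uppercase hex; PowerShell's -ne compares strings
# case-insensitively, so the published value may be in either case.
$actualSha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($actualSha256 -ne $ExpectedSha256) {
    Write-Host "FAIL: SHA-256 is $actualSha256"
    Write-Host "      expected  $ExpectedSha256"
    Write-Host "      Do not run this file."
    exit 1
}
Write-Host "OK: SHA-256 matches the published hash."
exit 0
```

Two points worth keeping in mind when reading the output. The signature check only tells you that the certificate chain is trusted and names a particular subject; as the article notes, a stolen certificate passes it, so the signer name is a first filter, not proof. The hash check is the stronger of the two, because an attacker who repackaged the installer would also have to alter the hash on the developer's own site for it to match. Use SHA-256 rather than MD5 whenever the developer publishes both, since MD5 collisions are practical and an MD5 match is correspondingly weaker evidence.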
The bottom line
Code signing is still a useful security feature, but it is not infallible. The TamperedChef campaign is a reminder that attackers will exploit any trust mechanism they can. The safest approach is to combine multiple verification steps: use official sources, check the signer, look for community feedback, and verify hashes when you can. A digital signature is just one piece of the puzzle—not a guarantee.
Sources
- CyberSecurityNews, “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” May 21, 2026.
- The Hacker News, “ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories,” May 21, 2026.