Fake Productivity Apps Are Spreading TamperedChef Malware—Here’s How to Spot Them

A new wave of malware, tracked as TamperedChef, is being distributed through fake downloads of popular productivity applications like Microsoft Teams. What makes this campaign particularly dangerous is that the malicious installers are digitally signed, which can help them bypass some security software that trusts seemingly legitimate code. The end goal is to plant password stealers and remote access trojans (RATs) on victims’ machines. Here’s what you need to know to avoid falling for these fakes.

What happened

Security researchers recently reported an increase in malware campaigns that use signed fake apps to infect devices. TamperedChef is one such campaign. It delivers stealers (tools that harvest credentials, browser data, and cryptocurrency wallets) as well as RATs that give attackers remote control over the infected system.

The attackers create convincing copies of well-known productivity tools—Microsoft Teams appears to be a common bait. Victims are directed to download the installer from a page that looks like the official website but is actually a lookalike domain. Because the installer carries a valid digital signature, it may not trigger warnings from antivirus or Windows Defender.

It’s worth noting that a digitally signed file is not proof of authenticity. Attackers can obtain code-signing certificates through various means, including buying them from resellers or abusing stolen ones. So a green checkmark in the file properties does not guarantee the software is safe.

Why it matters for everyday users

Most people who need a tool like Teams, Zoom, or Slack will search for it online and click the first link. Scammers know this and optimize their fake download pages to appear high in search results. Once installed, the malware runs silently in the background. You might not notice anything wrong until important files are encrypted, accounts are compromised, or your computer starts acting strangely.

The use of signed installers is a notable escalation. Traditional advice like “only download from trusted sources” is still correct, but a valid signature on its own is no longer a reliable sign that a download is trustworthy. You need to look more closely at who signed the file and where it came from.

What you can do to stay safe

Recognize the red flags

  • The download page URL is slightly off—e.g., micros0ft-teams.com or teams-download.net.
  • The page urges you to download from a third-party file host rather than the vendor’s own download server.
  • The installer is much larger or smaller than the expected file size.
  • Your antivirus (if you have one) doesn’t run a scan on the downloaded file, or you’re asked to disable it to install.

Verify the source every time

  • Go directly to the official website by typing the address into your browser (e.g., teams.microsoft.com, zoom.us, slack.com). Do not click search results or ads.
  • Use the Microsoft Store or the app’s built-in update mechanism when available. For Windows, the Microsoft Store often handles official versions of Teams and other apps.
  • After downloading, right-click the installer, go to Properties → Digital Signatures. Check that the signer is the legitimate company (e.g., “Microsoft Corporation”). Even then, double-check the details—some fake signatures use names that look close but aren’t right.
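The signer check above can be scripted so that a lookalike name is rejected automatically rather than eyeballed. The following PowerShell is an added example, not code from the article or from CyberSecurityNews; it assumes the installer path is passed as a parameter, uses “Microsoft Corporation” (the name the article cites) as the only entry in the allow-list, and relies on the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets.

```powershell
# Added example (not from the original article): verify a downloaded installer's
# Authenticode signature and reject lookalike signer names by requiring an
# exact match against an allow-list, since "Valid" alone only proves that
# someone held a certificate a trusted CA issued.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Signer common names you expect, compared exactly (case-insensitive, no wildcards).
# "Microsoft Corporation" is the example the article gives; add others you trust.
$ExpectedSigners = @('Microsoft Corporation')

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "File not found: $Path"
    exit 2
}

$sig = Get-AuthenticodeSignature -LiteralPath $Path

# Status is Valid only if the chain builds to a trusted root and the file is unmodified.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
    exit 1
}

# Ask the certificate object for its CN instead of string-splitting the subject,
# so a CN that itself contains a comma is still read correctly.
$cert    = $sig.SignerCertificate
$cn      = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$subject = $cert.Subject

# Exact comparison: "Microsoft Corporation" passes; "Micr0soft Corporation" or
# "Microsoft Corporation Ltd" does not, which is the lookalike case the article warns about.
if ($ExpectedSigners -notcontains $cn) {
    Write-Warning "Signer '$cn' is not on the expected list."
    Write-Warning "Full subject: $subject"
    Write-Warning "Thumbprint : $($cert.Thumbprint)"
    exit 1
}

# Record the SHA-256 so the file can later be compared against a hash the vendor publishes.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
Write-Output "OK: '$Path' signed by '$cn' (status $($sig.Status)); SHA256 $hash"
exit 0
```

Save it as a .ps1 and run it as `.\Check-Installer.ps1 -Path .\TeamsSetup.exe`; a non-zero exit code means the file should not be run.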

If you think you’ve downloaded a fake

  • Disconnect your computer from the internet immediately.
  • Run a full scan with your antivirus software. If you don’t have one, consider using the Microsoft Defender Offline scan or a free second-opinion scanner like Malwarebytes.
  • Change passwords for any accounts you’ve accessed on that device, especially email and banking. Use a different, known-clean computer for the password reset.
  • Monitor your accounts for suspicious activity over the next few weeks.

Long-term prevention habits

  • Keep your operating system and all software updated. Patches often fix vulnerabilities that malware exploits.
  • Use a standard user account instead of an administrator account for daily tasks. This limits what malware can do.
  • Be skeptical of urgent download prompts or “update now” notifications that appear in your browser or email. Verify through the app itself.
  • Consider using an ad-blocker and a security extension in your browser to reduce exposure to misleading ads.

Sources

This article is based on recent reporting from CyberSecurityNews regarding the TamperedChef malware campaign. The original report can be found here. Additional context on signed malware and fake download pages comes from general cybersecurity advisories.