Fake Signed Apps Are Spreading Malware – Here’s How to Spot Them

Most of us have been told that “signed” software is safe. When you download a program and see a digital signature from a known publisher, Windows or macOS will usually let it run without extra warnings. But that trust is being exploited in a new wave of malware campaigns — including one security researchers have named TamperedChef.

If you routinely download free tools like Notepad++, 7-Zip, or Microsoft Teams installers from anywhere other than the official source, you might be at risk. Here’s what’s happening and how to protect yourself.

What Happened

According to cybersecurity news reports, the TamperedChef campaign is distributing malware — including information stealers and remote access trojans (RATs) — by bundling them inside what appear to be legitimate, digitally signed versions of common productivity apps. The malware has been found inside signed copies of Notepad++ and 7-Zip, two widely trusted utilities.

The digital signatures on these fake installers are not always forged from scratch. In some cases, attackers steal code-signing certificates from real developers or use self-signed certificates that appear legitimate at a quick glance. The result: your antivirus may not flag the file, and Windows may show a green “verified publisher” message, leading you to believe the software is safe.

This is not an isolated incident. Separately, researchers have observed hackers using fake Microsoft Teams download pages to deploy a RAT known as ValleyRAT. The pattern is consistent: attackers take advantage of the trust users place in digital signatures.

Why It Matters

Digital signatures are supposed to guarantee that a file hasn’t been tampered with and that it comes from a specific developer. When you see “Signed by: Notepad++” in the file properties, you assume you’re getting the real thing.

The TamperedChef campaign undermines that assumption. It shows that a signed file is not proof of safety — especially if the signature has been stolen or issued by an untrustworthy certificate authority. For everyday users, this means that relying solely on the presence of a digital signature is no longer enough.

The malware delivered by these fake installers can steal passwords, browser cookies, cryptocurrency wallets, and other sensitive data. Some variants also give attackers full remote control over the infected machine.

What You Can Do

You don’t need to become a security expert, but a few simple habits can reduce your risk significantly.

1. Download only from official websites or trusted app stores.
If you need Notepad++, go to notepad-plus-plus.org (or the official GitHub repository). For 7-Zip, use 7-zip.org. Avoid third-party download sites, which are common sources of tampered installers. The official site will always have the correct file hash and a proper signature chain.

2. Check the digital signature – not just its presence, but its details.
On Windows, right-click the installer, choose Properties, then go to the Digital Signatures tab. Look at the “Name of signer” and “Timestamp” fields. A legitimate file from Notepad++ should list “Notepad++” or its developer (Don HO) as the signer. If the signer is something generic like “Test Certificate” or an unfamiliar company, do not install.

3. Verify the certificate chain.
In the same Digital Signatures dialog, select the signature and click Details, then View Certificate. Check that the certificate was issued by a well-known certificate authority (e.g., DigiCert, Sectigo, Let’s Encrypt) and that it hasn’t expired. If you see any warnings like “This certificate cannot be verified,” treat the file as suspicious.

4. Use reputable security software.
Modern antivirus programs often scan files before execution, even if they are signed. They may detect malicious behavior during installation. However, keep in mind that some malware is designed to bypass antivirus — so this is a last line of defense, not a replacement for cautious downloading.

5. Be wary of unexpected download prompts.
If you click a link in an email or a social media message that claims to be a “critical update” for a productivity tool, close it and go to the official site yourself. Many fake download pages look nearly identical to the real thing but serve malware.
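
Steps 1 to 3 can also be run as one script instead of clicking through the Properties dialog. The PowerShell below is an added example, not code from the reported research or from any vendor; the function name Test-InstallerSignature, its parameters and the installer.exe path are hypothetical.

```powershell
# Added example: check an installer's Authenticode signature and hash before running it.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,            # installer to inspect
        [Parameter(Mandatory)] [string] $ExpectedSigner,  # text you expect in the signer subject
        [string] $ExpectedSha256                          # hash published by the official site, if any
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $cert   = $sig.SignerCertificate
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $issues = @()

    # Status is 'Valid' only when the file matches its signature and the
    # certificate chains to a root that this machine trusts.
    if ($sig.Status -ne 'Valid') { $issues += "Signature status: $($sig.Status)" }

    if ($cert) {
        # Step 2: the signer must be the publisher you expect, not merely some signer.
        if ($cert.Subject -notlike "*$ExpectedSigner*") { $issues += "Unexpected signer: $($cert.Subject)" }
        # Step 3: a certificate that issued itself has no certificate authority behind it.
        if ($cert.Subject -eq $cert.Issuer) { $issues += 'Certificate is self-signed' }
        # An expired certificate is only acceptable if the signature was timestamped.
        if ($cert.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
            $issues += 'Certificate expired and the signature has no timestamp'
        }
    }

    # Step 1: a stolen but still valid certificate passes every check above,
    # so also compare against the hash from the official download page.
    if ($ExpectedSha256 -and $sha256 -ne $ExpectedSha256.Trim()) {
        $issues += 'SHA-256 does not match the published value'
    }

    [pscustomobject]@{
        Signer      = $cert.Subject
        Issuer      = $cert.Issuer
        ValidUntil  = $cert.NotAfter
        Timestamped = [bool] $sig.TimeStamperCertificate
        Sha256      = $sha256
        Issues      = $issues
        Passed      = ($issues.Count -eq 0)
    }
}

# Usage (installer.exe is a placeholder path):
# Test-InstallerSignature -Path .\installer.exe -ExpectedSigner 'Notepad++' | Format-List
```

An empty Issues list means the file passed these checks, not that it is safe: the hash comparison is the only check here that a stolen certificate cannot satisfy.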

Sources

  • Cybersecurity News: TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs (May 21, 2026)
  • Cybersecurity News: Hackers Use Fake Microsoft Teams Downloads to Deploy ValleyRAT Malware (May 21, 2026)

Bottom line: A digital signature is a helpful indicator, but not a guarantee. Treat every download with a healthy dose of skepticism, especially if it comes from anywhere other than the official developer site. By verifying signatures carefully and sticking to trusted sources, you can avoid the most common pitfalls that TamperedChef and similar campaigns exploit.