Hackers Are Hiding Malware in Common Productivity Apps – Here’s How to Stay Safe
If you routinely download free tools like Notepad++, 7-Zip, or PDF editors from third-party download sites, a recent malware campaign should give you pause. Security researchers have identified a fresh wave of attacks, dubbed “TamperedChef,” that uses signed installers of popular productivity software to slip information stealers and remote access trojans (RATs) onto victims’ computers.
What Happened
According to reports from mid‑May 2026, the TamperedChef campaign works by taking legitimate installer files for widely used productivity applications, injecting malicious code, and then digitally signing the tampered version. Because the files appear properly signed, they can bypass some basic security checks and often look trustworthy to users. Once installed, the malware can steal credentials, collect sensitive data, and give attackers remote control over the machine.
The attackers appear to have obtained valid code‑signing certificates, possibly by purchasing them from resellers or by compromising developer accounts. That makes the malicious downloads harder to distinguish from genuine ones. The malware payloads observed include both stealers (designed to harvest passwords, cookies, and cryptocurrency wallets) and RATs that allow long‑term access.
Why It Matters for Everyday Users
Most home and small‑office users rely on productivity apps daily. Many download them from search ads, “freeware” directories, or mirror sites without checking the source. A signed executable is not proof of safety – it only proves the file was signed with a certificate, not that the signer is legitimate. TamperedChef exploits this trust gap.
The risk is not theoretical. If you have installed a tool like Notepad++ or 7-Zip from a site other than the official developer homepage or a trusted store (like the Microsoft Store or winget), you could have downloaded a version that looks and works normally but secretly runs malicious code in the background. Even antivirus software may not flag it immediately because the signature appears valid and the behavior mimics a regular app.
What You Can Do to Protect Yourself
The good news is that a few straightforward habits can reduce your risk significantly.
1. Download Only from Official Sources
Visit the developer’s official website directly. For Notepad++, that’s notepad-plus-plus.org; for 7-Zip, it’s 7-zip.org. Use a bookmarked link or type the URL yourself, rather than clicking a search ad. Avoid third‑party download portals like Download.com, Softonic, or random file hosting sites.
2. Verify Digital Signatures
After downloading any executable, right‑click it in File Explorer and select Properties → Digital Signatures. Check who the signer is. For example, the official 7‑Zip installer should be signed by Igor Pavlov. If the signer name looks unfamiliar or mismatched, do not run the file. If no signature is present, treat the file with extra suspicion.
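The same check can be scripted so you do not have to read the Properties dialog by eye. This is an added example, not part of the original article or of any developer's tooling; the script name, the download path and the expected publisher name in the usage line are assumptions you replace with your own values.

```powershell
# Added example (not from the original article): check a downloaded installer's
# Authenticode signature and compare the signer's name with the publisher you expect.
# Usage (path and publisher are assumptions for illustration):
#   .\Check-Installer.ps1 -Path "$env:USERPROFILE\Downloads\7z-x64.exe" -ExpectedSigner 'Igor Pavlov'
param(
    [Parameter(Mandatory)] [string]$Path,
    [Parameter(Mandatory)] [string]$ExpectedSigner
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Status says whether the signature is intact and chains to a trusted root.
# 'Valid' alone is not enough: TamperedChef used certificates that were valid,
# just not the real developer's, so the signer name must be compared as well.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)' ($($sig.StatusMessage)). Do not run this file."
    exit 1
}

$cert = $sig.SignerCertificate
$cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

Write-Host "Signer CN     : $cn"
Write-Host "Subject       : $($cert.Subject)"
Write-Host "Issuer        : $($cert.Issuer)"
Write-Host "Valid from/to : $($cert.NotBefore) - $($cert.NotAfter)"
Write-Host "Thumbprint    : $($cert.Thumbprint)"

# Compare the signer name with what the official site lists. A certificate in an
# unfamiliar name or organisation is exactly the mismatch this article warns about.
if ($cn -ne $ExpectedSigner) {
    Write-Warning "Signer '$cn' does not match expected publisher '$ExpectedSigner'. Do not run this file."
    exit 1
}

Write-Host "Signer matches '$ExpectedSigner'. Still confirm the file came from the official site." -ForegroundColor Green
exit 0
```

The script exits with a non-zero code on any unsigned, broken or mismatched signature, so it can also be used from a batch file before an installer is launched.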
3. Use a Standard (Non‑Admin) User Account
When you run an infected installer from an admin account, the malware gains full system access. If you log in as a standard user for day‑to‑day tasks, the malware’s ability to install itself system‑wide is limited. It’s a simple but effective layer of protection.
4. Keep Antivirus and Antimalware Software Updated
No tool is perfect, but updates help catch newer variants. Make sure real‑time scanning is enabled. Some dedicated antimalware scanners, such as Malwarebytes, can detect suspicious behavior even when the signed executable is not in their signature database.
5. Be Skeptical of Unusual Permissions
After installation, if an app begins asking for network access, reading your browser cookies, or modifying system files, that is a red flag. Legitimate text editors and compression tools do not need those permissions. Uninstall the app and run a full scan.
What to Do If You Suspect Infection
If you notice any of the following signs – unexplained system slowdowns, unexpected pop‑ups, new browser toolbars, or passwords that stop working – take action:
- Disconnect from the internet to prevent data exfiltration.
- Run a full scan with your antivirus software.
- Consider using a second opinion scanner like Malwarebytes.
- Change passwords for critical accounts from a clean device (phone or another computer).
- If you have used a tampered app recently, it’s safest to treat that computer as compromised and, if possible, restore from a known‑good backup or reformat.
Sources
This article is based on reporting from CyberSecurityNews (May 21, 2026) and The Hacker News (May 21, 2026), which first detailed the TamperedChef campaign. The specifics of the malware’s use of signed productivity app installers are drawn from those reports. No independent confirmation of every detail is available at this time, but the pattern of attacks is consistent with long‑established techniques in the malware ecosystem.
Stay safe, and remember: a signed app is not a safe app. Verify the source first.