Hackers Are Using Fake Signed Productivity Apps to Infect Your PC—Here’s How to Stay Safe
If you’ve ever downloaded a productivity tool like Zoom, Slack, or Notion from a search result rather than the official site, you’ve probably felt safe when Windows or macOS showed a “signed by a verified publisher” message. That green checkmark is supposed to mean the software hasn’t been tampered with and came from a legitimate developer. But a recently uncovered malware campaign called TamperedChef shows that trust can be misplaced. Attackers are using valid digital signatures on trojanized versions of these apps to slip past antivirus and straight onto your machine.
What Happened
In May 2026, cybersecurity researchers identified TamperedChef, a malware operation that distributes information stealers and remote access trojans (RATs) disguised as popular productivity software. The attackers obtained legitimate code-signing certificates—either stolen or fraudulently issued—and used them to sign modified installers of apps like Zoom and Slack. Because the files carry valid digital signatures, many security tools treat them as safe. Once installed, the malware quietly begins exfiltrating credentials, cookies, and other sensitive data, and can give attackers remote control of the infected system.
The campaign appears to rely on malicious ads, fake download pages, or compromised websites that rank highly in search results. Users searching for a free or updated version of a productivity tool may land on one of these pages and download what looks like the real thing, complete with a publisher name that checks out.
Why It Matters
Digital signatures have long been a cornerstone of trust in software distribution. When an app is signed, your operating system can verify that the file hasn’t been altered after signing and that the publisher’s identity matches a certificate authority’s records. But valid signatures do not guarantee the software is safe—they only confirm the file came from whoever holds that certificate. If attackers get hold of a certificate, or convince a certificate authority to issue one for a fake company, they can sign malicious code that appears legitimate.
This is not a theoretical risk. Similar attack chains have been used in the past with other malware families. What makes TamperedChef notable is its focus on widely used productivity apps and the apparent effectiveness of the signed payloads against common security products. The campaign highlights a gap in how both users and automated defenses evaluate trust: a signature should be just one factor, not a final “all clear.”
How to Verify an App Before Installing
You don’t need to become a security expert, but a few extra seconds of scrutiny can make the difference. Here’s what to check:
- Only download from official sources. Go directly to the developer’s website or use an official app store (Microsoft Store, Mac App Store). Avoid third-party download sites, even if they look professional.
- Look at the publisher name in the signature. When Windows shows a UAC prompt, it displays the verified publisher, for example Zoom Video Communications, Inc. If you see a generic name, a misspelling, or something unfamiliar, that’s a red flag.
- Examine the certificate details. On Windows, right-click the installer file, select Properties, go to the Digital Signatures tab, select the signature, and click Details. You can see who issued the certificate and when it expires. Legitimate certificates are typically issued by well-known authorities such as DigiCert, Sectigo, or GlobalSign. If the certificate is self-signed or from an unknown authority, be suspicious.
- Check the file’s reputation online. Before running the installer, you can upload the file to services like VirusTotal. While not perfect, a scan from dozens of antivirus engines can reveal if something is off. Keep in mind that zero-day signed malware may not be detected yet, but multiple detections are a strong warning.
- Verify the download URL. Look at the address bar. Official download links usually have a domain like zoom.us/download or slack.com/downloads, not something like zoom-free-download.net.
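The manual checks above (download origin, signature status, publisher name, issuing authority, and a hash for a reputation lookup) can be run together from PowerShell. The script below is an added example, not code from the article or from any vendor; the expected publisher string, the official domain list, and the well-known CA names are placeholders to adapt for the app you are checking. It uses the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets, which read the same data the Digital Signatures tab shows.

```powershell
# Added example (not part of the original article): pre-install checks for a downloaded
# Windows installer. Publisher, domains and CA names below are assumed placeholders.
param(
    [Parameter(Mandatory = $true)][string]$Path,          # e.g. "$env:USERPROFILE\Downloads\ZoomInstaller.exe"
    [Parameter(Mandatory = $true)][string]$DownloadUrl,   # the address-bar URL the file came from
    [string]$ExpectedPublisher = 'Zoom Video Communications, Inc.',  # assumed expected subject CN
    [string[]]$OfficialDomains = @('zoom.us')             # assumed official domain(s) for this vendor
)

$ErrorActionPreference = 'Stop'
$findings = @()

# 1. Download origin: the host must be the official domain or a subdomain of it.
#    Look-alikes such as "zoom-free-download.net" or "zoom.us.example.net" fail this test.
$uri = [System.Uri]$DownloadUrl
$hostOk = $false
foreach ($d in $OfficialDomains) {
    if ($uri.Host -eq $d -or $uri.Host.EndsWith(".$d")) { $hostOk = $true }
}
if ($uri.Scheme -ne 'https') { $findings += "Download was not over HTTPS (scheme: $($uri.Scheme))" }
if (-not $hostOk) { $findings += "Download host '$($uri.Host)' is not an official domain ($($OfficialDomains -join ', '))" }

# 2. Authenticode signature: status, publisher, issuer and validity period.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    $findings += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

if ($null -ne $sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    # SimpleName returns the subject CN, which is what the UAC prompt shows as the publisher.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedPublisher) { $findings += "Publisher '$cn' does not match expected '$ExpectedPublisher'" }

    # The signing certificate should come from a well-known CA, not be self-signed.
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'Certificate is self-signed' }
    $knownCAs = @('DigiCert', 'Sectigo', 'GlobalSign')   # the authorities named in the article
    if (-not ($knownCAs | Where-Object { $cert.Issuer -like "*$_*" })) {
        $findings += "Issuer '$($cert.Issuer)' is not one of the well-known CAs listed"
    }
    # A timestamped signature stays valid after the certificate expires, so this is informational.
    if ($cert.NotAfter -lt (Get-Date)) { $findings += "Certificate expired on $($cert.NotAfter)" }
}

# 3. SHA-256 for a reputation lookup (VirusTotal) or comparison with the vendor's published checksum.
$hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash

Write-Host "File:      $Path"
Write-Host "SHA-256:   $hash"
Write-Host "Publisher: $($sig.SignerCertificate.Subject)"
Write-Host "Issuer:    $($sig.SignerCertificate.Issuer)"
if ($findings.Count -eq 0) {
    Write-Host 'No red flags found. A valid signature is still only one factor; compare the hash with the vendor before installing.'
} else {
    Write-Warning 'Do not run this installer until every item below is explained:'
    $findings | ForEach-Object { Write-Warning " - $_" }
}
```

Save it as Verify-Installer.ps1 and run it as `.\Verify-Installer.ps1 -Path "$env:USERPROFILE\Downloads\ZoomInstaller.exe" -DownloadUrl 'https://zoom.us/download'`, adjusting the publisher and domain parameters for Slack, Notion, or whichever app you downloaded. A clean result means the file matches who it claims to be from; it does not prove the certificate holder is trustworthy, which is exactly the gap the campaign exploits, so the hash comparison still matters.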
Signs You May Be Infected
If you’ve already installed one of these fake apps, watch for:
- Unusual network activity: your internet is slow, or you see unexplained data usage even when you aren’t browsing.
- Your computer is sluggish, or the fan runs loudly when idle.
- New processes in Task Manager with generic names or high CPU usage.
- Antivirus alerts for things like “stealer” or “RAT”—but remember, signed malware may not trigger alerts at all.
- You notice password resets or weird logins on your accounts.
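The "unusual network activity" and "new processes" signs above can be checked more precisely than by watching Task Manager. The PowerShell listing below is an added example, not code from the article: it joins every established TCP connection to its owning process, the image path, and the Authenticode publisher, and flags binaries running from user-writable folders. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt so that every process path is readable.

```powershell
# Added example (not part of the original article): triage listing of established
# connections with owning process, image path and signer. Run from an elevated prompt.
$rows = foreach ($conn in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    # Loopback traffic is not useful for this question; skip it.
    if ($conn.RemoteAddress -in @('127.0.0.1', '::1')) { continue }

    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $path = $proc.Path
    $publisher = ''
    $sigStatus = 'n/a'
    if ($path) {
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if ($sig) {
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) {
                # Subject CN, the same name the UAC prompt would show as the publisher.
                $publisher = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
            }
        }
    }

    # Binaries that run from the user profile or temp folders deserve a second look
    # regardless of signature status: signed malware is exactly what the article describes.
    $userWritable = [bool]($path -and ($path -like "$env:USERPROFILE\*" -or $path -like "$env:TEMP\*"))

    [pscustomobject]@{
        PID          = $conn.OwningProcess
        Process      = $proc.ProcessName
        Remote       = "$($conn.RemoteAddress):$($conn.RemotePort)"
        Path         = $path
        Signature    = $sigStatus
        Publisher    = $publisher
        UserWritable = $userWritable
    }
}

# Put the user-writable entries at the top, since those are the ones to investigate first.
$rows | Sort-Object UserWritable -Descending | Format-Table -AutoSize
```

Read the output with the article's caveat in mind: a "Valid" signature from an unfamiliar publisher, or a familiar-looking publisher name on a binary living under your profile or temp folder rather than under Program Files, is worth investigating even though no antivirus alert fired.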
What to Do If You Think You’re Infected
- Disconnect from the internet immediately to cut off remote access.
- Run a full offline antivirus scan using Windows Defender Offline or a bootable scanner. This can catch malware even if it’s signed.
- Change your passwords from a clean device (like a phone) for all important accounts, especially email, banking, and work logins.
- Enable multi-factor authentication (MFA) on every account that supports it. A stolen password alone won’t be enough if MFA is active.
- If possible, restore from a known clean backup or, as a last resort, wipe and reinstall your operating system.
The Bottom Line
The TamperedChef campaign is a reminder that digital signatures are a useful but limited trust indicator. Attackers are actively working to exploit that trust. Staying safe means developing a habit of verifying where software comes from, not just what a pop-up says. Stick to official sources, double-check publisher details, and treat any installer that asks for unusual permissions with skepticism. The extra minute you spend checking a download is a small investment against a very real threat.
Sources: Research findings on TamperedChef reported by cybersecurity news outlets in May 2026. Specific technical details about certificate acquisition methods and exact payload capabilities are still under investigation by security teams.