Hackers Are Using Signed Productivity Apps to Hide Malware: What to Watch For

A new malware campaign called TamperedChef is making the rounds, and it takes a different approach than most. Instead of relying on shady downloads or obvious phishing links, attackers are disguising malicious software as legitimate, digitally signed copies of popular productivity apps. If you regularly use tools like Office, Slack, or Zoom, here’s what you need to know—and what you can do about it.

What happened

According to a report from CyberSecurityNews on May 21, 2026, the TamperedChef campaign uses stolen or misused digital certificates to sign malicious installers. When you download what appears to be a genuine version of a common productivity app, you’re actually getting a payload that delivers stealers and remote access trojans (RATs). The campaign has been observed impersonating apps like Microsoft Office, Slack, and Zoom, though the exact list may expand as researchers dig deeper.

What makes this attack particularly tricky is the digital signature. A signed application usually means it came from the developer and hasn’t been tampered with—or so most people assume. In this case, the attackers obtained legitimate certificates (through theft or abuse) and used them to sign their malware. So even if your system reports the file as “signed by a verified publisher,” it could still be malicious.

Why this matters for everyday users

Most of us have been told to only download software from official sources, and that a digital signature is a sign of safety. TamperedChef undermines that advice. It shows that a signed app is not automatically a safe app. For someone who clicks “accept” every time Windows or macOS asks for permission, this is a wake-up call.

If you happen to install a tampered app, the consequences go beyond a slow computer. Stealers can grab saved passwords, browser cookies, and even two-factor authentication tokens. RATs give attackers remote control of your machine, allowing them to spy, steal files, or use your device for further attacks. The damage isn’t limited to your device—it can extend to work accounts, banking, and anything else you access from that computer.

What you can do to stay safe

You don’t need to become a cybersecurity expert to reduce your risk. The following steps are practical and don’t require special tools.

  1. Download only from official app stores or developer websites. That means the Microsoft Store, Slack’s official site, Zoom’s download page, and so on. Avoid third-party download portals, even if they appear in search results first. Scammers often pay for ads that push malicious copies.

  2. Don’t rely solely on the digital signature. Look at the publisher name carefully. If it says “Microsoft Corporation” for an Office install, that’s correct. If it says something odd like “M1crosoft” or a name you don’t recognize, treat it with suspicion. Check the certificate details if you can.

  3. Enable app reputation checks. On Windows, turn on SmartScreen (it’s usually on by default). On macOS, keep Gatekeeper enabled. These features check against known malware databases, even for signed apps.

  4. Use antivirus or endpoint protection. A good antivirus product (like Windows Defender, which is free and built in) can catch signed malware based on what it does, not just by matching known-malware signatures. Make sure it’s updated.

  5. Be wary of unexpected update prompts. Malware often masquerades as a software update. If an app you already have asks you to download a new version, check by opening the app itself and looking for an update option in its menu—don’t click a pop-up from your browser or a random notification.
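
For step 2 on Windows, the certificate details can be read from PowerShell before running an installer. The script below is an added example, not taken from the cited report; the function name Test-InstallerPublisher and the file path are hypothetical, and the expected publisher is whatever name the real vendor signs with.

```powershell
# Added example: inspect the Authenticode signature of a downloaded installer
# and compare the signer with the publisher expected for that product.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,              # installer to inspect
        [Parameter(Mandatory)] [string] $ExpectedPublisher  # exact name, e.g. "Microsoft Corporation"
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Common Name of the signing certificate; empty when the file is unsigned.
    $publisher = if ($cert) {
        $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
    } else { '' }

    # Mark of the Web: the alternate data stream a browser writes on download.
    # HostUrl, when present, records the URL the file came from.
    $motw    = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($motw | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Publisher       = $publisher
        # Exact, case-sensitive comparison so lookalikes such as "M1crosoft" fail.
        PublisherMatch  = ($publisher -ceq $ExpectedPublisher)
        Issuer          = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        ValidFrom       = if ($cert) { $cert.NotBefore }  else { $null }
        ValidTo         = if ($cert) { $cert.NotAfter }   else { $null }
        DownloadedFrom  = $hostUrl
    }
}

# Hypothetical path; replace with the file you actually downloaded.
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\OfficeSetup.exe" `
                        -ExpectedPublisher 'Microsoft Corporation' | Format-List
```

A Valid status with a matching publisher is necessary but not sufficient, since this campaign signs with certificates that were stolen or misused. Read the result together with DownloadedFrom, which should point at the vendor's own site as in step 1.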

Signs of infection

If you suspect you’ve installed a tampered app, watch for these symptoms:

  • Your computer slows down noticeably, especially during startup.
  • Unusual pop-ups or ads appear, even when no browser is open.
  • Programs crash or behave erratically.
  • You notice unauthorized activity in your online accounts (unfamiliar logins, password reset emails, new devices linked to your account).

What to do if you think you’re infected

First, disconnect from the internet to limit the malware’s ability to communicate with its controller. Then run a full antivirus scan. If your antivirus doesn’t find anything (some signed malware can evade detection), consider using a second-opinion tool like Malwarebytes or Emsisoft Emergency Kit.

After cleaning the infection, change your passwords—especially for email, banking, and any accounts that don’t have two-factor authentication (2FA). Enable 2FA wherever possible. Also check for any suspicious account activity or new devices linked to your accounts.

If the infection involved work devices, inform your IT or security team immediately. They may need to investigate further and reimage the machine.

Final thoughts

The TamperedChef campaign is a reminder that the old rules aren’t enough. A signed app used to mean “safe,” but attackers are adapting. The best defense is a combination of cautious downloading, using built-in security features, and staying alert for unusual behavior. No single step will protect you perfectly, but together they make it much harder for malware to slip through.

Sources

  • CyberSecurityNews, “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” May 21, 2026.