How Malware Hides Inside Signed Productivity Apps – What You Need to Know

If you use apps like Notion, Trello, or Slack to manage your work or personal projects, you probably trust that the software you download is safe. Most people assume that if an app shows a valid digital signature, it has been checked by the developer and is free of malware. That assumption is being tested by a new campaign called TamperedChef.

On May 21, 2026, security researchers reported that TamperedChef is spreading through fake versions of popular productivity apps. These apps appear legitimate: they are signed with what looks like a proper digital certificate. But behind that signature, they deliver password stealers and remote access trojans (RATs) that can give attackers full control of your computer.

What Happened

TamperedChef works by taking well-known productivity applications and modifying them to include malicious code. The attackers then sign these tampered apps using stolen or fraudulently obtained code-signing certificates. Because the signature checks out, both the operating system and many security tools treat the file as trustworthy.

Once installed, the malware silently steals saved passwords, browser cookies, and other sensitive information. In some cases, it also opens a backdoor that lets the attacker run commands, capture keystrokes, or move laterally across a network. The campaign appears to target people who search for free or “cracked” versions of paid productivity tools, though the researchers did not rule out other distribution methods.

This is not a vulnerability in the apps themselves. The danger comes from downloading copies that are not from the official source.

Why It Matters

The use of signed apps makes this malware particularly hard to spot. Many users check only that a file has a digital signature and a green checkmark in Windows. But a valid signature only proves that the file hasn’t been altered since it was signed – it does not prove that the signing key was in the hands of the legitimate publisher, or that the file is safe.

Attackers have several ways to get signing certificates. They may buy them from shady resellers, steal them from development companies, or obtain them fraudulently from certificate authorities with lax identity checks. Once they have a certificate, they can sign any malware they want. The result is that traditional antivirus programs, which often trust signed files by default, may not flag the threat.

For everyday users, this means that the rule “only download signed apps” is no longer enough. You also need to verify where the download came from and what the app actually does after installation.

What Readers Can Do

Signs of a Fake App

Look for these clues before installing anything:

  • The download page is not the official company website. For example, a site that looks like “notion-download-free.net” instead of “notion.so” is a red flag.
  • The file size is different from the official version. A few megabytes difference can indicate added malware.
  • The app behaves strangely after installation – for example, it asks for permissions it shouldn’t need (like reading all your browser data), or it runs processes that you don’t recognise.
  • Your antivirus or Windows Defender shows a warning even if the file is signed. Some signatures are revoked after discovery, but not always immediately.
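As an added illustration of the first clue above (this is example code, not something from the article or from CybersecurityNews), here is a small PowerShell check that accepts a download link only when its host is the official domain or a genuine subdomain of it. The official domains are the ones the article names; the sample URLs at the bottom are constructed. The point it makes is that matching on a substring is the classic mistake: “notion-download-free.net” contains “notion”, and “notion.so.evil.net” starts with “notion.so”, yet neither belongs to Notion.

```powershell
# Added example (not from the article): is this download link on the official site?
# Accepts exact matches and real subdomains (label boundary enforced by the leading dot);
# rejects lookalike names, extra trailing labels and non-HTTPS links.

function Test-OfficialDownloadHost {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $OfficialDomain   # e.g. 'notion.so', 'trello.com', 'slack.com'
    )

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return $false                                   # not a parseable absolute URL
    }
    if ($uri.Scheme -ne 'https') {
        return $false                                   # design choice: installers over plain http are treated as suspect
    }

    # $host is a PowerShell automatic variable, so use a different name.
    $hostName = $uri.Host.ToLowerInvariant().TrimEnd('.')
    $official = $OfficialDomain.ToLowerInvariant().TrimEnd('.')

    # 'www.notion.so' passes; 'notion.so.evil.net' fails because it does not END with '.notion.so';
    # 'notion-download-free.net' fails because there is no dot directly before 'notion.so'.
    return ($hostName -eq $official) -or $hostName.EndsWith(".$official")
}

# Constructed sample links: one official, two lookalikes of the kind the article describes.
Test-OfficialDownloadHost -Url 'https://www.notion.so/desktop'                -OfficialDomain 'notion.so'
Test-OfficialDownloadHost -Url 'https://notion-download-free.net/setup.exe'  -OfficialDomain 'notion.so'
Test-OfficialDownloadHost -Url 'https://notion.so.evil.net/setup.exe'        -OfficialDomain 'notion.so'
```

Only the first call returns True. The check is deliberately strict: if a vendor serves downloads from a separate CDN domain, add that domain explicitly rather than loosening the match.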

Steps to Verify a Download

  1. Only use official app stores or the developer’s website. For Notion, go to notion.so. For Trello, go to trello.com. For Slack, go to slack.com. Avoid third-party download mirrors.
  2. Check the publisher name in the digital signature. In Windows, right-click the installer, go to Properties → Digital Signatures. The publisher should match the official company name. If it says something generic like “CN=Unknown” or a misspelled name, do not install.
  3. Read recent security news about the app. If a malware campaign is active, security sites usually report it quickly. A quick search for “app name + malware” can save you trouble.
  4. Use antivirus with behavioural detection. Traditional signature-based antivirus may miss signed malware. Tools that monitor what an app does after launch (behavioural analysis) are more likely to catch malicious activity.
  5. If in doubt, run the installer in a virtual machine or sandbox first. Services like ANY.RUN (mentioned in the same report) let you test files safely.
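Steps 2 and 4 can be scripted rather than clicked through. The PowerShell function below is an added example, not code from the article; it uses the built-in Get-AuthenticodeSignature cmdlet and the .NET X509Chain class, and the expected-publisher value is a placeholder that you replace with the subject name shown by an installer obtained from the official site. It separates the three questions the article says people conflate: is the signature valid, is the signer the publisher you expect, and has the certificate since been revoked.

```powershell
# Added example (not from the article). Checks a downloaded installer in three stages:
#   1. the Authenticode signature itself (file unaltered since signing),
#   2. the signer's name against publishers you have decided to trust,
#   3. the certificate chain, with online revocation checking.
# A TamperedChef-style file passes stage 1 and fails stage 2 (or, once the
# certificate is revoked, stage 3). Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ExpectedPublisher   # exact subject CN strings you trust
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = 'File not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Stage 1: unsigned, hash mismatch or untrusted root all end here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "Signature status: $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate
    $cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Stage 2: a valid signature proves integrity, not legitimacy. Compare the signer's
    # common name to the publisher you expect, exactly; a misspelled or generic name must fail.
    if ($ExpectedPublisher -notcontains $cn) {
        return [pscustomobject]@{
            Path       = $Path
            Verdict    = 'REJECT'
            Reason     = "Valid signature, but signer is '$cn'"
            Thumbprint = $cert.Thumbprint
        }
    }

    # Stage 3: rebuild the chain and ask the issuing CA whether the certificate is revoked.
    # Caveat: Build() evaluates validity at the current time, so an expired but
    # timestamp-countersigned certificate reports NotTimeValid here; handle that case separately.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($cert)) {
        $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        return [pscustomobject]@{
            Path       = $Path
            Verdict    = 'REJECT'
            Reason     = "Chain or revocation check failed: $problems"
            Thumbprint = $cert.Thumbprint
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Verdict    = 'OK'
        Reason     = "Signed by '$cn'"
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}

# Usage. The publisher string is a placeholder: copy the exact name from
# Properties -> Digital Signatures of an installer downloaded from the official site.
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\installer.exe" `
                        -ExpectedPublisher 'PLACEHOLDER Official Publisher Name'
```

An OK verdict here still only covers signature, signer and revocation; it does not replace step 5. Keep the thumbprint from a known-good installer and compare it on later downloads, since a stolen certificate used by an attacker and the legitimate one can carry the same subject name.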

What to Do If Infected

If you suspect you have installed a TamperedChef variant or similar signed malware:

  • Disconnect your computer from the internet immediately. This stops the attacker from communicating with your system.
  • Run a full scan with an up-to-date antivirus. Windows Defender is often good enough, but consider a second opinion from Malwarebytes or another reputable scanner.
  • Change all your passwords from a different, clean device. Start with your email, banking, and any accounts tied to the stolen data.
  • Enable two-factor authentication on every account that supports it. This adds a layer of protection even if passwords are compromised.
  • Check for unauthorised logins or unusual activity in your accounts. Many services show recent login locations – look for anything you don’t recognise.
  • If sensitive work data was involved, inform your IT department or security team. They can help check for broader network compromise.

Sources

  • CybersecurityNews. “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs.” Published May 21, 2026. [Link to article]