How to Avoid Malware Hidden in Signed Productivity Apps (TamperedChef Warning)
The short version
A new malware campaign called TamperedChef is spreading through productivity applications that appear to be digitally signed and legitimate. Once installed, these apps can steal passwords, install remote access tools (RATs), and give attackers control of your machine. Valid code-signing certificates help them bypass basic security checks. Here’s what happened, why it matters, and how to stay safe.
What happened
Security researchers recently identified a campaign they’ve named TamperedChef. The attackers are distributing versions of popular productivity software—things like document editors, note-taking apps, and project management tools—that have been tampered with. Crucially, these modified apps carry valid code signing certificates, which means they pass the signature checks that Windows, macOS, and some antivirus software rely on to decide whether a program is trustworthy.
Once the user downloads and runs the infected app, the malware unpacks additional payloads in the background. Those payloads include information stealers (to grab saved passwords, browser cookies, and crypto wallet details) and remote access trojans (RATs) that let the attacker control the computer remotely.
The campaign appears to target users who search for productivity tools from unofficial download sites, though it’s not yet clear how many people have been affected. The use of signed code makes detection harder for typical consumers.
Why it matters
Most of us have been told to only download software from official sources, and that a digital signature is a sign of safety. TamperedChef exploits that trust. By using stolen or fraudulently obtained code signing certificates, the malware can appear legitimate even to careful users who check the publisher name.
This matters because productivity apps are something many people download outside official stores—especially free or discounted versions. The malware doesn’t need a vulnerability in the operating system; it just needs you to click “run” on something that looks normal.
The consequences can be serious. Stolen credentials can lead to account takeovers, financial loss, or identity theft. A RAT on your machine means someone can watch your screen, turn on your webcam, or use your computer to attack others.
What you can do
None of this requires advanced technical knowledge. The following steps will reduce your risk significantly.
1. Download only from official channels
The safest place to get productivity software is the developer’s own website or an official app store (Microsoft Store, Mac App Store, official package managers like winget or Homebrew). Avoid third-party download sites, even if they seem reputable. Many of those sites host ad‑supported downloaders that bundle extra software—sometimes malicious.
2. Check the digital signature before installing
If you must download an .exe or .dmg from somewhere other than the official source, right-click the file and look at its digital signature properties. In Windows, open Properties → Digital Signatures. Verify that the signer is the actual publisher (e.g., “Microsoft Corporation” for Office, not some unknown name). Also check the date and whether the signature is valid. Be aware that attackers can forge or steal signatures, so this is not a perfect defense, but it catches some fakes.
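One way to automate the Properties → Digital Signatures check, as an added example (not code from the original article): it uses PowerShell's Get-AuthenticodeSignature, which reads the same signature the dialog shows, compares the signer name with the publisher you expect, and flags a certificate issued only days ago. The function name, the Test-InstallerSignature parameters and the 30-day "recently issued" threshold are assumptions, not values from the article.

```powershell
# Added example, not code from the original article. Mirrors the Properties > Digital
# Signatures dialog and flags the two things the article warns about: a signer that is
# not the expected publisher, and a very recently issued certificate (30 days is assumed).
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory = $true)] [string]$Path,
        [string]$ExpectedPublisher = '',   # e.g. 'Microsoft Corporation'; empty = report only
        [int]$RecentDays = 30
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host "File:      $Path"
    Write-Host "Status:    $($sig.Status)"   # Valid, NotSigned, HashMismatch, NotTrusted, ...
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature is not valid ($($sig.StatusMessage)). Do not run this file."
        return $false
    }
    $cert = $sig.SignerCertificate
    # SimpleName is the certificate's CN, the "Name of signer" shown in the dialog.
    $signer = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    Write-Host "Signer:    $signer"
    Write-Host "Issuer:    $($cert.Issuer)"
    Write-Host "Cert from: $($cert.NotBefore.ToString('yyyy-MM-dd')) to $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    if ($sig.TimeStamperCertificate) {
        Write-Host "Timestamp: $($sig.TimeStamperCertificate.Subject)"
    }
    $flags = @()
    # A valid signature only proves that whoever held this certificate signed the file;
    # a stolen or fraudulently obtained certificate passes the Status check just as well,
    # so the signer name must match the publisher you actually expect.
    if ($ExpectedPublisher -and $signer -ne $ExpectedPublisher) {
        $flags += "Signer '$signer' does not match expected publisher '$ExpectedPublisher'."
    }
    # A certificate issued only days before the download appeared is a common trait of
    # fraudulently obtained signing certificates (the "recently issued" heuristic).
    $ageDays = [math]::Round(((Get-Date) - $cert.NotBefore).TotalDays)
    if ($ageDays -lt $RecentDays) {
        $flags += "Signing certificate was issued only $ageDays day(s) ago."
    }
    if ($flags.Count -eq 0) {
        Write-Host 'No red flags; still prefer the publisher''s own site or store.' -ForegroundColor Green
        return $true
    }
    $flags | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage (constructed path): Test-InstallerSignature -Path 'C:\Downloads\setup.exe' -ExpectedPublisher 'Microsoft Corporation'
```

A green result is not proof of safety: it only tells you the file was signed by the name you expected with a certificate that is not brand new, which is exactly the check this campaign is designed to pass when the certificate itself was stolen.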
3. Use a capable antivirus or endpoint protection
Free antivirus is better than none, but many rely heavily on signature-based detection (matching known malware patterns) and can miss malware that carries a valid code-signing certificate. Consider using a solution that includes behavioral detection or sandboxing. Keep your antivirus updated. Some tools now flag apps with recently issued or rarely seen certificates as suspicious.
4. Be wary of unexpected download prompts
If a website claims you need to download an “update” to view a document, or if a pop‑up offers a “faster” version of a known app, close it immediately. That is a common distribution method for malware.
5. Watch for unusual behavior after installation
If a productivity app takes longer to start than expected, uses high CPU when idle, or prompts you for additional permissions (access to your browser data, keylogging, etc.), uninstall it and run a full malware scan. Legitimate apps don’t need those permissions.
6. What to do if you suspect infection
- Disconnect from the internet immediately to limit data theft.
- Run a full scan with your antivirus.
- Change passwords for important accounts from a clean device.
- If you have backups, restore from a point before the infection occurred.
- Consider using a dedicated malware removal tool like Malwarebytes for a second opinion.
Sources
- CyberSecurityNews – “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs” (May 2026)
URL: https://news.google.com/rss/articles/CBMiiAFBVV95cUxPWGg0THJyMVJFSUVGd3A0ZUNwdFFiUHpKSlBQVjFacUlmaUhkYVlmclFyNUJ5OHJnUE1Bbk5yYzNyZlFVcW0yZHdXdDZYZU82TkpsdmpBS25JY2t5aEpIQmJaaFlsaGJZdmJIY01DUHZtZGQtZ0pObVFrX3hVV215NFZIa3ZFRkNi0gGOAUFVX3lxTE9aRENONEx3U05zQmJDS1pvZmxBejdBWTlid2lhREZrR3BmVVAwbU1IeE1ZVjg2cWtIZVJtb255NDVVMnozRVY4b3dVWDVvSFlwY1FjTHVRVUYyNy1TV3dDSTdhdGR0bEhkeHVTa3lJYlhuN1FCN0Q4R1Vrd0NJaXczWVZhNUhaS0JHUXhPWXc?oc=5
Note: The details of the TamperedChef campaign are based on the initial security report. As more information becomes available, some aspects—such as the exact scope or distribution method—may be updated. Always verify with multiple sources.