How to Avoid TamperedChef Malware Hiding in Free Productivity Apps

A new malware campaign called TamperedChef is using a trick that makes dangerous software look perfectly safe: valid digital signatures on fake versions of popular free apps like Notepad++. Because the malware is signed with authentic code signing certificates, it can slip past Windows Defender, macOS Gatekeeper, and other security checks that normally flag unsigned downloads. Here is what happened, why it matters for anyone who downloads free tools, and a practical checklist to verify an app before you install it.

What happened

In May 2026, cybersecurity researchers disclosed a campaign that distributes trojanized versions of productivity apps—primarily Notepad++, but also PDF editors and system utilities. The attackers obtained valid code signing certificates (the same kind used by legitimate software publishers) and used them to sign the malicious installers. Once a user runs the signed installer, it drops an information stealer and a remote access trojan (RAT) in the background, all while presenting a fully functional copy of the requested app to avoid suspicion.

The signed installer is often distributed through search engine ads or fake download sites that look like the official project’s page. Because the file carries a valid signature, it does not trigger the typical “unverified publisher” warnings that most users rely on to judge safety. This makes TamperedChef more dangerous than many other malware strains—the signature is the camouflage.

Why it matters

For years, the common advice has been “only download software that is digitally signed from a reputable publisher.” That guidance still holds, but it is no longer sufficient. A signed file from an unknown or recently created publisher can still be malicious. The TamperedChef campaign shows that attackers are willing to invest in valid certificates (either by buying from a certificate authority with weak vetting or by compromising a legitimate developer’s signing infrastructure) to make their payloads look legitimate.

For everyday users, the immediate consequence is that a signed installer from a search ad or a third‑party download site is not automatically safe. The risk extends beyond Notepad++: other free productivity tools, especially those hosted on GitHub or official project sites that do not control third‑party copies, are likely targets.

What readers can do

You do not need to become a security expert to lower your risk. The following steps take only a minute or two but can catch many signed malware variants before they run.

1. Download only from the official source

The simplest and most effective defense is to skip search ads entirely. Bookmark the official website for each tool you use regularly (for Notepad++, that is notepad-plus-plus.org). If you need a PDF editor, go to the vendor’s known domain, not a download aggregator. If the official site is unavailable, wait for it to come back rather than searching for an alternative download.

2. Check the digital signature details

Even if a file is signed, you can check who signed it and whether the certificate is recent or from an unknown organization.

  • On Windows: Right‑click the installer, select Properties, go to the Digital Signatures tab, select the signature, and click Details. Look at the “Name” and “Issuer” fields. A legitimate Notepad++ installer, for example, will be signed by “Notepad++” or “Don HO” (the developer). If the signer is an unfamiliar company name, or the certificate was issued within the last few months, treat it with suspicion.
  • On macOS: Right‑click the app or installer, choose Get Info, and expand the More Info or General section to see the signature. Look for a known developer name. If you see “Not Verified” or an unknown signer, do not open it.

3. Check the download URL and file name

Attackers often use misspelled domains (e.g., notepad-plusplus.org instead of notepad-plus-plus.org) or add extra words to the file name (e.g., Notepad++_v8.7_installer.exe). Compare the URL against the official site. If the name contains unusual characters or a version number that does not match the current release, verify before running.

4. Run a second opinion scan

Before opening any downloaded installer, upload it to a service like VirusTotal (or use a local antivirus with multiple engines). TamperedChef may bypass some signature-based detection, but multiple engines can flag behavioral anomalies. If even one or two scanners mark it malicious, do not run it.

5. Avoid “cracked” or “portable” versions

Many free app repacks, “premium” cracks, and “portable” copies come from untrusted sources and are a common vector for signed malware. Stick to the official installer, even if it means you get limited functionality.

6. Keep your operating system and antivirus updated

While no update can catch every signed malware variant, newer definitions increasingly include behavioral detection and signature reputation scoring. Enable automatic updates for Windows Defender, macOS XProtect, or your third‑party antivirus.
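The signature, URL and hash checks in steps 2 to 4 above, automated as one added PowerShell example that is not part of the original article. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, where Get-AuthenticodeSignature and Get-FileHash are available; the default signer name, official domain list, installer naming pattern and 90‑day certificate age threshold are assumptions for Notepad++ that you should edit for each tool. The function returns an object with a verdict and a list of findings rather than a yes/no answer, because a valid status alone is exactly what this campaign abuses.

```powershell
# Added example, not from the article: automates checklist steps 2, 3 and 4
# for a downloaded Windows installer. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows (Get-AuthenticodeSignature is Windows-only).
# Default signer names, domains and file-name pattern are assumptions.

function Test-DownloadedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,                  # downloaded installer
        [Parameter(Mandatory)] [string] $DownloadUrl,           # URL it was fetched from
        [string[]] $ExpectedSigners  = @('Notepad++'),          # substrings expected in the cert subject (assumed)
        [string[]] $OfficialDomains  = @('notepad-plus-plus.org'), # official download hosts (assumed)
        [string]   $ExpectedNamePattern = '^npp\.\d+(\.\d+)*\.Installer(\.x64|\.arm64)?\.exe$', # assumed naming
        [int]      $MinCertAgeDays   = 90                       # certificates younger than this get flagged
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $signer = $null
    $issuer = $null

    # Step 2: signature status, signer identity, certificate age.
    # A stolen or freshly bought certificate still yields Status 'Valid',
    # so the identity and age checks matter as much as the status itself.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($sig.Status)', not 'Valid'")
    }
    if ($sig.SignerCertificate) {
        $cert   = $sig.SignerCertificate
        $signer = $cert.Subject
        $issuer = $cert.Issuer
        $known  = @($ExpectedSigners | Where-Object { $signer -like "*$_*" }).Count -gt 0
        if (-not $known) {
            $findings.Add("Signer '$signer' is not an expected signer")
        }
        $ageDays = [int]((Get-Date) - $cert.NotBefore).TotalDays
        if ($ageDays -lt $MinCertAgeDays) {
            $findings.Add("Certificate was issued only $ageDays days ago (NotBefore $($cert.NotBefore.ToString('yyyy-MM-dd')))")
        }
    }

    # Step 3: host must be an official domain; catch hyphen/dot lookalikes
    # such as notepad-plusplus.org versus notepad-plus-plus.org.
    $hostName = ([System.Uri] $DownloadUrl).Host.ToLowerInvariant()
    $official = @($OfficialDomains | Where-Object { $hostName -eq $_ -or $hostName.EndsWith(".$_") }).Count -gt 0
    if (-not $official) {
        $stripped  = $hostName -replace '[-.]', ''
        $lookalike = $OfficialDomains | Where-Object { ($_ -replace '[-.]', '') -eq $stripped } | Select-Object -First 1
        if ($lookalike) {
            $findings.Add("Host '$hostName' is a lookalike of official domain '$lookalike'")
        } else {
            $findings.Add("Host '$hostName' is not an official download domain")
        }
    }

    # Step 3 continued: the file name should follow the publisher's scheme.
    $fileName = Split-Path -Path $Path -Leaf
    if ($fileName -notmatch $ExpectedNamePattern) {
        $findings.Add("File name '$fileName' does not match the expected naming pattern")
    }

    # Step 4: the SHA-256 lets you search VirusTotal for an existing report
    # before deciding whether to upload the file at all.
    $sha256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $verdict = if ($findings.Count -eq 0) { 'PASS' } else { 'REVIEW' }

    [pscustomobject]@{
        File     = $fileName
        Status   = $sig.Status
        Signer   = $signer
        Issuer   = $issuer
        SHA256   = $sha256
        Verdict  = $verdict
        Findings = $findings.ToArray()
    }
}

# Usage (assumed path and URL):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\npp.8.7.Installer.x64.exe" `
#     -DownloadUrl 'https://notepad-plus-plus.org/downloads/v8.7/' | Format-List
```

A REVIEW verdict is a prompt to look closer, not proof of malware: a publisher that has just renewed its certificate will trip the age check, which is why the issuer and subject are returned alongside the findings. On macOS the equivalent manual checks are `codesign -dv --verbose=4 /path/to/App.app`, whose Authority lines name the signer and chain, and `spctl --assess --type execute -vv /path/to/App.app`, which reports whether Gatekeeper would accept it.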

What to do if you suspect an infection

If you have already installed a suspicious signed app, disconnect from the internet, run a full antivirus scan, and change passwords for any accounts you accessed on that device. Enable two‑factor authentication (2FA) on critical accounts, especially email and financial services. Monitor for unusual activity over the following weeks, as stealers often exfiltrate data in stages. If you find persistent malware, consider a clean reinstall of the operating system.

Sources

  • CyberSecurityNews: “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs” (published 21 May 2026).