How to Spot Fake Signed Productivity Apps Before They Infect Your PC
When you download a free PDF editor or a note-taking tool, you might see a message like “Publisher verified” or a green certificate icon. That usually signals the software is safe. But attackers are now putting valid digital signatures on malware to make it look legitimate—so even that trusted indicator can deceive you.
A recent campaign called TamperedChef has been distributing signed installers that impersonate popular productivity apps such as Notepad++, PDF converters, and office suites. Security researchers observed the campaign in May 2026. The signed executables carry stealer malware and remote-access tools (RATs) that can steal passwords and browser cookies and give the attacker control of your machine. This is not an isolated incident; similar signed malware (such as ValleyRAT, distributed through fake Microsoft Teams downloads) shows that the technique is becoming common.
What Happened?
According to reports, the TamperedChef operation uses code-signing certificates stolen from legitimate companies or obtained through compromised certificate authorities. The resulting signature is cryptographically valid: whoever holds the private key can sign anything, and the signature only proves that the key holder signed the file, not that the key holder is the developer you expect. Because Windows sees a valid chain to a trusted root, SmartScreen and some antivirus engines may trust the file, or at least not flag it as suspicious. The fake apps are hosted on third-party download sites that closely mimic the real developer's page. Unsuspecting users searching for a free tool find these sites, download what looks like an authentic installer, and run it. The signed binary then drops a second-stage payload that steals sensitive data.
Why It Matters
A digital signature is meant to guarantee that the software comes from a particular publisher and hasn’t been tampered with. When attackers misuse that trust, the entire system of code verification is weakened. For everyday users, the green “verified” badge becomes a liability rather than a safety net. Moreover, signed malware can bypass some endpoint protection because the signature shows a previously trusted publisher. This makes it especially dangerous for people who rely on visual cues alone to decide whether software is safe.
What You Can Do to Protect Yourself
You can still rely on signatures, but you need to go beyond the initial green checkmark. Here are concrete steps to verify a productivity app before you install it.
1. Check the Signature Details, Not Just the Badge
- In Windows, right-click the installer file and select Properties → Digital Signatures. You’ll see a list of signers.
- Look at the Signer name. It should match the publisher name that the developer's official website states for its releases (or the signer on a copy of the same app you already trust). If the name is generic, belongs to an unrelated company, or differs from the one you expected, do not run the file.
- Click Details, then View Certificate. Check the Issued to field, the issuing CA, and the certificate's expiration date. Also look at the Certificate Path tab: all certificates in the chain should be valid and issued by a trusted root authority. If you see warnings like "This certificate has been revoked," the file could be compromised. Bear in mind that a clean chain is exactly what signed malware has, so a valid path is necessary but not sufficient; the decisive questions are whether the signer is the right publisher and whether the certificate (compare its thumbprint on the Details tab) is the same one the developer used for previous releases.
2. Stick to Official Sources
The safest place to download any productivity app is its official website or a trusted app store (Microsoft Store, Apple App Store, or the developer's own GitHub releases page, reached from a link on the official site). Third-party download aggregators often host old versions or re-bundled installers that can include malware, even if they are signed. Bookmark the official site; don't rely on search engine results or sponsored links, which is how the TamperedChef look-alike sites reach their victims.
3. Verify the File Hash
After downloading a file, you can compute its SHA-256 checksum and compare it with the hash published on the developer’s official site. Here’s how:
- Open PowerShell or Command Prompt and run:
  certutil -hashfile "C:\path\to\file.exe" SHA256
- Compare the resulting hash with the one published on the developer's download page (look for a "Checksum" or "Verify" section). If the hashes don't match, the file has been altered and should be deleted.
- Take the expected hash from the official site only. A hash printed on the same third-party page that served the download proves nothing, because the attacker controls both.
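Steps 1 and 3 can be combined into one check that you run before double-clicking anything. The script below is an added example written for this article, not code from the original page or from any vendor; the parameters $InstallerPath, $ExpectedSha256, $ExpectedPublisher and $KnownGoodThumbprint are placeholders you fill in from the developer's official site (or from a copy of the app you already trust), and the function name Test-DownloadedInstaller is invented here. It uses only built-in cmdlets (Get-FileHash, Get-AuthenticodeSignature) and the .NET X509Certificate2 API.

```powershell
# Added example, not from the original article. Verifies a downloaded installer's
# SHA-256 hash and Authenticode signature before you run it.
# All four parameters are placeholders: take the values from the developer's
# official site, never from the page that served the download.
param(
    [Parameter(Mandatory = $true)] [string] $InstallerPath,
    [Parameter(Mandatory = $true)] [string] $ExpectedSha256,
    [Parameter(Mandatory = $true)] [string] $ExpectedPublisher,
    [string] $KnownGoodThumbprint   # optional: thumbprint from a release you already trust
)

function Test-DownloadedInstaller {
    param([string]$Path, [string]$Sha256, [string]$Publisher, [string]$Thumbprint)
    $problems = @()

    # Step 3: the file's SHA-256 must equal the hash published on the official site.
    # PowerShell's -ne on strings is case-insensitive, so upper/lower-case hex both work.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.Trim()) {
        $problems += "SHA-256 mismatch: file is $actual, expected $Sha256"
    }

    # Step 1: Authenticode signature. 'Valid' means the chain builds to a trusted root
    # and the signed bytes are intact. It does NOT mean the signer is honest; that is
    # exactly the property signed malware has, so the checks below matter more.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    if ($null -eq $sig.SignerCertificate) {
        $problems += 'File carries no signature at all'
        return $problems
    }
    $cert = $sig.SignerCertificate

    # SimpleName returns the subject CN without hand-parsing the distinguished name
    # (which may contain quoted commas such as CN="Example, Inc.").
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $Publisher) {
        $problems += "Signer is '$cn' (issued by '$($cert.Issuer)'), expected '$Publisher'"
    }

    # A certificate stolen from some other legitimate company has a different
    # thumbprint than the one the real developer used for earlier releases, even if
    # the CN looks plausible. Pinning cannot catch a key stolen from the impersonated
    # developer itself; the hash check above covers that case.
    if ($Thumbprint -and $cert.Thumbprint -ne $Thumbprint) {
        $problems += "Certificate thumbprint $($cert.Thumbprint) differs from known-good $Thumbprint"
    }

    # Without a timestamp counter-signature the signature stops validating once the
    # certificate expires, and you cannot tell when the file was actually signed.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'No timestamp counter-signature (signing time cannot be established)'
    }
    return $problems
}

$result = Test-DownloadedInstaller -Path $InstallerPath -Sha256 $ExpectedSha256 `
    -Publisher $ExpectedPublisher -Thumbprint $KnownGoodThumbprint
if ($result.Count -eq 0) {
    Write-Host 'OK: hash, signer name and signature status all match the official values.'
    Write-Host 'Still inspect Properties > Digital Signatures > Certificate Path before running.'
} else {
    Write-Host 'DO NOT RUN this file:'
    $result | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

Save it as, for example, Test-Installer.ps1 and run it as .\Test-Installer.ps1 -InstallerPath .\setup.exe -ExpectedSha256 <hash from the official site> -ExpectedPublisher "<publisher name from the official site>". Any non-empty problem list means the download should be deleted, not "tried anyway".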
4. Enable Behavioral Antivirus Features
Not all malware is detected by static signatures. Use an antivirus solution that includes behavioral monitoring (often labelled "behavior-based protection" or "heuristic analysis"; plain "real-time protection" may only mean on-access file scanning). These tools watch what a program does after it runs, such as reading your browser's password database, injecting into other processes, or modifying system files, and can block it even if the installer is signed.
5. Be Wary of Unusual Permissions
When you launch the app, pay attention to what it asks for. A note-taking tool should not request access to your camera, microphone, or browser history. Note that a classic Windows desktop installer does not present a permission list the way a phone app does; the one prompt you will reliably see is the User Account Control dialog, and the publisher name it shows should match the developer you expect. If an installer demands administrator rights it has no reason to need, or a seemingly innocent app asks for suspicious permissions, cancel the installation and remove the file.
The Bottom Line
Signed malware like TamperedChef exploits our trust in digital certificates. By checking signatures thoroughly, verifying hashes, and only downloading from official sources, you can avoid being the next victim. A green checkmark alone is not enough—treat it as a starting point, not a final guarantee.
Sources
- “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” CyberSecurityNews, 21 May 2026.
- “Hackers Use Fake Microsoft Teams Downloads to Deploy ValleyRAT Malware,” CyberSecurityNews, 21 May 2026.
- Additional details on code-signing certificate theft and misuse from public threat reports (May 2026).