How to Spot Fake Signed Productivity Apps That Steal Your Passwords

A new malware strain called TamperedChef is making the rounds by exploiting something most of us take as a green light: a digital signature on an app installer. The attackers package information stealers and remote access trojans inside installers that appear to be legitimate productivity tools—and those installers are cryptographically signed to look trustworthy. If you rely on that signature alone to decide whether an app is safe, this campaign is a reminder that the system has cracks.

Here’s what’s happening, why it matters for anyone who downloads software regularly, and concrete steps you can take to avoid being tricked.

What Is TamperedChef?

TamperedChef was first documented by cybersecurity firm Cyble in late May 2026. The malware is distributed through installers that impersonate popular productivity applications such as Slack, Notion, and Zoom. The installers are signed with digital certificates—either stolen from legitimate developers or purchased through schemes that bypass proper identity verification.

Once installed, the malware delivers payloads like RedLine and Vidar infostealers, along with remote access trojans (RATs) that give attackers control over the infected machine. The campaign primarily targets Windows users, though similar techniques could affect macOS.

Why Signed Malware Is a Growing Problem

A digital signature is meant to assure you that the software comes from a known publisher and hasn’t been tampered with. Operating systems and antivirus tools often treat signed software with less suspicion. But a signature is only as good as the certificate authority that issued the certificate, the process used to validate the applicant’s identity, and the publisher’s protection of its private signing key.

In this campaign, the attackers used certificates that appeared valid. That means even careful users who checked the signature’s “Verified Publisher” label might have been misled. According to security researchers, the certificates involved were either stolen from small developers or obtained through a reseller that didn’t properly vet the request. The exact method isn’t yet public, but the result is clear: a signed app is no longer a guarantee of safety.

How the Attack Works

The infection chain starts with a download. Victims might land on a fake download page via a search ad, a social media post, or a phishing email. The page offers a seemingly legitimate app installer. If the user runs it, the installer drops the malicious payload alongside the real application, or in some cases instead of it.

The apps impersonated are widely used for remote work and collaboration—tools that employees might install quickly without checking the source. That makes the campaign especially dangerous in professional settings, where a single infected machine can lead to credential theft, data exfiltration, or lateral movement within a network.

What You Can Do to Protect Yourself

No single action will stop every threat, but combining a few habits makes it much harder for attackers to succeed.

1. Verify the download source, not just the signature

Always download productivity apps from the official website or the OS vendor’s app store (Microsoft Store, Mac App Store). Avoid links from search ads, third-party download portals, or social media promotions. If you land on a site that looks like the official page, double-check the URL—typosquatting is common.

2. Examine the certificate details

In Windows, right-click the installer and choose “Properties,” then go to the “Digital Signatures” tab. Look at the signer name: is it the expected company (e.g., “Slack Technologies,” “Notion Labs”)? If the name is misspelled, generic, or unknown, treat it as a red flag. On macOS, check the developer ID in the security settings after attempting to open the app.

Note: Even a correct name isn’t ironclad, but it’s a useful data point.

3. Compare file hashes with the official version

For high-stakes tools, the developer may publish SHA-256 hash values on their official site. After downloading, you can generate the hash of your file (using Get-FileHash on Windows or shasum -a 256 on macOS) and compare it. If they don’t match, the file has been modified.
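The following script is an added example, not part of the original article or any vendor's tooling: it performs the checks from steps 2 and 3 in one pass on Windows, reading the installer's Authenticode signature and comparing its SHA-256 with the value you copied from the vendor's official page. The installer path, expected signer name, and expected hash are placeholders you supply.

```powershell
# Added example (not from the article). Combines step 2 (who signed it?) and
# step 3 (does the hash match the published value?) for one installer file.
# $ExpectedSigner and $ExpectedSha256 are placeholders: take them from the
# vendor's official download page, never from the page you downloaded from.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # Step 2: Authenticode signature. 'Valid' means the signature verifies and
    # the certificate chains to a root Windows trusts; anything else is a flag.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems.Add("Signature status: $($sig.Status) ($($sig.StatusMessage))")
    }

    $cert   = $sig.SignerCertificate
    $signer = $null
    $thumb  = $null
    if ($null -eq $cert) {
        $problems.Add('File carries no signer certificate.')
    } else {
        $signer = $cert.Subject
        $thumb  = $cert.Thumbprint
        # A valid signature from the wrong publisher is exactly what this
        # campaign relies on, so compare the subject with the company you expect.
        if ($signer -notlike "*$ExpectedSigner*") {
            $problems.Add("Unexpected signer: $signer")
        }
    }

    # Step 3: SHA-256 of the local file versus the published value.
    # PowerShell's -ne compares strings case-insensitively, so hex case is fine.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        $problems.Add("SHA-256 mismatch: local file is $actual")
    }

    [pscustomobject]@{
        Path       = $Path
        Signer     = $signer
        Thumbprint = $thumb
        Sha256     = $actual
        Trusted    = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage with placeholder values (replace all three before running):
Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\Installer.exe" `
    -ExpectedSigner 'Expected Publisher Name' `
    -ExpectedSha256 '<SHA-256 copied from the vendor download page>'
```

Treat `Trusted = $False` as a reason to stop and re-download from the official site, not as a prompt to click through the warning; and remember that `Trusted = $True` still only tells you the file matches what the vendor published, which is why step 1 comes first.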

4. Keep security software updated

Enable real-time protection on your antivirus or endpoint security tool. Even signature-based detection can catch some variants, and behavioral detection may flag suspicious installer behavior. That said, no tool catches everything—it’s a layer, not a shield.

5. Watch for signs of infection after installing

After installing a new app, monitor for unusual system behavior: unexpected pop-ups, slow performance, new processes in Task Manager, or outbound network connections you don’t recognize. If you see anything odd, quarantine the machine and run a full scan.

What to Do If You Think You’ve Been Infected

If you suspect you installed a tampered app:

  • Disconnect the computer from the network immediately to prevent data exfiltration.
  • Run a full malware scan using a reputable tool (Windows Defender, Malwarebytes, or similar).
  • Change passwords for any accounts you accessed on that machine, starting with email and financial accounts. Use a different, clean device for the password changes.
  • Enable two-factor authentication on all critical accounts if you haven’t already.
  • Consider enabling fraud alerts with your bank or credit agencies if you stored payment information on the infected machine.

The Bottom Line

The TamperedChef campaign is one example of a broader trend: attackers are investing in bypassing the trust mechanisms we rely on. Digital signatures are still useful, but they are not a definitive test of safety. The most practical defense is to control how you download software in the first place—and to stay suspicious of anything that arrives through a channel you didn’t initiate.

Sources:

  • Cyble research report on TamperedChef (May 2026)
  • Cybersecurity news coverage from CyberSecurityNews and other outlets (May 2026)
  • Public reporting on RedLine and Vidar stealer distribution methods