How to Spot Malware Hidden in Signed Productivity Apps
A new malware campaign, tracked as TamperedChef, is making the rounds by doing something that sounds contradictory: using legitimately signed installer files to deliver stealers and remote access trojans. If you’ve ever downloaded a “cracked” version of Microsoft Office or a free copy of a paid productivity tool, this is the kind of threat you need to watch out for.
What Happened?
According to reports from late May 2026, the TamperedChef campaign targets users of popular productivity software—think Microsoft Office, Google Drive desktop clients, Notion, and similar tools. Attackers tamper with installer files, add malware, and then sign the modified installer with a valid code-signing certificate. Those certificates may be stolen, forged, or obtained through shady resellers, but they pass Windows SmartScreen and many antivirus checks because the file appears to come from a trusted publisher.
The malware hidden inside these signed installers includes information stealers (to grab saved passwords, browser data, and credentials) and remote access trojans (RATs) that let attackers take full control of the device. The initial distribution happens via fake download sites, torrent files, and phishing emails that point to unofficial download links.
Why It Matters
Most of us have been taught to trust a “signed by” label. When you see a publisher name you recognize, you assume the file is safe. That assumption is what TamperedChef exploits. Because the installer carries a valid digital signature, traditional security filters often let it through without a second look.
The threat is real for anyone who doesn’t stick to official sources. A single click on a fake download link can give attackers access to your email, your work files, and even your webcam. Since these malware families are designed to be persistent, they can stay hidden for weeks or months.
What You Can Do to Protect Yourself
None of this requires advanced technical skills. Here are concrete steps you can take right now:
Download only from official stores or publisher websites.
For Microsoft Office, that means microsoft.com or the Microsoft Store. For Google Drive, that means google.com/drive/download. For any other productivity app, go to the developer’s site directly. Avoid third-party download aggregators, torrents, or “free download” portals.
Check the digital signature before running an installer.
Right-click the installer file, select Properties, and go to the Digital Signatures tab. Look at who signed it. If you’re expecting a file from Microsoft but the signer is some random company, do not run it. Also click the “Details” button to view the certificate chain and expiration date. A certificate that’s been revoked or is expired is a red flag.
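The same check can be scripted, which is handy if you download installers often or want a record of what you inspected. The script below is an added example, not part of the original article or any vendor’s tooling; it uses the built-in Get-AuthenticodeSignature cmdlet and assumes a placeholder installer path and an expected publisher name that you replace with your own.

```powershell
# Added example (not from the article): inspect an installer's Authenticode
# signature before running it. The path and publisher below are placeholders.
function Test-InstallerSignature {
    param(
        [string]$InstallerPath     = "$env:USERPROFILE\Downloads\OfficeSetup.exe", # placeholder
        [string]$ExpectedPublisher = "Microsoft Corporation"                        # what the CN should contain
    )

    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath

    # Status is Valid only when the file hash matches the signature and the
    # certificate chains to a trusted root. NotSigned, HashMismatch and
    # NotTrusted all mean: do not run the file.
    "Status     : $($sig.Status) ($($sig.StatusMessage))"

    if (-not $sig.SignerCertificate) { return }

    $cert = $sig.SignerCertificate
    "Signer     : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "Valid from : $($cert.NotBefore) to $($cert.NotAfter)"
    "Thumbprint : $($cert.Thumbprint)"
    if ($sig.TimeStamperCertificate) {
        "Timestamped: yes (signature can outlive the certificate's expiry)"
    }

    # A perfectly valid signature from the wrong publisher is exactly the
    # pattern the article describes, so compare the subject to what you expect.
    if ($cert.Subject -notmatch [regex]::Escape($ExpectedPublisher)) {
        Write-Warning "Signed, but not by '$ExpectedPublisher'. Do not run this file."
    }

    # Re-build the chain with online revocation checking (CRL/OCSP) so a
    # revoked certificate is reported explicitly.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }
}

Test-InstallerSignature
```

Two caveats: the chain rebuild at the end reports NotTimeValid for a certificate that has expired even when the signature was timestamped while it was valid, so read that status together with the “Timestamped” line rather than on its own; and a Valid status with the right publisher name still only tells you who signed the file, not that the publisher’s key was never stolen, which is why the download-source advice above still applies.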
Use an app reputation service.
Before launching a downloaded file, upload it to a site like VirusTotal (virustotal.com). It will check the file against dozens of antivirus engines. No single engine is perfect, but if more than one flags the file, you know something is wrong. You can also use browser extensions that check downloads automatically.
Keep your antivirus and real-time protection on.
Make sure Windows Defender (or your third-party antivirus) is updated and running real-time scanning. Some security tools now include “controlled folder access,” which blocks unauthorized programs from modifying your documents. Turn that on.
Run as a standard user, not an administrator.
If your daily account has limited privileges, any malware that does get in will have a harder time making system-level changes. It won’t stop everything, but it can limit the damage.
Watch out for “cracked” or “free” versions.
Pirated software is a common vector for this kind of attack. The promise of a free license for a $100 app is almost never worth the risk. Stick with free alternatives like LibreOffice or the basic web versions of productivity tools if you can’t afford the paid ones.
What to Do If You Suspect an Infection
If you’ve already downloaded and run a suspicious installer, act quickly:
- Disconnect the device from the internet to prevent data exfiltration.
- Run a full offline scan with Windows Defender or your antivirus software.
- Look for unusual network connections using tools like Resource Monitor (resmon.exe). If you see unknown processes reaching out to unfamiliar IPs, that’s a bad sign.
- Consider using a dedicated malware removal tool like Malwarebytes or Emsisoft Emergency Kit.
- Change all passwords from a known-clean device after you’ve cleaned the infected machine. Enable two-factor authentication wherever possible.
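If you would rather see the network picture as a list than page through Resource Monitor, the script below does the same job from PowerShell. It is an added example, not part of the original article; it uses the built-in Get-NetTCPConnection and Get-Process cmdlets, lists every established connection that is not to the local machine, and records whether the owning program’s executable is signed. Run it in an elevated PowerShell window, and run it before you pull the network cable, since once the device is offline there are no live connections to inspect.

```powershell
# Added example (not from the article): list established TCP connections with
# the owning process, its executable path, and that executable's signature status.
function Get-ConnectionInventory {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |   # skip loopback
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }
            # Signature of the process binary; "unknown" when the path is not readable
            # (typical for System/protected processes without elevation).
            $sigStatus = if ($path) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'unknown' }

            [pscustomobject]@{
                Process   = if ($proc) { $proc.ProcessName } else { '?' }
                PID       = $conn.OwningProcess
                Remote    = "$($conn.RemoteAddress):$($conn.RemotePort)"
                Path      = $path
                Signature = $sigStatus
            }
        } |
        # Unsigned and unknown entries sort to the top so they are seen first.
        Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Process
}

Get-ConnectionInventory | Format-Table -AutoSize
```

What to look for: a process you do not recognize, a binary running from a temporary or user-profile folder such as AppData, or a Signature column that is not Valid. A Valid entry is not a clean bill of health on its own, for the reason the whole article is about, so treat the list as a starting point for the scan and removal steps above rather than as a verdict.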
Sources
- “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” CyberSecurityNews, May 21, 2026.
- “ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories,” The Hacker News, May 21, 2026.
No security tool is perfect, and attackers will keep refining their methods. But by treating every signed installer with a healthy dose of skepticism and sticking to official sources, you can avoid the vast majority of these attacks.