How to Spot Malware Hiding in Signed Productivity Apps: A Guide to Staying Safe
A new malware campaign dubbed TamperedChef is making the rounds, and it has a particularly nasty trick: the malware is distributed inside digitally signed versions of legitimate productivity apps. That means the files your antivirus might normally trust—because they appear to come from a reputable publisher—could actually be carrying a stealer or a remote access trojan (RAT). This article explains how the attack works and, more importantly, what you can do to avoid falling for it.
What Happened: Signed Apps, Hidden Payloads
According to reports from mid-2026, the TamperedChef campaign uses copies of popular productivity tools (such as text editors, PDF readers, and note-taking apps) that have been tampered with and then re-signed with a valid code signing certificate. Security researchers found that the attackers either stole certificates or abused legitimate ones (for instance, by compromising a developer’s account). Because the software shows up as “signed by a verified publisher,” many users and even some security scanners let it run without a second thought. Once installed, the malware unpacks a stealer to grab credentials and a RAT to give attackers remote control of the machine.
Why It Matters: Trust in Digital Signatures Is Not Absolute
Most people know they should avoid downloading software from shady sites, but we tend to feel safe when Windows or macOS tells us the publisher is verified. That trust is exactly what the TamperedChef attackers are exploiting. A digital signature only proves that the code was signed by someone holding a certificate—it does not guarantee that the code is safe. If that certificate was stolen or misused, the signed file can be dangerous. This is not a new technique, but it is effective, and it reminds us that no single security indicator is foolproof.
What Readers Can Do: Practical Steps to Protect Yourself
The good news is that you can significantly reduce your risk with a few simple habits.
1. Verify the publisher and the signature yourself.
On Windows: right‑click the .exe or .msi file, select Properties, then go to the Digital Signatures tab. Look at the “Name of signer” and check that it matches the software’s official publisher—not a generic or misspelled name. If a free app like Notepad++ claims to be signed by a company you have never heard of, that is a red flag. You can also click Details and confirm the certificate has not expired and was issued by a known Certificate Authority.
On macOS: open the .dmg or .app, go to Applications > Utilities > Console (or use spctl --assess --verbose in Terminal) to see whether the app is notarized. The Gatekeeper check offers some protection, but it is not infallible. For any app you are unsure about, hold Option and click the app icon, then look at the information shown.
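The Windows check above can be scripted so that the signer is compared against the publisher you expect rather than eyeballed in the Properties dialog. This is an added example, not code from the article; the file path and the expected publisher name are placeholders you replace for the download you are checking.

```powershell
# Added example: verify an installer's Authenticode signature and compare the
# signer with the publisher you expect. $Path and $ExpectedSigner are assumptions.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\installer.exe",   # assumed location of the download
    [string]$ExpectedSigner = "Example Publisher Inc."            # placeholder: the real publisher's name
)

$sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop

# 1. Is the signature chain valid at all? Anything other than 'Valid'
#    (NotSigned, HashMismatch, UnknownError, ...) is a red flag.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

$cert = $sig.SignerCertificate
if ($null -eq $cert) {
    Write-Warning "File carries no signer certificate."
    return
}

# 2. Does the signer's Common Name match the publisher you expect?
#    A technically valid signature from an unrelated company is the
#    pattern the article describes: the trust indicator is green, the signer is wrong.
$signerName = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($signerName -ne $ExpectedSigner) {
    Write-Warning "Signer '$signerName' does not match expected publisher '$ExpectedSigner'."
}

# 3. Show validity window, issuing CA and thumbprint so you can compare
#    against a previous known-good download from the same publisher.
Write-Host "Signer     : $signerName"
Write-Host "Issuer     : $($cert.Issuer)"
Write-Host "Valid from : $($cert.NotBefore) to $($cert.NotAfter)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
if ($sig.TimeStamperCertificate) {
    Write-Host "Timestamped: $($sig.TimeStamperCertificate.Subject)"
}
```

Record the thumbprint of a download you have confirmed is genuine; a later release from the same publisher signed with a different certificate deserves a second look before you run it.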
2. Download only from official app stores or the developer’s direct website.
Third‑party download portals are a common source of trojanized software. Even reputable‑looking sites sometimes host modified versions. Stick to the Microsoft Store, the Mac App Store, or the publisher’s own domain. If you must use an alternative site, check the download link’s URL carefully and read user reviews (though reviews can be faked).
3. Keep your software and operating system updated.
Attackers often exploit known vulnerabilities in outdated versions. Regular updates won’t stop a signed Trojan by itself, but they reduce the chance that a second‑stage payload can exploit a security hole to gain persistence or steal data.
4. Use behavior‑based security tools.
Traditional antivirus relies on signature detection, which can miss a signed malicious file. Consider adding a tool that watches for suspicious behavior—like unexpected outbound connections or attempts to access your password manager. Some free options include Windows Defender’s “Controlled folder access” or third‑party endpoint detection tools.
5. What to do if you think you have been infected.
If you suspect you ran a tampered app, disconnect the machine from the internet immediately. Then run a full scan with an up‑to‑date scanner, and if possible, use a second scanner (like Malwarebytes) for a cross‑check. Change passwords for any accounts you accessed on that computer, using a different device. If you find signs of a RAT or stealer, you may need to wipe the system and restore from a known‑good backup—do not assume a simple removal is enough.
The Bottom Line
The TamperedChef campaign is a reminder that even signed software can be dangerous. Digital signatures are a useful layer of trust, but they are not a guarantee. By verifying signatures yourself, sticking to official sources, and staying alert to unusual behavior, you can stay one step ahead of attackers who rely on our complacency.
Sources
“TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs” – CyberSecurityNews
https://news.google.com/rss/articles/CBMiiAFBVV95cUxPWGg0THJyMVJFSUVGd3A0ZUNwdFFiUHpKSlBQVjFacUlmaUhkYVlmclFyNUJ5OHJnUE1Bbk5yYzNyZlFVcW0yZHdXdDZYZU82TkpsdmpBS25JY2t5aEpIQmJaaFlsaGJZdmJIY01DUHZtZGQtZ0pObVFrX3hVV215NFZIa3ZFRkNi0gGOAUFVX3lxTE9aRENONEx3U05zQmJDS1pvZmxBejdBWTlid2lhREZrR3BmVVAwbU1IeE1ZVjg2cWtIZVJtb255NDVVMnozRVY4b3dVWDVvSFlwY1FjTHVRVUYyNy1TV3dDSTdhdGR0bEhkeHVTa3lJYlhuN1FCN0Q4R1Vrd0NJaXczWVZhNUhaS0JHUXhPWXc?oc=5
“ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories” – The Hacker News (mentions TamperedChef)
https://news.google.com/rss/articles/CBMifkFVX3lxTE1BUE9hLTR3QkxDcVhxMTFlcnRZZHpEWksyLUtyMDRIVmI4bjEta1JKeVFXODBvUVcxbnRjV3Z4aWd5dXE3XzF5NXJ3WF85U21tbzQybk1yS2N5dGctdFQtMW1pTTk0b1d2U3E1UG1NeHhyTXFhaXFzOEN2XzVIZw?oc=5