Signed Malware: Why a Verified Digital Certificate No Longer Guarantees Safety

If you’ve ever downloaded a software installer and seen a message that says “Verified publisher: Microsoft Corporation,” you probably felt reasonably confident it was safe. That confidence is exactly what hackers are now exploiting. A recently reported campaign called TamperedChef is using legitimate-looking, digitally signed versions of popular productivity apps to deliver malware that steals credentials and grants remote access to attackers.

Here’s what happened, why it matters for anyone using Windows, and—most importantly—what you can actually do about it.

What Happened

According to cybersecurity researchers, the TamperedChef campaign distributes malware through installers that appear to be signed copies of apps like Microsoft Teams, Slack, and Zoom. These installers carry valid digital signatures—either stolen from the original developers or obtained through fraudulent certificate applications—so they pass many automated security checks.

Once installed, the payload includes information stealers and remote access trojans (RATs). A related operation, reported separately, used fake Microsoft Teams downloads to deliver a RAT called ValleyRAT. The key technique in both cases is the same: signed code that looks trustworthy to both users and security software.

Why It Matters

For years, digital signatures were considered a strong indicator of software integrity. If a file was signed by a reputable publisher, you could be reasonably sure it hadn’t been tampered with after signing. But that assumption has cracks. Code signing certificates can be compromised, and some certificate authorities issue them without rigorous checks.

The practical effect is that even careful users who always download from official sites can still be fooled, because the attackers set up convincing fake download pages that offer signed installers. Security software that trusts any signed file will let the malware run without objection. The old rule of “only install something if it has a valid signature” is no longer enough on its own.

What You Can Do to Stay Safer

You don’t need to become a security expert to reduce your risk. A few straightforward habits can help:

1. Check the publisher name, and think about whether it makes sense. If you’re downloading Microsoft Teams and the publisher is listed as “Mićrosoft Corporation” (note the accented c) or “Teams Software Ltd,” that’s a red flag. Genuine Microsoft products are signed by “Microsoft Corporation” or “Microsoft Windows Publisher.” For other apps, you can look up the official publisher name on the vendor’s website.

2. Verify the certificate details. On Windows, right-click the installer, select Properties, then the Digital Signatures tab. Click the signature entry and choose Details. Look at the “Issued by” field—legitimate certificates are issued by well-known certificate authorities like DigiCert, GlobalSign, or Sectigo. If the issuer is unfamiliar, or if the certificate shows “Pending” or “Expired,” be suspicious.

3. Download only from the official vendor website or a trusted app store. This sounds obvious, but many people search for “Microsoft Teams download” and click the first result. Attackers buy ads that appear above real links. Bookmark the official download page. For apps like Slack or Zoom, use the store in your operating system (Microsoft Store, Mac App Store) when available.

4. Enable app reputation checks in Windows Security. In Windows 10 and 11, go to Windows Security > App & browser control > Reputation-based protection. Turn on “Check apps and files.” This uses Microsoft’s cloud-based reputation data, which can flag a signed file that hasn’t been seen before or is known to be abusive.

5. Use antivirus with behavioral detection, not just signature scanning. Traditional antivirus that only matches files against known signatures will often pass a signed malware file. Tools that monitor behavior (what a program does after it runs) can catch suspicious actions like modifying system files, connecting to unknown servers, or trying to extract passwords. Windows Defender includes behavioral detection by default, but make sure it’s up to date.

6. Be skeptical of urgency or free offers. Many of these campaigns use phishing emails or social media messages that urge you to “update Teams immediately” or “download this free productivity tool.” If the message pressures you, pause and verify through a separate channel.
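
The publisher check from step 1, written out as code. This is an added example, not from the original article or the cited reports: it takes the signer details an installer reports and decides whether the publisher is the one expected for that product, including the accented lookalike case. The allowlist, function names and sample records are assumptions constructed for illustration; the status strings follow the names PowerShell's Get-AuthenticodeSignature reports.

```python
import unicodedata

# Assumed allowlist. The Microsoft names are the ones the article gives;
# add other vendors from each vendor's own website.
EXPECTED_PUBLISHERS = {
    "Microsoft Teams": {"Microsoft Corporation", "Microsoft Windows Publisher"},
}

def skeleton(name):
    """Fold accents, compatibility forms, case and spacing for comparison.
    This does not catch cross-script lookalikes (e.g. Cyrillic letters)."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(base.casefold().split())

def assess(product, publisher, status):
    """Return (verdict, reason) for one installer's reported signer details."""
    expected = EXPECTED_PUBLISHERS.get(product)
    if expected is None:
        return ("review", "no expected publisher recorded for this product")
    if status != "Valid":
        return ("reject", "signature status is " + status)
    if publisher in expected:
        # A match is necessary, not sufficient: the download source still matters.
        return ("publisher-ok", "exact match with an expected publisher")
    if skeleton(publisher) in {skeleton(name) for name in expected}:
        return ("reject", "lookalike of an expected publisher name")
    return ("reject", "valid signature, but from an unexpected publisher")

# Constructed sample records: (product, publisher on the signature, status).
SAMPLES = [
    ("Microsoft Teams", "Microsoft Corporation", "Valid"),
    ("Microsoft Teams", "Mićrosoft Corporation", "Valid"),
    ("Microsoft Teams", "Teams Software Ltd", "Valid"),
    ("Microsoft Teams", "Microsoft Corporation", "HashMismatch"),
]

if __name__ == "__main__":
    for product, publisher, status in SAMPLES:
        verdict, reason = assess(product, publisher, status)
        print(f"{publisher!r:28} {status:13} -> {verdict}: {reason}")
```

Three of the four sample records carry a valid signature, and only one of them passes the publisher check.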

The Bottom Line

Signed malware is not a new threat, but the TamperedChef campaign shows it remains an effective one. A digital signature is still useful—it confirms that the file hasn’t been modified since signing—but it does not guarantee the file is safe. Treat every download with care, even if it looks official. Combine signature checks with source verification and a healthy dose of skepticism.

Sources:

  • “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” CyberSecurityNews, May 21, 2026.
  • “Hackers Use Fake Microsoft Teams Downloads to Deploy ValleyRAT Malware,” CyberSecurityNews, May 21, 2026.