Malware ‘TamperedChef’ Hides in Signed Productivity Apps: What to Do Now

A new malware campaign called TamperedChef is making the rounds, and it’s worth knowing how it works even if you don’t consider yourself a security expert. The short version: attackers are distributing tampered versions of popular productivity apps—think Teams, Zoom, or Slack—but these copies carry a valid digital signature. That signature tricks both the operating system and antivirus software into trusting the file, so the malware gets installed without raising obvious flags.

Here’s what’s actually happening and what steps you can take to avoid getting caught.

What happened

According to a report published by CyberSecurityNews on May 21, 2026, security researchers identified a campaign that spreads malware through what appear to be legitimate productivity applications. The twist is that the malicious installers are signed with authentic digital certificates, meaning they will not trigger the usual “untrusted publisher” warnings when you run them.

Once installed, the payload contains information stealers (designed to capture credentials, browser cookies, and other sensitive data) and remote access trojans (RATs) that give attackers control over the infected machine. The exact list of apps being mimicked has not been confirmed publicly, but based on the pattern, it is likely a set of widely used collaboration tools.

Why it matters

Most people know to be cautious about downloading software from unknown websites. A signed application, however, bypasses that instinct. When Windows or macOS shows a publisher name you recognize, the natural reaction is to trust it. The TamperedChef campaign exploits that trust.

For everyday users, the risk is straightforward: if you install a fake version of an app you rely on for work or communication, you could hand over access to your email, work accounts, financial logins, or even your home network. For businesses, a single compromised device can lead to lateral movement and a broader breach.

Signs your device might be infected

Not every slowdown or pop-up means you have malware, but some behaviors warrant a closer look:

  • The app takes unusually long to start or crashes frequently.
  • You see unexpected pop-ups, even when the app is not running.
  • Your system feels sluggish, or internet traffic spikes at odd times.
  • You notice new browser extensions or toolbars you did not install.
  • Friends or colleagues report receiving strange messages from you.

If any of these coincide with a recent installation of a productivity app, treat it with suspicion.

What you can do to stay safe

The most effective protection is to change your installation habits.

Download only from official sources. Go directly to the developer’s website or use the official app stores (Microsoft Store, Apple App Store, or the respective app’s official site). Do not click “download” buttons on third-party blogs, pop-up ads, or search results that look like sponsored links.

Verify the publisher. On Windows, right-click the installer, go to Properties > Digital Signatures, and check that the signer matches the software vendor. On macOS, open the app’s info panel and look at the “Signed by” entry. If the publisher name seems off or is missing, do not run the file.
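The Windows check above can be scripted so it is applied the same way every time. The following PowerShell function is an added example, not code from the CyberSecurityNews report or from any vendor; it treats a valid signature from the wrong publisher as a rejection, which is exactly the case a TamperedChef-style installer produces. The expected Common Name, the optional pinned thumbprint, and the installer path in the example call are placeholders you would take from a known-good copy of the app.

```powershell
# Added example (not from the report): verify an installer's Authenticode
# signature AND that the signer is the vendor you expect. "Valid" alone is
# not enough, because a tampered installer can carry a valid signature that
# belongs to a publisher other than the real vendor.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Common Name you expect on the signing certificate (placeholder;
        # read the real one from a known-good install of the same app).
        [Parameter(Mandatory = $true)][string]$ExpectedCN,
        # Optional: pin the exact certificate thumbprint of a known-good copy.
        [string]$ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid (NotSigned, HashMismatch, UnknownError ...)
    # means the file was never signed or was altered after signing.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "signature status $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate
    # SimpleName returns the certificate's CN, e.g. the vendor's company name.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Valid signature, wrong publisher: the trick this campaign relies on.
    if ($cn -ne $ExpectedCN) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "valid signature but signer is '$cn', expected '$ExpectedCN'" }
    }

    # Same name on a different certificate is also suspicious: a look-alike
    # company can obtain its own legitimate certificate under a similar name.
    if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "signer name matches but thumbprint $($cert.Thumbprint) is not the pinned one" }
    }

    return [pscustomobject]@{ Path = $Path; Verdict = 'OK'; Reason = "signed by '$cn' (thumbprint $($cert.Thumbprint))" }
}

# Example call; path and Common Name are placeholders, not confirmed values.
Test-InstallerPublisher -Path 'C:\Users\me\Downloads\ZoomInstaller.exe' -ExpectedCN 'Zoom Video Communications, Inc.'
```

On macOS the comparable command-line check is `codesign -dv --verbose=4 /Applications/App.app`, which prints the signing Authority chain for you to compare against the vendor's name.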

Check app permissions after installation. For example, a video conferencing app should not need access to your password manager or browser history. If it asks for broad permissions, that is a red flag.

Keep security software active and up to date. While signed malware can sometimes bypass antivirus, modern endpoint detection tools often catch unusual behavior even if the initial file is trusted. Run regular scans.

Enable multi-factor authentication (MFA) on important accounts. Even if a stealer captures your password, MFA can block the attacker from logging in.

What to do if you think you are infected

If you suspect you have installed a tampered app:

  1. Disconnect from the internet. Unplug the Ethernet cable or turn off Wi-Fi. This limits the attacker’s ability to communicate with the malware.
  2. Run a full system scan with your antivirus software. Some scanners can also run offline from a bootable USB.
  3. Change your passwords from a clean device (like a phone or another computer).
  4. Check for unusual account activity—especially in email, banking, and cloud storage.
  5. Report the incident to your organization’s IT team if the device is work-related, or to local cybersecurity authorities if you notice fraud.

Sources

  • CyberSecurityNews, “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” May 21, 2026. (Original report)