Don’t Get Tricked by Fake Productivity Apps: What to Know About the TamperedChef Malware Campaign
If you’ve ever downloaded a quick installer for Microsoft Teams, Zoom, or Slack from a third-party site, you’re not alone. Many people take shortcuts when they need a collaboration tool in a hurry. But that shortcut can lead straight into a malware trap. A recently uncovered campaign called TamperedChef is actively distributing information stealers and remote access trojans (RATs) through fake versions of popular productivity apps—and the worst part is that the malicious installers appear to be digitally signed, which makes them look legitimate.
Here’s what you need to know about the threat and, more importantly, how to avoid it.
What Happened?
According to reports from cybersecurity news outlets in late May 2026, attackers behind TamperedChef are using stolen or fraudulently obtained code‑signing certificates to sign their malware installers. Code signing is normally a good thing—it tells your operating system that the software comes from a verified publisher and hasn’t been tampered with. The TamperedChef campaign abuses this trust by making fake setup files for apps like Microsoft Teams, Slack, and Zoom appear as though they were published by a reputable company.
Once installed, the malware delivers payloads such as information stealers (that can harvest passwords, cookies, and saved credentials) and RATs (which give attackers remote control over the infected machine). The fraudulent installers have been spotted on third‑party download sites and in some cases distributed through spear‑phishing emails that direct users to lookalike download pages.
The malicious programs are signed under names that mimic real developers, or use certificates that were either stolen or issued with fraudulent documents. Because the signature checks out at the operating system level, antivirus tools may not flag the file as suspicious right away.
Why It Matters
For the average user, a signed installer is a strong signal that the software is safe. TamperedChef exploits that trust to bypass first‑line defenses. Once a stealer or RAT is on your computer, attackers can do everything from exfiltrating your files to using your machine as part of a larger botnet. For professionals who use these apps for work, a compromised device can expose company credentials, client data, and internal communications.
What makes this campaign especially concerning is that it targets some of the most widely used productivity tools. People are conditioned to download these apps frequently, and many don’t think twice about the source as long as the setup file runs without warnings. The signed nature of the malware means that even careful users can be fooled.
What You Can Do
You don’t need to be a security expert to protect yourself. The steps are straightforward and don’t take much time.
Always download from official app stores or the vendor’s own website.
The safest place to get Microsoft Teams is from Microsoft’s site; the safest place for Zoom is zoom.us. Avoid third‑party download portals like Download.com, Softonic, or random mirrors. When in doubt, type the vendor’s URL manually rather than clicking a search result.
Check the publisher name before you run the installer.
On Windows, right‑click the installer file, go to Properties, then the Digital Signatures tab. Look at the name of the signer. Is it “Microsoft Corporation” or something vague like “Software Solutions Inc.”? If the publisher doesn’t match the app you’re trying to install, don’t run it. Mac users can check the signing developer in the security settings after attempting to open the file.
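The same publisher check can be scripted in PowerShell. The following is an added example, not code from the original article or from any vendor; the function name `Test-InstallerPublisher` and the sample file path are assumptions made for illustration. It treats a file as trusted only when the signature is valid and the signer name exactly matches the publisher you expect, which is the case a valid but wrongly attributed signature fails.

```powershell
# Added example (not from the original article): confirm that an installer's
# signature is valid AND that the signer is the publisher you expect.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Exact publisher name expected as the certificate's subject name.
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    $sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction Stop
    $cert = $sig.SignerCertificate
    $signer = $null
    if ($cert) {
        # SimpleName is normally the subject's common name (CN).
        $signer = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
    }

    if ($sig.Status -ne 'Valid') {
        # Unsigned, modified after signing, or chain not trusted.
        $trusted = $false
        $reason = "Signature status is $($sig.Status)"
    }
    elseif (-not [string]::Equals($signer, $ExpectedPublisher,
            [System.StringComparison]::OrdinalIgnoreCase)) {
        # Exact match only: a substring test would accept lookalike names
        # that merely contain the real publisher's name.
        $trusted = $false
        $reason = "Valid signature, but signed by '$signer'"
    }
    else {
        $trusted = $true
        $reason = 'Valid signature from the expected publisher'
    }

    [pscustomobject]@{
        Path       = $Path
        Trusted    = $trusted
        Reason     = $reason
        Signer     = $signer
        Issuer     = if ($cert) { $cert.Issuer }
        Thumbprint = if ($cert) { $cert.Thumbprint }
    }
}

# Constructed sample path; point it at the file you actually downloaded.
Test-InstallerPublisher -Path .\TeamsSetup.exe -ExpectedPublisher 'Microsoft Corporation'
```

The returned thumbprint and issuer can be compared against those of an installer downloaded directly from the vendor’s own site.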
Watch for red flags in the download itself.
Unexpected file sizes (a 500 MB installer for a messaging app that should be under 100 MB), requests for unusual permissions (like “allow this app to access your files” when the real app never does), or prompts to disable security software are all warning signs. The legitimate versions of these apps do not ask you to turn off antivirus.
Use endpoint protection and keep it updated.
Modern antivirus and security suites should catch most variants of known stealers and RATs, even if the file is signed. Make sure automatic updates are enabled. Consider using a free tool like Malwarebytes as a second‑opinion scanner.
Keep your operating system and apps patched.
Attackers often exploit known vulnerabilities to load their payloads after the initial infection. Staying current with Microsoft and Apple updates closes those gaps.
What to Do If You Think You’ve Installed a Fake App
If you downloaded a productivity app from an unofficial source recently, or if you notice unusual behavior (sluggish performance, unexpected pop‑ups, new toolbars, or your antivirus suddenly disabled), take these steps:
- Disconnect from the internet to prevent data exfiltration and remote control.
- Run a full system scan with your installed antivirus, then follow up with a dedicated malware removal tool.
- Change passwords for any accounts you accessed on that device—especially email, banking, and work credentials. Use a different computer if possible.
- Enable multi‑factor authentication on every account that supports it.
- Monitor your financial accounts and credit for signs of fraud for the next few months.
The Bottom Line
The TamperedChef campaign is a reminder that even signed software should be treated with skepticism if it comes from an unusual source. Digital signatures are a useful trust indicator, but they can be misused. By sticking to official app stores and vendor websites, verifying the publisher, and keeping your security tools up to date, you can stay ahead of this threat.
Sources: Reports from CyberSecurityNews (May 2026) covering the TamperedChef campaign, including details about signed fake apps delivering stealers and RATs, and related coverage on fake Microsoft Teams downloads distributing ValleyRAT.