New Malware Hides in Signed Productivity Apps to Steal Your Data: What to Do

A recently discovered malware family called TamperedChef is using a clever trick to bypass many common security defenses: it hides inside installer files that carry a valid digital signature. That signature makes the app look legitimate to both Windows and macOS security tools, as well as to users who check for the “signed by” notice. Once installed, the payload can steal saved passwords and browser cookies, and can even give an attacker full remote control of your machine.

Here is what is happening and what you can do to avoid falling victim.

What Happened

According to a report from CyberSecurityNews (May 2026), TamperedChef malware has been found embedded in installers for popular productivity apps — PDF converters, note-taking tools, file compressors, and similar software. The attackers obtained valid code-signing certificates either through theft or by forging the identity checks required by certificate authorities. Because the installer itself is digitally signed, Windows SmartScreen and macOS Gatekeeper typically pass it without a warning.

Once executed, the malware drops a stealer module that collects credentials from browsers and email clients, and a remote access trojan (RAT) that gives attackers persistent access. It spreads through third-party download sites, ad links in search results, and sometimes fake customer support pages.

Why It Matters

The digital signature is widely taught as a sign of safety. If an app is “signed by a verified publisher,” most people assume it is trustworthy. TamperedChef exploits that trust. Even careful users who check the publisher name can be misled if the certificate was stolen from a legitimate software company. The malware is not targeting any single operating system — both Windows and macOS environments are at risk.

In practice, this means you cannot rely solely on whether an app is signed. You need additional checks before installing any productivity tool, especially if you downloaded it from anywhere other than the official developer’s website or a major app store.

What Readers Can Do

Here are concrete steps to reduce your risk:

  • Download only from official sources. Do not use third-party aggregator sites, “cracked” software portals, or links in search ads. Go directly to the developer’s verified website or use the official app store for your platform.
  • Verify the certificate chain. On Windows, right-click the installer, select Properties, then go to Digital Signatures. Double-check the signer name matches the software publisher you expect, and click “Details” to see if the certificate is valid and issued by a well-known authority. On macOS, right-click the app and choose Get Info; look under “Signed by” and confirm the developer name.
  • Check file reputation with antivirus. Many modern antivirus tools (including Microsoft Defender) check not just the signature but the file’s reputation based on how many other users have run it. Enable cloud-delivered protection to get these checks.
  • Be skeptical of “free” versions of paid apps. If a normally paid PDF editor is offered for free on an unknown site, it is almost certainly a trap.
  • Watch for unusual behavior after installation. Apps that try to run scans or ask for excessive permissions (like access to saved passwords) right after setup are a red flag.
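
The Windows certificate check from the list above can also be scripted. The following PowerShell is an added example, not code from the original report: the function name, its parameters, the file name and the publisher name are all hypothetical. It compares the signer against the publisher you expect and returns the file's SHA-256 hash for a reputation lookup.

```powershell
# Added example; the function name and parameters are hypothetical.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        [string] $ExpectedThumbprint   # optional, taken from a known-good installer
    )

    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $cert     = $sig.SignerCertificate
    $findings = @()
    $signer   = $null

    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    if ($cert) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $cert.GetNameInfo($nameType, $false)
        if ($signer -ne $ExpectedPublisher) {
            $findings += "Signer '$signer' is not the expected publisher '$ExpectedPublisher'"
        }
        $pin = $ExpectedThumbprint -replace '\s', ''
        if ($pin -and $cert.Thumbprint -ne $pin) {
            $findings += 'Certificate thumbprint differs from the known-good installer'
        }
    } else {
        $findings += 'File carries no Authenticode signature'
    }

    # A clean result only means the signature matches expectations. A stolen
    # certificate passes these checks, so the hash is returned for a reputation
    # lookup or comparison with a checksum the publisher lists.
    [pscustomobject]@{
        File       = (Resolve-Path -LiteralPath $Path).Path
        Signer     = $signer
        Issuer     = if ($cert) { $cert.Issuer } else { $null }
        ValidFrom  = if ($cert) { $cert.NotBefore } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Findings   = $findings
    }
}

# Constructed file name and publisher, for illustration only.
Test-InstallerSignature -Path .\Setup.exe -ExpectedPublisher 'Example Software Ltd'
```

An empty Findings list means the signature is valid and names the expected publisher; it does not by itself mean the installer is safe.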

What to Do If You Think You Are Infected

  1. Disconnect the computer from the internet immediately.
  2. Run a full offline virus scan with your security software. On Windows, Windows Defender’s offline scan is a good starting point.
  3. Change passwords for all important accounts using a clean device (like a phone or another computer), and enable two-factor authentication wherever possible.
  4. Consider running a dedicated malware removal tool or resetting the device if the scan finds something persistent.

Sources

  • “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” CyberSecurityNews, May 2026. (Original news article covering the discovery.)