New Malware Hides Inside Fake Signed Productivity Apps—Here’s How to Spot Them

If you’ve ever searched for a free download of Microsoft Teams, Slack, or Zoom outside the official channels, you might have stumbled upon something that looks legitimate but isn’t. A new malware campaign called TamperedChef is using fake versions of these productivity apps—and what makes them particularly dangerous is that they are cryptographically signed, which can fool both users and basic security checks.

Here’s what happened, why it matters, and how you can protect yourself.

What Happened

Security researchers have identified a campaign in which attackers are distributing counterfeit installer files for popular collaboration tools. The malware is signed with valid code-signing certificates, meaning the file will appear to come from a trusted publisher when you check its digital signature. A valid signature suppresses some of the initial warnings that operating systems and antivirus programs might otherwise raise.

The fake apps are being served through malicious advertisements in search results and through copycat download sites designed to look like official pages. Once installed, the malware delivers information stealers and remote access trojans (RATs), giving criminals the ability to steal passwords, browse files, or take control of the affected computer.

According to reports, the targeted apps include Microsoft Teams, Slack, and Zoom. Given the widespread use of these tools in both professional and personal settings, the potential reach of the campaign is large.

Why It Matters

Most people know to avoid suspicious files from unknown senders. But a digitally signed application feels safer—even to experienced users. The TamperedChef campaign exploits that trust. Attackers have invested in acquiring legitimate certificates, likely through theft or by registering as legitimate companies, which makes the malware harder to detect.

The consequences of infection can be serious: credential theft, data exfiltration, and long-term remote access that can be used for further attacks. Because the malware is signed, it may also persist longer before being noticed.

What Readers Can Do

You don’t need to be a security expert to reduce your risk. Here are concrete steps that work:

Download from official sources only

Always get software directly from the developer’s website or from the official app store (Microsoft Store, Slack’s website, Zoom’s download page). Avoid third-party download sites, even if they appear high in search results.

Inspect the digital signature

On Windows, right-click the installer file, select Properties, and go to the Digital Signatures tab. Check that the signer is the actual vendor (e.g., “Microsoft Corporation” for Teams). If the signer is something generic or unknown, do not run the file. On macOS, look for the “Developer ID” in Gatekeeper details.
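
The same check from PowerShell, as an added example that is not part of the original article: it accepts an installer only when the Authenticode signature validates and the signer name exactly matches the vendor you expect. The function name, its parameters and the sample path are hypothetical.

```powershell
# Added example: a valid signature alone is not enough; the signer must be the expected vendor.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,              # installer to inspect
        [Parameter(Mandatory)] [string] $ExpectedPublisher  # e.g. 'Microsoft Corporation' for Teams
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate   # $null when the file carries no signature

    # Simple name of the certificate subject (normally the CN, i.e. the publisher shown in Properties).
    $signer = if ($cert) {
        $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    $signatureValid   = $sig.Status -eq 'Valid'
    # Case-sensitive exact match, so a merely similar-looking publisher name does not pass.
    $publisherMatches = [bool]$signer -and ($signer -ceq $ExpectedPublisher)

    $reason = if (-not $cert) {
        'File is not signed.'
    } elseif (-not $signatureValid) {
        "Signature did not validate: $($sig.StatusMessage)"
    } elseif (-not $publisherMatches) {
        "Signed, but by '$signer' rather than '$ExpectedPublisher'."
    } else {
        'Valid signature from the expected publisher.'
    }

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = $signer
        Issuer     = if ($cert) { $cert.Issuer }
        Thumbprint = if ($cert) { $cert.Thumbprint }
        Trusted    = $signatureValid -and $publisherMatches
        Reason     = $reason
    }
}

# Usage (hypothetical path):
# Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\TeamsSetup.exe" -ExpectedPublisher 'Microsoft Corporation'
```

A result with `Status` of `Valid` but `Trusted` of `False` is the case this campaign relies on: the file is genuinely signed, just not by the vendor whose app it claims to be.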

Watch for red flags in the installer

Fake apps often have typos in the setup window, oddly placed logos, or request unusual permissions (e.g., asking for access to your camera or microphone when it’s not needed). If something feels off, close the installer and do a quick online search.

Use antivirus and keep it updated

Modern antivirus software can detect many known strains of stealers and RATs. Make sure real-time protection is enabled and that you run occasional full scans.

Be cautious with free “cracked” versions

Many malware campaigns target users looking for paid software for free. Avoiding these downloads entirely is the simplest way to stay safe.

What to Do If You Think You Downloaded a Fake App

If you suspect you’ve installed a fraudulent productivity app, act quickly:

  1. Disconnect from the internet to prevent the malware from communicating with its controller.
  2. Run a full antivirus scan using a reputable tool (Windows Defender is a good start).
  3. Change your passwords from a clean device—especially for email, banking, and work accounts.
  4. Enable two-factor authentication on any accounts that support it.
  5. Monitor your accounts for unauthorized activity over the next few weeks.

You may also want to run a second opinion scanner, such as Malwarebytes, to catch anything the primary antivirus might have missed.

Staying Vigilant

The TamperedChef campaign is a reminder that malware continues to evolve and that even signed software should be treated with caution. By sticking to official sources, checking signatures, and staying alert to unusual behavior, you can avoid becoming the next victim.

If you come across a suspicious download or a site impersonating a known product, consider reporting it to the developer or to your country’s cybercrime reporting platform. Every report helps reduce the reach of these scams.

Sources: Reports on the TamperedChef campaign from CyberSecurityNews and related security industry coverage (May 2026).