New Malware Hijacks Signed Productivity Apps to Steal Your Data—Here’s How to Stay Safe
What’s happening with TamperedChef
A malware campaign called “TamperedChef” has been active since at least mid‑May 2026. According to cybersecurity researchers, the attackers are distributing remote access trojans (RATs) and information stealers by packaging them inside copies of legitimate productivity applications. What makes this campaign especially tricky is that the malicious installers carry valid digital signatures, made with the same kind of code‑signing certificates that reputable software publishers use to prove a file hasn’t been tampered with.
The malware targets free productivity tools such as note‑taking apps, calendars, and office suites. Specific app names have not been publicly disclosed yet, but the general pattern is clear: a user downloads what looks like a trusted program, and behind the scenes a stealer or RAT takes hold.
Why this matters for everyday users
Most people rely on the little “signed by” notice in software installers as a shortcut for trust. If Windows or macOS says the publisher is verified, it’s easy to assume the file is safe. TamperedChef exploits that assumption. By using stolen or fraudulently obtained code‑signing certificates, the malware gets past many of the automatic checks that security software would normally use to flag it.
Once installed, a RAT can give attackers remote control of your computer — reading files, capturing keystrokes, recording passwords, and even turning on your webcam. An information stealer will quietly harvest saved browser credentials, credit card numbers, and any session tokens that give access to your online accounts. Because the initial infection looks like a normal app, it can go unnoticed for weeks.
Signs your device might be infected
No single symptom is definitive, but these are common red flags after a RAT or stealer infection:
- Your computer runs noticeably slower, especially at startup.
- Unexpected pop‑ups appear, or your browser redirects you to strange sites.
- Programs crash more often, or you see error messages about files being modified.
- Your mouse cursor moves or clicks on its own (less common, but possible with advanced RATs).
- You notice unauthorized logins to your email, banking, or social media accounts.
If you experience several of these together, it’s worth running a thorough scan.
How to protect yourself
Always download apps from official sources. The safest place remains the developer’s own website or a major app store (Microsoft Store, Mac App Store, Google Play). Even a signed installer from a third‑party download site can be risky. If you’re not sure a site is legitimate, don’t download.
Inspect digital signatures before running an installer. On Windows, right‑click the .exe file, go to Properties > Digital Signatures, and check the signer name. Look for unexpected names, or signatures that say “no certificate could be verified.” On macOS, check if the app is notarized by looking under the “General” tab in the app’s Info window. A valid signature does not guarantee safety, but a suspicious one is a strong warning.
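The Windows signature check described above can also be done from PowerShell, which puts the signature status, signer, issuer, thumbprint and validity dates in one place and compares the signer with the publisher you expected. This is an added example, not code from the original report; the function name `Test-InstallerSignature`, the file path and the publisher name are hypothetical placeholders, while `Get-AuthenticodeSignature` is the built-in cmdlet.

```powershell
# Added example (not from the original report). Test-InstallerSignature is a
# hypothetical helper name; Get-AuthenticodeSignature is the built-in cmdlet.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # The publisher name the vendor states on its own site (you supply this).
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $sig      = Get-AuthenticodeSignature -LiteralPath $Path
    $cert     = $sig.SignerCertificate   # $null when the file is unsigned

    $signer = if ($cert) { $cert.GetNameInfo($nameType, $false) }
    $issuer = if ($cert) { $cert.GetNameInfo($nameType, $true) }

    $findings = @()
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    if ($cert -and $signer -ne $ExpectedPublisher) {
        $findings += "Signer '$signer' does not match expected publisher '$ExpectedPublisher'"
    }

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status
        Signer      = $signer
        Issuer      = $issuer
        Thumbprint  = if ($cert) { $cert.Thumbprint }
        ValidFrom   = if ($cert) { $cert.NotBefore }
        ValidTo     = if ($cert) { $cert.NotAfter }
        Timestamped = [bool]$sig.TimeStamperCertificate
        # True only means "validly signed by the name you expected". As the
        # article says, that alone does not guarantee the file is safe.
        MatchesExpectedPublisher = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

# Usage with placeholder values (constructed, not names from the campaign):
# Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\ExampleNotesSetup.exe" `
#     -ExpectedPublisher 'Example Software Ltd'
```

A `Valid` status paired with an unfamiliar signer is the situation this campaign relies on, so compare the `Signer` field with the publisher named on the developer’s own website.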
Be suspicious of unusual permission requests. If a note‑taking app asks for access to your entire file system or to control your camera, that’s a red flag. Legitimate apps only ask for permissions they actually need.
Keep your operating system and antivirus updated. Modern security software can detect malicious behavior even when the file itself is signed. Make sure automatic updates are turned on. Some antivirus products now include behavior‑based detection that watches for actions typical of RATs, such as keylogging or remote desktop access.
Use a standard user account. Avoid running day‑to‑day activities with administrator privileges. If malware does get installed, it will have a harder time making system‑wide changes.
What to do if you think you’re infected
- Disconnect from the internet immediately. This stops the malware from communicating with its command‑and‑control server and prevents further data theft.
- Run a full scan with your installed security software. If you don’t have one, Windows Defender (built into Windows 10 and 11) is a reasonable first choice.
- Change the passwords for all important accounts — but do this from a different, clean device (such as your phone) to avoid the malware capturing the new passwords.
- Enable two‑factor authentication (2FA) on every account that supports it. Even if a password is stolen, 2FA can block the attacker.
- If you suspect a RAT or cannot remove the infection yourself, consider reinstalling your operating system. That’s the most reliable way to ensure the malware is gone.
Sources and further reading
The initial report on TamperedChef was published by CyberSecurityNews on May 21, 2026. Details about the specific apps involved and the exact delivery method are still emerging, but the core advice above applies to any signed‑malware campaign.
For the latest information, check security blogs from reputable vendors such as Malwarebytes, KrebsOnSecurity, or the security teams at Microsoft and Google. As always, stay skeptical of anything that seems too easy — especially free downloads promising more than they should.