New Malware Pretends to Be Productivity Apps, and Bypasses Security with Real Signatures

Attackers behind a campaign tracked as TamperedChef are distributing malware through fake installers of widely used productivity apps such as Microsoft Teams, Zoom, and Slack. What makes this campaign especially hard to spot is that the malicious installers carry valid digital signatures, often from stolen or misused code-signing certificates. This allows the malware to bypass some standard security checks that users and antivirus software rely on to distinguish legitimate software from harmful files.

The campaign, reported by CyberSecurityNews in May 2026, appears to target both individuals and organizations. Victims are lured to phishing websites or tricked by malicious advertisements that mimic official download pages. Once downloaded and executed, the trojanized installer delivers a range of malware, including information stealers like RedLine and remote access trojans (RATs) such as ValleyRAT. The result can be full system compromise, credential theft, and unauthorized remote control of the affected device.

What Happened

TamperedChef is not a single piece of malware but a distribution campaign. Attackers obtained or forged code-signing certificates to digitally sign the malicious installers. A valid digital signature normally acts as a guarantee that the software has not been tampered with and comes from a verified publisher. By abusing this trust mechanism, the attackers can make the malware appear legitimate to both users and some security products.

The campaign specifically targets productivity applications that are commonly downloaded outside official app stores. Instead of getting Teams from Microsoft’s own website, a user might search for a download link and land on a compromised page or a lookalike site. The installer then runs with a valid signature, reducing the likelihood of triggering warnings. Once installed, the malware executes quietly in the background, often stealing browser passwords, cryptocurrency wallets, and other sensitive data. ValleyRAT, a remote access tool, gives attackers the ability to take screenshots, record keystrokes, and control the machine remotely.

Why It Matters

Digitally signed malware is particularly dangerous because it erodes the fundamental trust users place in code-signing. Many people have been taught to look for a “verified publisher” or a signed installer as a safety indicator. Campaigns like TamperedChef show that this indicator can be bypassed. Even experienced IT professionals who verify digital signatures may be deceived if the certificate is valid but stolen.

The impact extends beyond individual users. If an employee in an organization downloads a signed malicious app, the attacker could gain a foothold inside the corporate network. The use of signed installers also makes detection harder for traditional antivirus tools that rely on signature-based checks. Behavioral detection might still catch the malware after execution, but by then the damage may already be done.

Another concern is the persistence of the threat. Attackers can reuse stolen certificates until they are revoked, and revocation can take days or weeks. During that window, the signed malware continues to appear authentic.

What Readers Can Do

No single precaution will guarantee safety, but a few habits greatly reduce the risk of falling victim to campaigns like TamperedChef.

Download only from official sources. This seems obvious, but it is the most effective step. Rather than clicking on search ads or third-party download sites, go directly to the software vendor’s website (for example, microsoft.com for Teams, zoom.us for Zoom). Bookmark these pages so you are less likely to follow a phishing link.

Verify software signatures, but be aware of limits. On Windows, you can right-click an installer, select Properties, and look at the Digital Signatures tab. Check that the signer is the legitimate company. However, remember that a valid signature does not guarantee the software is safe: it only proves that the file was signed with that certificate and has not been altered since. If possible, cross-check the certificate’s issuer and look up whether the certificate has been reported as stolen.
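The same check can be scripted so that it is done consistently before an installer is run. The following PowerShell is an added example written for this article, not code from the reporting or from any vendor; the file path and the expected publisher name are placeholders you substitute from a known-good copy of the software.

```powershell
# Added example: inspect an installer's Authenticode signature and compare
# the signer with the publisher you expected. A 'Valid' status alone is
# not enough; the article's point is that the signer must be the company
# you actually intended to download from.
function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubjectCN   # e.g. the vendor's CN
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status covers the common failures: NotSigned, HashMismatch (file altered
    # after signing), NotTrusted (chain does not end in a trusted root).
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Verdict = 'REJECT'; Reason = "Signature status: $($sig.Status)"
        }
    }

    $cert = $sig.SignerCertificate
    # SimpleName returns the subject's CN without hand-parsing the DN
    # (vendor names can legitimately contain commas).
    $subjectCN = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    if ($subjectCN -ne $ExpectedSubjectCN) {
        return [pscustomobject]@{
            Path = $Path; Verdict = 'REJECT'
            Reason = "Signed by '$subjectCN', expected '$ExpectedSubjectCN'"
        }
    }

    # Details a human should still review: issuer, validity window and the
    # countersignature timestamp. This check does not tell you whether the
    # certificate has since been reported stolen; look that up separately.
    [pscustomobject]@{
        Path       = $Path
        Verdict    = 'PUBLISHER-MATCH'
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        TimeStamp  = $sig.TimeStamperCertificate.Subject
    }
}

# Constructed usage: placeholder path and placeholder expected publisher.
Test-InstallerSigner -Path 'C:\Users\Public\Downloads\Teams_setup.exe' `
                     -ExpectedSubjectCN 'EXPECTED PUBLISHER NAME'
```

A REJECT verdict is a stop signal, not a diagnosis: the file may be a repackaged installer, a different legitimate publisher, or simply unsigned, and none of those should be run until you know which.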

Enable behavioral detection in your antivirus. Many security products now include real-time behavioral analysis that monitors what an application does after installation, not just what its signature says. Keep your antivirus and operating system updated. Consider using endpoint detection and response (EDR) tools if you are managing multiple machines.

Avoid pirated or “cracked” software. These are a frequent vector for signed malware. Even if the installer looks legitimate, the activation methods or patches often contain backdoors.

Monitor for signs of infection. If your computer suddenly runs slowly, your internet connection seems busier than normal, or you see unexpected logins on your online accounts, run a full antivirus scan and consider using a dedicated malware removal tool.

Change passwords and enable multi-factor authentication. If you suspect you may have downloaded a trojanized app, change passwords for all critical accounts, especially email, banking, and work systems. Enable MFA wherever possible to limit the value of stolen credentials.

The TamperedChef campaign is a reminder that trust in digital signatures is not absolute. By sticking to official download channels and maintaining a skeptical eye even for signed software, users can stay ahead of this and similar threats.

Sources: CyberSecurityNews, May 2026. Reporting on the TamperedChef malware campaign and related security analysis.