New Malware ‘TamperedChef’ Hides in Signed Productivity Apps to Steal Your Data
Introduction
A new malware strain called TamperedChef is making the rounds, and it has a twist that makes it especially hard to spot: it’s delivered inside productivity applications that are digitally signed. That signature—usually a sign of authenticity—is being used to lull users and security software into a false sense of safety. Reports from cybersecurity news outlets indicate that attackers are repackaging or tampering with signed installers of apps like Microsoft Teams, Slack, and Zoom to inject information stealers and remote access trojans (RATs).
If you regularly download software updates or install productivity tools from anywhere other than the developer’s official website or your device’s app store, this campaign is worth understanding.
What Happened
According to coverage from CyberSecurityNews, the TamperedChef malware first came to light in late May 2026. Attackers obtained or created valid code-signing certificates and used them to sign modified installer packages. Once a user runs the signed installer, the malware unpacks alongside the legitimate app. The signature means that Windows and macOS security warnings—the ones that say “unknown publisher”—never appear.
The malware is designed to:
- Steal saved passwords and browser credentials.
- Capture screenshots and keystrokes.
- Download and execute additional payloads, turning the infected machine into a foothold for further attacks.
Because the signed app looks genuine and the installer passes basic validation, even experienced users can be tricked. The campaign appears to target workers who use productivity apps, likely because those tools are widely deployed in business environments and often require administrative privileges to install.
Why It Matters
Most people assume that a signed app is safe. That assumption is what TamperedChef exploits. Code signing is a technical guarantee that the software hasn’t been tampered with after the developer signed it—but it says nothing about the developer’s intentions. If a certificate is stolen, misused, or issued to a fraudulent entity, the signature is still valid.
The practical risk is plain: you can’t rely on the “verified publisher” badge alone. Attackers have been known to buy or compromise signing certificates on underground markets. For this campaign, the specific certificates used are still under investigation, but the pattern isn’t new. What makes TamperedChef notable is its focus on popular collaboration tools and the apparent sophistication of the distribution chain.
Beyond credential theft, a RAT can give attackers persistent remote control of your device, allowing them to move laterally across a network, deploy ransomware, or exfiltrate sensitive company data. For home users, the immediate danger is identity theft and financial loss.
What Readers Can Do
You don’t need to be a cybersecurity expert to reduce your exposure. Here are practical steps, none of which require advanced technical skills:
1. Download only from official sources.
Always get software from the developer’s official website or from the official app store for your operating system (Microsoft Store, Apple App Store, or your distribution’s package manager). Avoid third-party download sites, even if they appear legitimate.
2. Verify the installer before running it.
On Windows, right-click the installer, go to Properties > Digital Signatures, and check that the signer is the expected company. On macOS, look for a “Developer ID” in the security dialog. If the publisher name looks odd or doesn’t match the app, do not run it.
3. Keep your software updated automatically.
Enable automatic updates within the apps you use. This reduces the temptation to manually download updates from email links or pop-ups, which are common vectors for malware.
4. Use reputable antivirus or endpoint protection.
Modern security tools can detect behavior-based anomalies even if the file is signed. Ensure your antivirus is up to date and that real-time scanning is enabled.
5. Watch for unusual prompts.
If a productivity app asks you to install an update outside of its normal update mechanism, or if a download starts automatically after clicking a banner ad, be suspicious. Close the browser tab and navigate to the official site directly.
6. Enable multi-factor authentication (MFA).
While MFA won’t stop the initial infection, it can prevent stolen credentials from being used to access your accounts. Use an authenticator app or hardware key rather than SMS if possible.
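Step 2 above can be scripted on Windows so the check is repeatable. The following is an added example written for this article, not code from the original report or from any vendor; the function name Test-ExpectedSigner, the expected-publisher strings and the installer path are illustrative assumptions.

```powershell
# Added example, not from the article or any vendor: automate the step-2 check
# on Windows. It reports REJECT when the Authenticode signature is missing or
# invalid, and ALSO when the signature is valid but the signer is not the
# publisher you expected. Function name and sample publisher strings are
# illustrative assumptions.
function Test-ExpectedSigner {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Strings that must all appear in the signer certificate Subject,
        # e.g. 'O=Microsoft Corporation'. Matched literally (no wildcards).
        [Parameter(Mandatory)] [string[]] $ExpectedSubjectParts
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{ Path = $Path; Verdict = 'REJECT'; Signer = $null; Thumbprint = $null; Reason = '' }

    # NotSigned, HashMismatch, UnknownError (untrusted chain) etc. all fail here.
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer     = $cert.Subject
    $result.Thumbprint = $cert.Thumbprint

    # A valid signature only proves the file is unchanged since it was signed
    # with this certificate; it does not prove the certificate belongs to the
    # vendor whose app you think you are installing.
    $missing = $ExpectedSubjectParts | Where-Object {
        $cert.Subject -notmatch [regex]::Escape($_)
    }
    if ($missing) {
        $result.Reason = "Valid signature, but signer '$($cert.Subject)' lacks expected part(s): $($missing -join ', ')"
        return [pscustomobject]$result
    }

    $result.Verdict = 'ACCEPT'
    $result.Reason  = 'Signature valid and signer matches the expected publisher'
    return [pscustomobject]$result
}

# Usage (the path is a constructed placeholder, not a real indicator):
Test-ExpectedSigner -Path "$env:USERPROFILE\Downloads\installer.exe" `
                    -ExpectedSubjectParts 'O=Microsoft Corporation' |
    Format-List
```

The Thumbprint it prints is the same certificate shown under Properties > Digital Signatures, so it can be compared against the thumbprint the vendor publishes where one is available.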
Signs of Infection and Immediate Actions
If you suspect you’ve downloaded a tampered installer, watch for these symptoms:
- Unexplained system slowdowns or high CPU usage even when no apps are open.
- New browser toolbars, extensions, or changed default search engine.
- Unexpected pop-ups or security warnings.
- Unauthorized outgoing network connections (you may see this in firewall logs).
If you believe you’re infected:
- Disconnect from the internet immediately.
- Run a full system scan with an offline antivirus tool or a second-opinion scanner like Malwarebytes.
- Change passwords for your critical accounts (email, banking, cloud storage) from a clean device.
- If you’re on a corporate network, notify your IT department right away.
Sources
- CyberSecurityNews – “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs” (May 21, 2026)
- Additional reporting cited by CyberSecurityNews on related fake Teams download campaigns and driver abuse (referenced in the same news feed)