New ‘TamperedChef’ Malware Hides in Signed Productivity Apps – Here’s How to Stay Safe

Installing software that carries a valid digital signature has long been considered a green light. That certificate is supposed to mean the file came from the developer it claims to be from and hasn’t been tampered with. A newly documented malware campaign called TamperedChef is exploiting that trust by hiding inside signed versions of popular productivity apps, then delivering data stealers and remote access trojans (RATs). Understanding how this works and adjusting a few habits can help you avoid the trap.

What Happened

Security researchers have detailed a campaign in which attackers obtained legitimate code‑signing certificates and used them to sign modified installers for widely used business applications. The malware, dubbed TamperedChef, has been observed targeting apps like Microsoft Teams and Slack – tools that millions of people download, update, or reinstall regularly.

According to reports from CyberSecurityNews and gbhackers, the signed installer drops a stealer and a RAT onto the victim’s machine. Because the installer bears a valid certificate, both the operating system and many endpoint security products treat it as safe, often allowing it to run without a warning. The exact method of obtaining the certificates isn’t fully public, but it likely involves either stealing them from developers or abusing code‑signing services that don’t verify applicants thoroughly.

The payloads delivered by TamperedChef include information stealers that can harvest passwords, browser cookies, and cryptocurrency wallets, along with RATs that give attackers full remote control over an infected computer. The campaign appears to be active now, and the use of signed installers makes it harder to stop with traditional signature‑based defenses.

Why It Matters

For years, the advice has been: “Only download software from official sources, and check for a valid digital signature.” TamperedChef shows that a valid signature is no longer a reliable guarantee of safety. Attackers have found ways to get their hands on certificates and sign malicious code that looks exactly like a legitimate update.

For everyday users, this means the usual warning signs – no certificate, unknown publisher, or a browser warning – may not appear. The malware can slip past basic antivirus scans and even some advanced endpoint detection systems if those systems rely heavily on file reputation tied to the certificate.

The real danger is the silence. You might install a Teams update and see no alerts, yet behind the scenes your credentials are being siphoned off and a backdoor is being opened. Because productivity apps are often allowed through firewalls and monitored less closely than other software, the malware can operate with less risk of being caught.

What You Can Do Now

No single step will make you immune, but a combination of changes in habit and tools can greatly reduce the chance of infection.

1. Download only from official company websites or app stores.
Avoid third‑party download sites, even if they appear to offer faster downloads or older versions. For Microsoft Teams, use the official Microsoft website or the Microsoft Store. For Slack, use slack.com.

2. Look beyond the signature.
A valid certificate is not enough. Check the publisher name carefully – a certificate issued to “McGee Tech” when you expect “Microsoft Corporation” is a red flag. On Windows, right‑click the installer, go to Properties > Digital Signatures, and see who actually signed it.

3. Enable app reputation checks.
Microsoft Defender (now part of Windows Security) has a “Reputation‑based protection” feature that can flag low‑reputation apps even if they are signed. Make sure it’s turned on. Similarly, macOS Gatekeeper checks not just the signature but also the notarization status; keep it enabled.

4. Use behavior‑based detection.
Don’t rely solely on antivirus signatures. Consider using endpoint detection and response (EDR) software if you’re an IT administrator. For personal use, free tools like Malwarebytes or the built‑in Windows Defender can detect unusual behavior even if the file itself is signed.

5. Be skeptical of update prompts.
If your system or browser suddenly shows a notification to “Update Microsoft Teams” that looks different from the usual process, close it and manually check for updates inside the app. Legitimate updates usually come through the app’s own updater, not via a downloaded .exe from an email or pop‑up.

6. Isolate high‑risk installations.
If you must install software from a less‑trusted source, run it in a virtual machine or an isolated environment first. This is especially relevant for IT teams who need to test updates before rolling them out to the whole organization.
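To make the publisher check from step 2 repeatable rather than a manual right-click, here is an added PowerShell example (not from the article or either cited source). It uses the built-in Get-AuthenticodeSignature cmdlet and treats a signature that is cryptographically valid but issued to an unexpected company as a distinct red flag; the installer path and the expected publisher list are assumptions you supply.

```powershell
# Added example: verify an installer's Authenticode signature AND that the
# signer's subject CN is a publisher you expect for this product.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Exact CN values you accept for this product (assumed allow-list).
        [Parameter(Mandatory)] [string[]] $ExpectedPublisher
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and the certificate
    # chain builds to a root the machine trusts. Anything else is a stop sign.
    $chainOk = ($sig.Status -eq 'Valid')

    # Extract the CN from the subject DN. Values containing commas are quoted
    # in .NET's DN string, e.g. CN="Some Company, Inc.", so try that form first.
    $cn = $null
    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        if ($subject -match 'CN="([^"]+)"')   { $cn = $Matches[1].Trim() }
        elseif ($subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }
    }

    # A valid signature from the wrong company is exactly the TamperedChef case.
    $publisherOk = [bool]($cn -and ($ExpectedPublisher -contains $cn))

    $verdict = if ($chainOk -and $publisherOk) { 'OK' }
               elseif ($chainOk)               { 'VALID-SIGNATURE-WRONG-PUBLISHER' }
               else                            { 'SIGNATURE-INVALID-OR-MISSING' }

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status
        SignerCN    = $cn
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        TimeStamped = [bool]$sig.TimeStamperCertificate   # countersigned by a TSA?
        Verdict     = $verdict
    }
}

# Usage (path is a placeholder for the installer you just downloaded).
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\Teams_setup.exe" `
    -ExpectedPublisher 'Microsoft Corporation' | Format-List
```

Anything other than an `OK` verdict should send you back to the vendor's official download page rather than running the file; the thumbprint in the output lets you compare against a known-good installer if you have one.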

Sources

  • “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” CyberSecurityNews, May 21, 2026.
  • “TamperedChef Malware Hides in Signed Apps to Drop Stealers and RATs,” gbhackers, May 21, 2026.