New ‘TamperedChef’ Malware Hides in Signed Productivity Apps – What to Do
A recently identified malware strain, dubbed TamperedChef by security researchers, is spreading through digitally signed productivity applications. Unlike many threats that rely on unsigned or suspicious files, TamperedChef uses authentic-looking digital signatures to appear legitimate, making it harder for users and some security tools to detect. Here is what is known about the attack and how you can reduce your risk.
What Happened
According to a report from CyberSecurityNews published on May 21, 2026, TamperedChef is being distributed through fake download sites and malicious update prompts for popular productivity software—especially team collaboration tools like Microsoft Teams. The malware relies on either stolen code-signing certificates or forged signatures to make the installer appear to come from a trusted publisher.
Once installed, TamperedChef delivers a combination of information stealers and remote access Trojans (RATs). These payloads can capture credentials, exfiltrate files, and give attackers remote control over the infected machine. The report notes that this technique is similar to earlier campaigns that used fake Teams downloads to deploy ValleyRAT malware.
Why It Matters
For years, many users have been taught that a valid digital signature is a strong indicator of safe software. While signatures do provide some assurance when properly verified, attackers have become skilled at abusing them. Signing certificates can be stolen from legitimate developers, or attackers may purchase certificates from less stringent authorities. A signed app is not automatically safe.
The use of signed payloads also helps TamperedChef bypass some antivirus and endpoint detection rules that might otherwise flag unsigned executables. Combined with the fact that productivity apps are frequently downloaded and updated, the attack surface is large. Anyone who searches for a Teams installer or a similar tool through a search engine rather than the official source could be at risk.
What You Can Do
The core defense is to verify the source and signature of any software before you run it. Here are practical steps:
- Download only from official app stores or vendor websites. Avoid third-party download portals, even if they appear in search results. For Microsoft Teams, always use the official Microsoft download page or the Microsoft Store.
- Check the digital signature details after downloading. On Windows, right-click the installer file, select Properties, then go to the Digital Signatures tab. Look at the “Signer” name. If it says anything other than the expected publisher (e.g., “Microsoft Corporation” for Teams), do not run the file. Also check the “Timestamp” – an old or missing timestamp can be a red flag.
- Compare the signature to known good examples. If you have a trusted copy of the same app from a known-safe source, compare the signature details. Differences in the signer or certificate issuer may indicate tampering.
- Enable file extension visibility. TamperedChef may use double extensions (e.g., teams_installer.exe disguised as teams_installer.pdf.exe). Make sure your file explorer shows full file extensions so you can spot suspicious suffixes.
- Use endpoint protection that checks behavior, not just signatures. Modern security software that includes behavioral analysis can detect malicious activity even if the initial file is signed. Keep your antivirus and operating system updated.
- Beware of unexpected update prompts. If an app you already installed suddenly asks you to download an update from a pop-up window or a website, close it and check for updates within the application’s own settings or the official site.
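The signature and file-name checks in the steps above can be scripted so they are applied the same way every time. The PowerShell below is an added example written for this article, not code from the CyberSecurityNews report or from any vendor; it relies on the built-in Get-AuthenticodeSignature cmdlet, and the expected-signer string, the double-extension pattern, and the installer paths are assumptions chosen for illustration.

```powershell
# Added example: check a downloaded installer before running it.
# Assumptions: the expected publisher appears in the signer certificate's
# Subject (e.g. 'Microsoft Corporation' for Teams); file paths are placeholders.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Step 1: double extensions such as report.pdf.exe hide the real type when
    # Explorer hides known extensions. The list of "document" suffixes is an assumption.
    $leaf = Split-Path -Path $Path -Leaf
    if ($leaf -match '\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(exe|msi|scr|bat|cmd|ps1|js)$') {
        $findings.Add("double extension in file name: $leaf")
    }

    # Step 2: Authenticode status. 'Valid' means the file hash matches the
    # signature and the certificate chains to a root trusted on this machine.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }

    # Step 3: signer identity. A technically valid signature from an unexpected
    # company (a stolen or freshly purchased certificate) is still a red flag.
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '<not signed>' }
    $issuer  = if ($cert) { $cert.Issuer }  else { '<not signed>' }
    if ($subject -notmatch [regex]::Escape($ExpectedSigner)) {
        $findings.Add("signer is '$subject', expected '$ExpectedSigner'")
    }

    # Step 4: timestamp countersignature. Without one, the signature is only
    # trustworthy while the signing certificate itself is unexpired.
    if ($sig.Status -ne 'NotSigned' -and -not $sig.TimeStamperCertificate) {
        $findings.Add('signature carries no trusted timestamp')
    }

    # Step 5: certificate validity window at the time of the check.
    if ($cert) {
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $findings.Add("signing certificate outside its validity window ($($cert.NotBefore) to $($cert.NotAfter))")
        }
    }

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = $subject
        Issuer     = $issuer
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        SafeToRun  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Step 6 (compare against a known-good copy): the signer and issuer of a trusted
# installer should match those of the newly downloaded one. Two unsigned files
# deliberately do not count as a match.
function Compare-InstallerSigner {
    param(
        [Parameter(Mandatory)] [string] $ReferencePath,
        [Parameter(Mandatory)] [string] $CandidatePath
    )
    $ref = (Get-AuthenticodeSignature -FilePath $ReferencePath).SignerCertificate
    $can = (Get-AuthenticodeSignature -FilePath $CandidatePath).SignerCertificate
    [pscustomobject]@{
        SameSigner      = [bool]($ref -and $can -and $ref.Subject -eq $can.Subject)
        SameIssuer      = [bool]($ref -and $can -and $ref.Issuer  -eq $can.Issuer)
        ReferenceSigner = if ($ref) { $ref.Subject } else { '<not signed>' }
        CandidateSigner = if ($can) { $can.Subject } else { '<not signed>' }
    }
}

# Usage with placeholder paths (constructed for this example):
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\Teams_installer.exe" `
                        -ExpectedSigner 'Microsoft Corporation' | Format-List
```

Run it on the downloaded file before double-clicking it; anything in Findings means stop and fetch the installer again from the official source. The signer match is deliberately a substring test on the certificate Subject, because the full distinguished name varies between products of the same publisher.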
What to Do If You Think You Are Infected
If you suspect a signed productivity app you installed may be malicious:
- Disconnect from the internet to prevent data exfiltration and further communication with the attacker.
- Run a full system scan with a reputable security tool. Consider using a second-opinion scanner, such as Malwarebytes or a Microsoft Defender Offline scan.
- Check for unusual processes in Task Manager. Look for executables that mention “Teams,” “Office,” or similar names but have high CPU usage or network activity.
- Change passwords for any accounts you used on that machine, especially work or financial accounts, after removing the malware.
- Contact your IT team if the device is work-managed. They can help verify the integrity of the system.
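The Task Manager check in the steps above can be made more systematic from a PowerShell prompt. This function is an added example written for this article, not code from the report; the process-name patterns, the CPU-time threshold, and the "runs from a download or temp folder" heuristic are assumptions for illustration rather than published indicators for TamperedChef, and Get-NetTCPConnection is assumed to be available (it ships with Windows 8 / Server 2012 and later).

```powershell
# Added example: triage running processes whose names suggest a productivity
# app, reporting executable path, Authenticode status, CPU time and any
# established TCP connections so that odd entries stand out for a closer look.
# Assumptions: name patterns, CPU threshold and location heuristic are illustrative.

function Get-ProductivityProcessTriage {
    param(
        [string[]] $NamePatterns = @('teams', 'office', 'outlook', 'winword', 'excel', 'onenote'),
        [double]   $CpuSecondsThreshold = 120
    )

    $nameRegex = ($NamePatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Established connections keyed by owning PID.
    $connsByPid = @{}
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $key = [string]$_.OwningProcess
        if (-not $connsByPid.ContainsKey($key)) { $connsByPid[$key] = @() }
        $connsByPid[$key] += "$($_.RemoteAddress):$($_.RemotePort)"
    }

    Get-Process | Where-Object { $_.Name -match $nameRegex } | ForEach-Object {
        $proc = $_
        $path = $proc.Path   # $null when access is denied or the process already exited

        # Signature of the on-disk image the process was started from.
        $status = 'Unknown'; $signer = '<unknown>'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        $remote = @()
        if ($connsByPid.ContainsKey([string]$proc.Id)) {
            $remote = @($connsByPid[[string]$proc.Id] | Sort-Object -Unique)
        }

        $cpu = if ($proc.CPU) { [math]::Round($proc.CPU, 1) } else { 0 }

        $reasons = @()
        if ($status -ne 'Valid') { $reasons += "signature: $status" }
        # Heuristic (assumption): a "Teams" or "Office" binary living in Downloads,
        # Temp or Public is unusual for a normal installation.
        if ($path -and $path -match '\\(Downloads|Temp|Public)\\') { $reasons += 'runs from a download/temp location' }
        if ($cpu -gt $CpuSecondsThreshold) { $reasons += "CPU time ${cpu}s" }
        if ($remote.Count -gt 0) { $reasons += "$($remote.Count) established connection(s)" }

        [pscustomobject]@{
            Id      = $proc.Id
            Name    = $proc.Name
            Path    = $path
            Signer  = $signer
            Status  = $status
            CPU     = $cpu
            Remote  = ($remote -join ', ')
            Flagged = ($reasons.Count -gt 0)
            Reasons = ($reasons -join '; ')
        }
    }
}

Get-ProductivityProcessTriage | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Network connections and CPU use alone are normal for a collaboration tool, so no single column is proof of infection; the entries worth escalating are the ones that combine an invalid or unexpected signer with an odd install path or unexplained activity. Run this before disconnecting from the network if you want the connection data, and hand the output to your IT team rather than killing processes blindly.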
Sources
- CyberSecurityNews. “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs.” May 21, 2026. [Link to article]