New TamperedChef Malware Hides in Signed Productivity Apps – What You Need to Know
A new malware campaign dubbed TamperedChef is making the rounds by repackaging legitimate, signed productivity applications with hidden stealer and remote access trojan (RAT) payloads. Because the installers carry valid code-signing certificates, they can bypass some security checks and appear trustworthy. This article explains how the attack works, which apps are being targeted, and what you can do to avoid infection.
What Happened
According to a report from CyberSecurityNews published May 21, 2026, the TamperedChef campaign uses trojanized versions of popular collaboration tools – including Microsoft Teams, Slack, and Notion – to deliver information-stealing malware and remote access trojans. The attackers either host these fake installers on lookalike download pages or distribute them via phishing emails that urge users to install an update or a required plugin.
The key trick is that the malicious installers are signed with legitimate code-signing certificates. That means they pass a basic signature check in Windows or macOS and appear to come from a trusted publisher, even though a valid signature only proves who signed the file, not that the signer is the real developer of the app being impersonated. Once installed, the payload silently runs in the background: stealers siphon browser credentials, cryptocurrency wallets, and saved passwords, while RATs give attackers remote control over the infected machine.
Although the full list of payloads is still being analysed, early reports indicate that the campaign deploys known families such as ValleyRAT and other common stealers. The attackers appear to be after credentials and financial data, but a RAT can also be used to drop additional malware or move laterally within a network.
Why It Matters
Most people have been taught to look for a digital signature or to only download software from official sources. TamperedChef exploits that trust directly. A signed app no longer guarantees safety: the certificate may have been stolen, obtained fraudulently, or held by the attackers themselves and used to sign a malicious repackaging of a legitimate program.
For everyday users, the danger is that a seemingly innocent update to Teams or Slack could hand over your login credentials, browser history, or even full remote access to your computer. In a business setting, a single infected workstation can lead to a broader breach, especially if the malware steals corporate VPN credentials or uses remote control to hop to other systems.
The campaign also underscores how quickly attackers adapt: instead of developing novel exploits, they corrupt trusted software delivery channels and rely on people’s habit of clicking “download” without second thoughts.
What Readers Can Do
Download from official sources only.
Go directly to the developer’s website (e.g., microsoft.com for Teams, slack.com for Slack) or use the official app store for your operating system. Avoid third-party download sites, sponsored search results, and emailed links.
Verify the publisher and signature.
On Windows, before running an installer, right-click the file, select Properties, open the Digital Signatures tab and view the certificate. On macOS, Get Info does not show the signature; open Terminal and run codesign -dvv <file> and spctl -a -v <file> instead. Make sure the signer name matches the official developer (for example, Microsoft Corporation for Teams). If the signature is missing or the publisher is unknown, do not run the file. Just as important for this campaign: a signature that is valid but belongs to a company you do not recognise is the warning sign, because TamperedChef installers are properly signed and will not fail the basic check.
Match the file hash.
If you are particularly cautious, compare the SHA-256 hash of the downloaded installer with the hash published on the official developer’s support page. This is not practical for most users, but it is a reliable way to spot tampering.
Keep endpoint protection turned on.
A good antivirus or endpoint detection and response (EDR) product can detect suspicious behaviour even if the file is signed. Enable real-time scanning and consider using a tool that flags unusual process launches.
Use multi-factor authentication (MFA).
A stealer might grab your password, but if you have MFA enabled on your accounts, the attacker still needs the second factor. This is one of the most effective safety nets.
Be sceptical of urgent update prompts.
If an email or a pop-up tells you to update Teams or another app immediately, pause and navigate to the app directly to check for updates instead of clicking the link.
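The publisher and hash checks above, scripted for Windows as an added example (this is not code from the article or from any vendor; it uses the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets). The installer path, the expected signer name and the expected hash are placeholders you supply from the vendor's own site:

```powershell
# Added example: verify an installer's signer and hash before running it.
# Path, expected signer and expected hash are placeholders, not real values.

function Test-Installer {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner,  # e.g. 'Microsoft Corporation'
        [string] $ExpectedSha256                          # optional, from the vendor's download page
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = 'File not found' }
    }

    # Step 1: signature status. 'Valid' only means Windows trusts the certificate chain.
    # The TamperedChef installers pass this step too, so it is necessary, not sufficient.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Signature status is '$($sig.Status)'" }
    }

    # Step 2: signer identity. Compare the certificate's common name with the developer
    # you expect; a valid signature from an unexpected company is the warning sign.
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($simpleName, $false)
    if ($signer -ne $ExpectedSigner) {   # -ne on strings is case-insensitive in PowerShell
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Signed by '$signer', expected '$ExpectedSigner'" }
    }

    # Step 3: hash, when the vendor publishes one. Get-FileHash returns uppercase hex;
    # the case-insensitive comparison means the vendor's casing does not matter.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "SHA-256 is $actual, expected $ExpectedSha256" }
        }
        return [pscustomobject]@{ Path = $Path; Ok = $true; Reason = "Signed by '$signer', hash matches" }
    }

    return [pscustomobject]@{ Path = $Path; Ok = $true; Reason = "Signed by '$signer', no hash supplied" }
}

# Usage with placeholder values: replace the path with your download and add
# -ExpectedSha256 '<hash>' if the vendor publishes one.
Test-Installer -Path "$env:USERPROFILE\Downloads\TeamsSetup.exe" -ExpectedSigner 'Microsoft Corporation' |
    Format-List
```

The script returns an object with Ok set to false and a Reason whenever any step fails, so it can be dropped into a larger check. The order matters: status first, then the signer name, then the hash, because a valid status alone tells you nothing about which company signed the file, which is exactly the gap this campaign relies on.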
Sources
- CyberSecurityNews, “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” May 21, 2026.
- Additional reporting on ValleyRAT and signed malware campaigns from the same publication (May 2026).
Stay informed, but stay sceptical. A signed app is not the same as a safe app.