New ‘TamperedChef’ Malware Hides Inside Signed Productivity Apps – Here’s How to Stay Safe
A new malware campaign, dubbed TamperedChef, is circulating through versions of popular productivity applications that have been digitally signed with legitimate certificates. Security researchers reported the campaign on May 21, 2026. The malware delivers credential stealers and remote access trojans (RATs) that can give attackers full control over an infected device.
What Happened
According to CyberSecurityNews, attackers obtained or generated valid code signing certificates and used them to sign trojanized installers of well-known productivity apps. Because the executables carry a valid digital signature, they appear trustworthy to both operating system security checks and users who glance at the certificate details. Once installed, the malicious payload extracts a stealer component that harvests saved passwords, browser cookies, and cryptocurrency wallets, and a RAT that allows remote control of the machine.
The campaign is still active. Researchers have not disclosed the full list of apps used, but they note that the method works because many users rely on the presence of a digital signature as a shortcut to trust an application.
Why It Matters
For years, security advice has included “only download software from official sources” and “check for a valid digital signature.” The TamperedChef campaign shows that even a verified signature is no longer a guarantee of safety. Attackers are obtaining certificates through compromised developer accounts, stolen keys, or by registering as legitimate developers themselves. The result is that malware can bypass antivirus detections that rely on trust lists for signed binaries.
The payloads in this campaign are particularly dangerous because stealers extract credentials that can be used to access email, banking, social media, and corporate accounts. A RAT gives attackers persistent access, which they can later use to deploy ransomware or further compromise a network.
What Readers Can Do
General users can take several practical steps to reduce the risk from this and similar threats.
Download only from official app stores or publisher websites. Even then, verify the URL. A signed app that appears on a third-party download site is more likely to be tampered with. Use the Microsoft Store or the publisher’s own site, not a search engine result.
Check the certificate details. On Windows, right-click the installer, go to Properties > Digital Signatures, and verify that the signer name matches the expected publisher. On macOS, the signed app will show a Developer ID in the security settings. If the signer is unfamiliar or the certificate was issued recently to a company you don’t recognize, treat it with caution.
Enable multi-factor authentication (MFA) on important accounts. Even if a stealer captures your password, MFA can block the attacker from logging in. Use app-based or hardware tokens rather than SMS if possible.
Keep security software updated. While signed malware may skirt some defenses, updated antivirus engines that use behavioral analysis can still detect malicious activity after the app runs.
Watch for unusual behavior. Productivity apps should not suddenly ask for additional permissions, prompt for credentials, or generate unexpected network traffic. If an app behaves oddly after installation, run a full system scan with a reputable security tool.
If you suspect infection: Disconnect the device from the internet immediately. Change passwords for any accounts accessed on that device, using a different clean device. Run a thorough malware scan (multiple scanners if possible). Consider backing up important files offline and, if needed, reinstalling the operating system.
Sources
- CyberSecurityNews, “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” May 21, 2026.
This article is based on reports available as of the publication date. New details may emerge as the investigation continues.