New ‘TamperedChef’ Malware Targets Productivity Apps: What You Need to Know
If you rely on Microsoft Teams, Slack, or Zoom for daily work, a new malware campaign called TamperedChef is worth your attention. It’s not another phishing link—it’s a more subtle trick: fake or compromised versions of those apps, signed with legitimate-looking code certificates, that quietly drop credential-stealers and remote access tools onto your machine.
Here’s what’s happening, why it’s a problem, and a few practical steps to reduce your risk.
What Happened
In late May 2026, multiple cybersecurity outlets reported an active campaign where attackers distributed altered installers for popular productivity applications. These installers were signed using code-signing certificates that appeared genuine—either stolen, misappropriated, or from compromised developer accounts. Once installed, the malware (dubbed TamperedChef by some researchers) delivered info-stealers that harvest passwords, cookies, and saved credentials, along with remote access trojans (RATs) that give attackers persistent control over the system.
The specific apps being impersonated include Microsoft Teams, Slack, and Zoom—tools that millions of professionals download weekly. The malicious copies are hosted on lookalike sites, on third‑party download portals, and sometimes even pushed through search ads that appear official.
Why Signed Apps Are Dangerous
It’s not surprising that malware tries to look legitimate. What makes TamperedChef more concerning is its use of valid code‑signing certificates. Antivirus and endpoint security tools often treat signed code as trustworthy. A signed application is less likely to trigger alerts, and on some systems it can bypass certain security checks entirely. Attackers know this and are increasingly abusing the trust that signing certificates grant.
This isn’t an entirely new tactic, but the scale and the specific choice of productivity apps show that cybercriminals are shifting toward channels that remote workers trust implicitly. Once the malware is in place, it can steal sensitive business data, install further payloads, or give an attacker a foothold inside a network.
What You Can Do About It
You don’t need to become a malware analyst to stay safer. Here are concrete steps:
1. Download only from official sources.
Get Teams from Microsoft’s website or the Microsoft Store, Slack from slack.com, Zoom from zoom.us. Avoid third‑party download sites and never click “download” from a pop‑up ad.
2. Verify the digital signature before running any installer.
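On Windows, right‑click the installer file, go to Properties > Digital Signatures, and check that the signer matches the publisher you’d expect (for example, “Microsoft Corporation” for Teams). The presence of a signature is not enough on its own, since the TamperedChef installers were themselves signed; what matters is who signed the file. If the signer is unknown or the certificate is expired, don’t run it.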
3. Enable app reputation checks in your operating system.
Windows SmartScreen, macOS Gatekeeper, and similar features can flag unsigned or suspicious installers. Make sure they are turned on and not disabled by group policy.
4. Keep your productivity apps updated through automatic updates.
The safest copy of an app is the one you already have, updated by its own updater. Resist the urge to manually re‑download an installer from a search result.
5. Use endpoint detection tools if you’re an organization.
Tell your IT or security team about this campaign. Many enterprise tools can block installers that don’t match known‑good hashes or that originate from untrusted URLs.
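The signature check from step 2 can also be scripted, which helps when an IT team needs to vet many installers. The PowerShell below is an added example, not code from the reports this article is based on. The function name and the installer path are hypothetical, and the expected publisher is passed in by the caller.

```powershell
# Added example: report whether an installer's Authenticode signature is valid
# AND whether its signer is the publisher expected for that product.
function Test-InstallerSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Simple name (normally the CN) from the signing certificate's subject, if signed.
    $signer = if ($cert) {
        $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    } else { $null }

    # 'Valid' means the file hash matches the signature and the chain is trusted.
    $signatureValid = ($sig.Status -eq 'Valid')

    # Exact comparison, not a substring match, so a lookalike name that merely
    # contains the expected publisher does not pass.
    $publisherMatch = ($null -ne $signer) -and ($signer -eq $ExpectedPublisher)

    [pscustomobject]@{
        Path           = $Path
        Status         = $sig.Status
        Signer         = $signer
        Thumbprint     = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter       = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped    = ($null -ne $sig.TimeStamperCertificate)
        # Hash to compare against a known-good value, as in step 5.
        SHA256         = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SignatureValid = $signatureValid
        PublisherMatch = $publisherMatch
        PassesCheck    = $signatureValid -and $publisherMatch
    }
}

# Hypothetical path; 'Microsoft Corporation' is the signer the article names for Teams.
$result = Test-InstallerSigner -Path 'C:\Users\Public\Downloads\TeamsSetup.exe' -ExpectedPublisher 'Microsoft Corporation'
$result | Format-List
if (-not $result.PassesCheck) {
    Write-Warning 'Do not run this installer: signature invalid or signer is not the expected publisher.'
}
```

A file that is validly signed but fails the publisher match is the case this campaign relies on, so treat `SignatureValid` without `PublisherMatch` as a failure.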
If you suspect you’ve installed a malicious version:
- Disconnect the machine from the network immediately.
- Scan with a reputable antivirus or a second‑opinion scanner (like Malwarebytes or Microsoft Defender Offline).
- Change passwords for all accounts accessed from that device, using a known‑clean machine.
- Notify your IT security team if this is a work device—they may need to investigate lateral movement.
Sources
Reports on the TamperedChef campaign began circulating on May 21, 2026, with coverage from outlets including CyberSecurityNews. Additional coverage around the same time highlighted related tactics using fake Teams downloads to deliver ValleyRAT. The information in this article is based on those public reports; specific attribution can be found in the original articles listed below.
- “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs” – CyberSecurityNews, May 21, 2026.
- “Hackers Use Fake Microsoft Teams Downloads to Deploy ValleyRAT Malware” – CyberSecurityNews, May 21, 2026.