Signed but Not Safe: How TamperedChef Malware Hides in Legitimate-Looking Apps
Most of us have learned to check for a digital signature before installing software. If the publisher name looks right and the file isn’t flagged by antivirus, we feel confident clicking “Run.” A new campaign called TamperedChef exploits exactly that trust.
What Happened
In late May 2026, security researchers reported a malware operation that distributes information stealers and remote access trojans (RATs) through digitally signed versions of popular productivity applications. Attackers obtain valid code-signing certificates—sometimes by compromising legitimate developer accounts or misusing certificate authorities—and attach them to copies of apps like Zoom, Slack, Microsoft Teams, and others. The signed files pass basic integrity checks and appear genuine to users and many security tools.
Once a victim runs the installer, the signed wrapper runs normally, but a hidden payload is decompressed and executed in the background. Multiple stages unpack stealers that harvest credentials, browser cookies, and cryptocurrency wallets, followed by a RAT that gives attackers full remote control of the machine. Because the initial file carries a valid signature, the infection can evade early detection.
The campaign was first identified by cybersecurity researchers and reported by CyberSecurityNews and gbhackers.com on May 21, 2026. At this point, the full scope of compromised certificates and the exact number of victims are still unclear, but the technique is not new in concept—threat actors have used signed malware before. What makes TamperedChef notable is the focus on widely used productivity tools and the multi-stage delivery of both stealers and RATs in a single attack.
Why It Matters
A digital signature is meant to verify that software comes from a specific publisher and hasn’t been tampered with. When attackers obtain a valid signature, they bypass one of the most basic safeguards that consumers and IT teams rely on. The signed file may not trigger antivirus alerts because the certificate is trusted, and manual inspection of the publisher name may show a familiar company.
The attack also relies on social engineering. Victims are typically directed to the malware through phishing emails, fake download sites, or search ads that lead to a site resembling the official vendor. For example, earlier this year researchers observed a similar campaign using fake Microsoft Teams downloads to deliver ValleyRAT. TamperedChef follows that pattern but casts a wider net across multiple apps.
For anyone who installs productivity software from the internet, this means the usual advice to “only install from official sources” needs a second look. Even if the download link appears to come from the official site, a compromised installer or a malicious advertisement can redirect to a signed copy of malware. The bar for infection has been lowered.
What Readers Can Do
There isn’t a single foolproof defense, but a combination of habits can significantly reduce risk.
- Download only from the vendor’s official website or a trusted app store. Avoid third-party download portals, even if they appear reputable. If an ad or search result leads to a site you don’t recognize, leave it.
- Verify the signature yourself. After downloading, right-click the installer (on Windows), select Properties, and go to the Digital Signatures tab. Check that the signer is the expected company (e.g., “Microsoft Corporation” for Teams) and that the timestamp is current. However, be aware that a stolen certificate can still produce a valid-looking signature.
- Enable additional verification where possible. Some vendors publish file hashes (SHA-256) on their official support pages. You can compare the hash of the file you downloaded against the published value using a simple command line tool. This is more reliable than just the signature.
- Keep security software updated and use detection features beyond basic signature scanning. Modern endpoint protection tools often include behavior-based monitoring that can spot unusual activity even when the file itself is signed.
- Be skeptical of unsolicited emails or messages urging you to install or update software. Attackers often create urgency (“Critical security update for Zoom – install now”) to bypass careful thinking. If you weren’t expecting the message, verify through a different channel.
- If you manage multiple devices for a team or business, restrict installation privileges and consider app whitelisting. This limits the ability of users to install unsigned or unknown software.
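The signature and hash checks from the list above, scripted for Windows PowerShell as an added example (not code from the article or from any vendor). The installer path, expected publisher subject and expected SHA-256 value are placeholders you replace with values taken from the vendor's official support page, which you should open by typing its address yourself rather than following the download site's link.

```powershell
# Added example: verify an installer's Authenticode signature and its SHA-256
# hash before running it. All three values below are placeholders (assumptions).
$Installer         = 'C:\Users\me\Downloads\TeamsSetup.exe'   # placeholder path
$ExpectedPublisher = 'CN=Microsoft Corporation'               # subject shown under Properties > Digital Signatures
$ExpectedSha256    = 'PASTE-VENDOR-PUBLISHED-SHA256-HERE'      # placeholder, copy from the vendor's page

$problems = @()

# 1. The signature must chain to a trusted root and the file must be unmodified.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    $problems += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

# 2. The signer subject must be exactly the expected company, not a look-alike
#    such as a name that merely begins with the same words.
$subject = $sig.SignerCertificate.Subject
$pattern = '^' + [regex]::Escape($ExpectedPublisher) + '(,|$)'
if (-not $subject -or $subject -notmatch $pattern) {
    $problems += "Unexpected signer: '$subject'"
}

# 3. A countersignature timestamp records when the file was signed; its absence
#    on a mainstream vendor's installer is unusual and worth treating as a warning.
if ($sig.TimeStamperCertificate) {
    "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
} else {
    $problems += 'No timestamp countersignature present'
}

# 4. The hash comparison does not depend on the certificate at all, so it still
#    catches a file signed with a stolen certificate, provided the published
#    hash itself came from the genuine vendor page.
$actualHash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
if ($actualHash -ne $ExpectedSha256.ToUpperInvariant()) {
    $problems += "SHA-256 mismatch: got $actualHash, expected $ExpectedSha256"
}

if ($problems.Count -eq 0) {
    "OK: '$Installer' is signed by '$subject' and matches the published hash."
} else {
    "DO NOT RUN '$Installer':"
    $problems | ForEach-Object { " - $_" }
}
```

A "Valid" status alone is not proof of safety, which is why the script also pins the signer name and the vendor-published hash; a mismatch on any one of the four checks is reason enough to discard the file.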
If You Suspect an Infection
If you notice unusual system behavior—slow performance, unexpected pop-ups, new browser extensions, outgoing network activity without your action—treat it seriously. Disconnect the device from the internet immediately. Change passwords for critical accounts using a different, known-clean device. Run a full scan with a reputable security tool. If you can, restore from a backup that predates the suspected infection. In corporate environments, involve your IT or security team as soon as possible.
Sources
- “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” CyberSecurityNews, May 21, 2026.
- “TamperedChef Malware Hides in Signed Apps to Drop Stealers and RATs,” gbhackers.com, May 21, 2026.
- Related coverage: “Hackers Use Fake Microsoft Teams Downloads to Deploy ValleyRAT Malware,” CyberSecurityNews, May 21, 2026.