Signed Apps Can Be Dangerous: How to Spot Malware Disguised as Productivity Tools
Most computer users have been told that a digital signature on a software installer means it is safe. That belief is understandable: signatures are meant to verify who published a file and that it has not been tampered with since it was signed. But a recent campaign called TamperedChef shows that even signed applications can carry malware.
Here is what happened and what you can do about it.
What Happened
Security researchers have identified a malware delivery operation that uses popular productivity apps—such as office suites, note-taking tools, and PDF editors—that carry valid digital signatures. The malware, named TamperedChef, works by adding malicious code to otherwise legitimate signed installers. Because the installer appears to be from a trusted publisher, antivirus programs and platform security checks often let it through.
Once installed, the malware delivers information stealers and remote access trojans (RATs). These tools can capture passwords, bank credentials, and other sensitive data, and can give attackers persistent control over the infected machine. The exact scope of the campaign is not yet fully known, but evidence suggests it has been active for several months and targets users who search for free or discounted productivity software.
Why It Matters
Digital signatures are a useful layer of trust, but they are not a guarantee of safety. Attackers can obtain stolen signing certificates, or they may compromise a developer’s build pipeline and inject malicious code before the app is signed. TamperedChef appears to use compromised certificates, meaning the software looks genuine to both Windows and macOS built-in defenses.
The real danger is that signatures create a false sense of security. When people see “Verified publisher” in a download prompt, they click without further thought. This campaign directly exploits that trust. The malware also stays under the radar because it does not trigger typical “suspicious file” alerts—the binary is signed.
What Readers Can Do
Protecting yourself does not require being a security expert. Here are concrete steps you can take:
- Download only from official sources. That means the developer’s own website or a trusted app store (Microsoft Store, Mac App Store, or verified publisher pages on platforms like GitHub). Avoid third-party download sites, especially those that offer “cracked” or “free premium” versions of paid software.
- Check the publisher’s reputation before installing. If you have never heard of the developer, search their name along with the word “malware” or “scam.” Look for recent news or discussions on reputable tech forums.
- Use multiple security tools. A single antivirus may not catch a signed malicious app. Consider using a behavior-based detection tool (for example, Malwarebytes or HitmanPro) alongside your main antivirus, and keep both updated.
- Read the installation prompts carefully. Many signed malware installers ask for suspicious permissions—access to your browser data, full disk access on macOS, or the ability to modify system files. If an installer requests more access than the app needs, cancel the installation.
- Keep your operating system and software updated. Patches often close vulnerabilities that malware exploits to persist after installation.
- If in doubt, scan with an online service. Before running a downloaded installer, upload it to VirusTotal. It will check the file against more than 60 antivirus engines. If even one engine flags it, treat it with suspicion.
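On Windows, the publisher and scanning checks in the steps above can be done from PowerShell before an installer is ever run. The following is an added example, not code from the original article or the cited reports; the function name, its parameters, and the sample path and publisher are assumptions.

```powershell
# Added example. Test-InstallerSignature and its parameters are hypothetical names.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher name as shown on the vendor's official site (you supply it).
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    # SHA-256 lets you look the file up on VirusTotal and quote it in a report.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $publisher = $null
    if ($cert) {
        $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher = $cert.GetNameInfo($nameType, $false)
    }

    $notes = @()
    if ($sig.Status -ne 'Valid') {
        # Covers NotSigned, HashMismatch, NotTrusted and similar states.
        $notes += "Signature status is $($sig.Status)"
    }
    if ($cert -and $publisher -ne $ExpectedPublisher) {
        # A valid signature from an unexpected publisher is the case to catch.
        $notes += "Signed by '$publisher', expected '$ExpectedPublisher'"
    }

    [pscustomobject]@{
        File       = $Path
        Sha256     = $hash
        Status     = $sig.Status
        Publisher  = $publisher
        Issuer     = if ($cert) { $cert.Issuer } else { $null }
        # Thumbprint and serial identify the certificate when reporting abuse.
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Serial     = if ($cert) { $cert.SerialNumber } else { $null }
        Review     = $notes.Count -gt 0
        Notes      = $notes -join '; '
    }
}

# Constructed usage (path and publisher are placeholders):
# Test-InstallerSignature -Path "$HOME\Downloads\setup.exe" -ExpectedPublisher 'Example Software Ltd'
```

A result with Review set to False only means the signature is intact and names the publisher you expected; the source and behavior checks in this article still apply.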
What to Do If You Suspect Infection
If you think you have installed a malicious signed app, take these steps:
- Disconnect the computer from the internet to prevent data exfiltration.
- Run a full system scan with your primary antivirus and a second opinion scanner.
- Change passwords for critical accounts (email, banking, social media) from a clean device.
- Consider restoring from a clean backup if the infection seems persistent.
- Report the signed malicious file to the relevant platform (Microsoft, Apple, or the developer whose certificate was abused) so the certificate can be revoked.
Sources
- CyberSecurityNews: “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs” (May 21, 2026)
- The Hacker News: Coverage of signed malware trends (May 21, 2026)
- Additional reporting on digital signature abuse in cyberattack campaigns
The takeaway is straightforward: a digital signature means the file has not been modified since it was signed, but it does not mean the software is safe. Always verify the source and the behavior of any program you run on your machine.