Signed Productivity Apps Used to Spread Malware: How to Stay Safe
A new malware campaign is exploiting a common trust signal: the digital signature that appears when you install software. Dubbed TamperedChef by researchers, the malware uses stolen or purchased code signing certificates to make fake versions of popular free tools like Notepad++ and 7-Zip look legitimate. Once installed, it delivers information stealers and remote access trojans (RATs) that can give attackers full control of your machine.
Here is what happened, why it matters, and what you can do to avoid falling victim.
What Happened
According to a report published on May 21, 2026, by CyberSecurityNews, the TamperedChef campaign relies on signed executables that appear to come from well-known publishers. The attackers either buy code signing certificates on underground markets or steal them from legitimate developers. They then package malware inside copies of productivity applications that many people download from third-party download sites or unofficial mirrors.
When a user runs the installer, the operating system shows a verified publisher name, which reduces the normal suspicion that might accompany a download from an unknown source. Behind the scenes, the installer drops a stealer (which can harvest saved passwords, browser cookies, and cryptocurrency wallets) and a RAT that allows the attacker to browse files, record keystrokes, and even turn on webcams.
The exact scale of infections is not yet known, but the technique of abusing code signing is long‑standing and frequently successful.
Why It Matters
Most computer users have been told to run only software that is digitally signed. The assumption is that a valid signature guarantees the software came from the stated developer and has not been tampered with. TamperedChef shows that this assumption is no longer safe on its own.
A digital signature proves only that the file was signed with a particular certificate at some point in time. If that certificate was stolen or bought by an attacker, the signature says nothing about whether the file is safe: malicious files signed with it pass standard signature checks. Many security products also extend more trust to signed software, so the malware may avoid detection at the moment of installation.
For everyday users who rely on free tools like Notepad++ for text editing, 7-Zip for file compression, or similar utilities, the risk is real. These applications are widely mirrored on thousands of sites, and it is easy to click a download link without checking the source.
What Readers Can Do
You do not need to stop using productivity apps. But you should adjust how you decide which download is safe.
Always download from the official website. For Notepad++, use notepad-plus-plus.org. For 7-Zip, use 7-zip.org. Bookmark these addresses. Do not rely on search engine results that may show ads or sponsored links pointing to fake sites.
Check the publisher name during installation. If the installer says the publisher is something unrelated (e.g., “FastDownloader LLC” when you expected the official developer), cancel the installation immediately.
Verify file hashes when security is important. Many official sites publish MD5, SHA-1, or SHA-256 hashes. After downloading, you can calculate the hash of the file you have (using a tool like HashCheck or the PowerShell command Get-FileHash) and compare it. If they differ, the file has been modified.
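The publisher and hash checks from the two tips above can be combined into one PowerShell function. This is an added example, not code from the report; the function name, the demo file, and the stand-in "published" hash are all constructed for illustration, and the expected hash and publisher name must come from the official site.

```powershell
function Test-InstallerDownload {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,  # copied from the official site
        [string] $ExpectedPublisher                       # optional: signer name you expect
    )
    # SHA-256 is used because MD5 and SHA-1 are no longer collision-resistant.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = $actual -eq $ExpectedSha256.Trim()          # -eq ignores case

    # Read the Authenticode signature and the signer's simple name (usually the CN).
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    } else { '' }

    # A valid signature never rescues a hash mismatch, and a valid signature
    # from an unexpected publisher is a failure, not a pass.
    $verdict = if (-not $hashOk) {
        'REJECT: hash differs from the published value'
    } elseif ($ExpectedPublisher -and
              ($sig.Status -ne 'Valid' -or $signer -ne $ExpectedPublisher)) {
        'REJECT: not validly signed by the expected publisher'
    } else { 'PASS' }

    [pscustomobject]@{
        File = $Path; Sha256 = $actual; HashMatches = $hashOk
        SignatureStatus = $sig.Status; Signer = $signer; Verdict = $verdict
    }
}

# Demo on a constructed file standing in for an installer.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'demo-installer.bin'
Set-Content -LiteralPath $demo -Value 'constructed sample bytes' -NoNewline
# Stand-in for the hash an official site would publish (constructed here).
$published = (Get-FileHash -LiteralPath $demo -Algorithm SHA256).Hash
Test-InstallerDownload -Path $demo -ExpectedSha256 $published   # file as published
Add-Content -LiteralPath $demo -Value 'x'                       # simulate tampering
Test-InstallerDownload -Path $demo -ExpectedSha256 $published   # file after modification
Remove-Item -LiteralPath $demo
```

The publisher parameter is optional because some legitimate installers are not signed at all; in that case the hash from the official site is the only check that applies.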
Enable additional protections in Windows. Windows Defender can be configured to use reputation‑based protection. Go to Windows Security > App & browser control > Reputation‑based protection and turn on the options for potentially unwanted app blocking and SmartScreen for Microsoft Store apps. This will warn you about low‑reputation files even if they are signed.
Use sandboxing for risky downloads. If you must download a tool from an unfamiliar source, run it in a virtual machine or with Windows Sandbox (available in Windows 10/11 Pro and Enterprise). This prevents the malware from reaching your main system.
What to do if you think you are infected. Disconnect from the internet. Run a full scan with Windows Defender or another reputable antivirus. Change passwords for any accounts you accessed after the infection started, using a clean device. Monitor accounts for unusual activity, especially bank and email accounts. If you find a RAT, consider a full system reset to be safe.
The TamperedChef campaign is a reminder that trust signals can be gamed. Staying safe means being careful about where you get your software, not just about whether the file has a signature.
Sources
- “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” CyberSecurityNews, May 21, 2026.
- References to code signing certificate theft and abuse are based on the same report and are consistent with known attack patterns documented by security vendors.