TamperedChef Malware Hits Signed Productivity Apps: What You Need to Know
A new malware campaign is exploiting a trick that makes malicious software look trustworthy: it uses authentic-looking code signing certificates. Dubbed “TamperedChef,” the campaign targets users of popular productivity applications such as Notepad++ and WinSCP, delivering information stealers and remote access trojans (RATs) through what appear to be legitimate signed installers.
What Happened
According to a report published in late May 2026, security researchers identified attackers who had obtained stolen or forged code signing certificates. They used these certificates to sign modified copies of well-known freeware tools. The tampered installers were then distributed through fake download portals, search engine ads, and third-party software repositories.
When a user runs the signed installer, Windows or macOS does not display the usual “unknown publisher” warning because the digital signature appears valid. Behind the scenes, the installer drops additional payloads—typically an info-stealer that harvests browser credentials, cryptocurrency wallets, and saved passwords, or a RAT that gives the attacker remote control over the system.
The campaign is still active, and the researchers who discovered it have not yet released a full list of compromised applications. However, the named examples (Notepad++, WinSCP) are commonly downloaded from non-official sites, making them frequent targets.
Why It Matters
Signed malware is dangerous precisely because it bypasses the security heuristic most people rely on: “if Windows says the publisher is trusted, it must be safe.” Code signing is a standard defense against tampering, but certificates can be stolen (from legitimate developers or certificate authorities) or, in some cases, fraudulently issued.
Once a signed malicious binary passes the initial trust checkpoint, it can often evade antivirus detection longer than an unsigned one. The malware author can also request elevated permissions or install silently, since the system treats the signed code as more reliable.
For everyday users—especially those who download productivity tools from search engine results rather than the official app store—this means the usual green checkmark is no longer a guarantee of safety.
What Readers Can Do
You don’t need to become a security expert to reduce your risk. A few straightforward habits can help:
Download only from official sources.
Go directly to the publisher’s website (e.g., notepad-plus-plus.org) or a trusted app store. Avoid “mirrors,” “download portals,” or links in ads—even if they appear at the top of search results.
Check the digital signature before installing.
On Windows: right-click the installer, select Properties → Digital Signatures. The signer should match the application’s known publisher (e.g., “Notepad++” or “Don Ho” for Notepad++). If the name seems off, or the signature date is very recent for an older version of the program, stop.
On macOS: right-click the app and choose Get Info → Mac App Store or Developer ID. A warning instead of a verified entry is a red flag.
Verify file hashes when available.
Many official download pages provide a SHA-256 checksum. After downloading, generate the hash (using certutil -hashfile file.exe SHA256 on Windows, or shasum -a 256 file.dmg on macOS) and compare it. A mismatch means the file is not the original.
Watch for unusual installer behavior.
Legitimate productivity apps rarely ask for broad permissions like “access your files,” “modify system settings,” or “run at startup” without reason. If an installer triggers User Account Control repeatedly or tries to launch network connections during setup, cancel the installation.
Keep your antivirus updated.
Most modern security tools now include behavioral detection that can flag signed malware that acts suspiciously. But rely on it as a safety net, not your first line of defense—signed malware can sometimes slip past scanning engines.
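The signature and hash checks from the list above, combined into one PowerShell function. This is an added example, not code from the report or from any publisher; the function name, its parameters and the sample values are hypothetical. It treats a valid signature as necessary but not sufficient.

```powershell
# Added example. Function name, parameters and sample call are hypothetical.
function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 copied from the publisher's official download page
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Exact publisher name expected in the signing certificate (its CN)
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate            # $null when the file is unsigned
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Published hashes vary in case and may carry stray whitespace.
    $expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()

    $signerName = $null
    if ($cert) {
        $nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signerName = $cert.GetNameInfo($nameType, $false)
    }

    $signatureValid = $sig.Status -eq 'Valid'
    $signerMatches  = $signerName -eq $ExpectedSigner   # exact match, not substring
    $hashMatches    = $hash -eq $expected

    # A stolen certificate passes both signature checks, so the verdict
    # also requires the hash from the official page to match.
    $ok = $signatureValid -and $signerMatches -and $hashMatches

    [pscustomobject]@{
        File           = $Path
        SignatureValid = $signatureValid
        SignerName     = $signerName
        SignerMatches  = $signerMatches
        # Compare these two with the certificate on an earlier release you trust.
        CertThumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        CertValidFrom  = if ($cert) { $cert.NotBefore } else { $null }
        Sha256         = $hash
        HashMatches    = $hashMatches
        Verdict        = if ($ok) { 'OK' } else { 'DO NOT INSTALL' }
    }
}

# Sample call with placeholder values:
# Test-InstallerTrust -Path .\installer.exe `
#     -ExpectedSha256 '<sha256 from the official download page>' `
#     -ExpectedSigner '<publisher name>'
```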
Sources
- CybersecurityNews: “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs” (May 21, 2026).