TamperedChef Malware: How Hackers Hide Stealers Inside Signed Productivity Apps

If you download a productivity app like Zoom, Microsoft Teams, or Slack from anywhere other than the official publisher site, you might be getting more than you bargained for. A new campaign, tracked as TamperedChef, is using signed installers of these everyday tools to quietly deliver information stealers and remote access Trojans (RATs). Here’s what’s happening and how to avoid falling victim.

What happened

According to reports from cybersecurity researchers in late May 2026, attackers are distributing tampered versions of popular productivity applications. The malicious installers carry valid digital signatures, made with either stolen code-signing certificates or certificates bought from shady resellers, so Windows raises no unsigned-publisher warning and many antivirus products treat the files as trusted. Once installed, the software drops payloads such as ValleyRAT and various credential stealers.

The campaign seems to rely on two main infection vectors: fake download websites that impersonate official app pages, and poisoned search ads that drive users to those sites. In some cases, attackers have also used compromised third-party software repositories. The malware then collects saved passwords, browser cookies, cryptocurrency wallet files, and other sensitive data. It can also open a backdoor for further attacks.

Why it matters

For years, security advice has included “check the digital signature” as a way to verify that software hasn’t been tampered with. TamperedChef undermines that trust. A valid signature proves only that the file has not changed since it was signed by someone holding a code-signing key; it says nothing about whether that key’s owner is honest or whether the key was stolen. A signed application is therefore no longer automatic proof of safety. This especially affects people who rely on productivity tools for work: an infected machine can lead to credential theft, data leaks, or even a foothold into a corporate network.

The campaign is also notable because it targets a broad audience. Nearly every Windows user has installed Teams, Zoom, or Slack at some point. Attackers know that people often search for these apps and may click the first link they see without double-checking the source.

What readers can do

The good news is that a few straightforward habits can stop this threat before it starts.

Always download from official sources. Go directly to the publisher’s website (e.g., zoom.us, microsoft.com, slack.com) or use the Microsoft Store. Type the address yourself rather than clicking a search result, and skip sponsored links entirely, since poisoned ads are one of this campaign’s delivery routes. Do not trust third-party download sites, no matter how polished they look.

Verify the signature, but do it properly. Right-click the installer, go to Properties, then the Digital Signatures tab. The “This digital signature is OK” message only means the certificate chains to a root Windows trusts; a certificate bought in a shell company’s name shows exactly the same message. The check that matters is the signer’s name: it must be the legitimate company (e.g., “Microsoft Corporation” for Teams), spelled exactly, not a look-alike. Also open Details and confirm a countersignature (timestamp) is present; real vendors timestamp their releases. If anything seems off (an unknown or look-alike signer, a certificate that has expired with no timestamp, or a warning that the certificate is not trusted), delete the file. Better still, compare the signer and the file’s SHA-256 hash with a copy you fetched from the vendor’s own site.
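The same check from PowerShell, as an added example that is not from the article or from any vendor. It goes beyond the Properties dialog in three ways: it compares the signer’s common name against an allowlist you supply, optionally pins the exact certificate thumbprint, and rebuilds the chain with an online revocation check (a stolen certificate is usually revoked once the theft is noticed, and a cached CRL can let it pass). The function name, the expected-signer list and the sample path in the usage line are assumptions; fill them in from a copy obtained from the publisher’s own site.

```powershell
# Added example (not the article's or any vendor's code): check an installer's
# Authenticode signature more thoroughly than the "signature is OK" dialog.
# The signer names and paths used below are ASSUMPTIONS for illustration.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Allowlist of signer common names (CN). Populate from a known-good copy
        # downloaded from the vendor's own site; 'Microsoft Corporation' is the
        # name the article cites for Teams.
        [Parameter(Mandatory)] [string[]] $ExpectedSigners,
        # Optional: pin the exact signing certificate (thumbprint from a known-good copy).
        [string] $ExpectedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $problems = @()
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop

    # 1. Is the file signed, and does its hash still match what was signed?
    #    Any status other than Valid (NotSigned, HashMismatch, NotTrusted, ...) is a stop.
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        # 2. A chain to a trusted root says nothing about WHO signed. The CN must
        #    match the publisher you expect, exactly, not a look-alike.
        if ($ExpectedSigners -notcontains $cn) {
            $problems += "Signed by '$cn' (subject: $($cert.Subject)), not an expected publisher"
        }

        # 3. Optional pin on the exact certificate.
        if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
            $problems += "Signer thumbprint $($cert.Thumbprint) differs from pinned $ExpectedThumbprint"
        }

        # 4. Rebuild the chain with an ONLINE revocation check limited to the
        #    code-signing EKU (OID 1.3.6.1.5.5.7.3.3). Stolen certificates get
        #    revoked; an offline or cached check may not see that yet.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chain.ChainPolicy.ApplicationPolicy.Add(
            [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3')) | Out-Null
        if (-not $chain.Build($cert)) {
            foreach ($s in $chain.ChainStatus) {
                $problems += "Chain: $($s.Status) - $($s.StatusInformation.Trim())"
            }
        }

        # 5. Real vendors timestamp (countersign) releases; a missing timestamp
        #    is unusual and also means an expired certificate cannot be excused.
        if (-not $sig.TimeStamperCertificate) {
            $problems += 'No timestamp countersignature'
        }
    }

    # Report everything, plus the SHA-256 hash for comparison with a known-good copy.
    [pscustomobject]@{
        Path     = $Path
        Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Status   = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Trusted  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (path and signer list are assumed values; only install when Trusted is True):
# Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\TeamsSetup.exe" `
#     -ExpectedSigners 'Microsoft Corporation' | Format-List
```

Dot-source the file, run the function on the downloaded installer, and refuse to run the installer unless Trusted is True and the Problems list is empty. The CN comparison is deliberately exact: a certificate issued to a similarly named shell company will chain cleanly and show “OK” in the dialog, and only the name comparison catches it.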

Use endpoint protection. Windows Defender (now Microsoft Defender) is adequate for most home users, but make sure it’s turned on and up to date. Take Microsoft Defender SmartScreen warnings seriously: it flags downloads from publishers with little reputation, and a freshly bought or stolen certificate usually has none, so don’t click through “Run anyway”. Some third-party tools also offer behavior-based detection that can spot malicious activity, such as a Teams installer dropping a second executable, even when the installer is validly signed.

Keep your software updated. Legitimate apps frequently push updates through their own built-in updaters. Avoid clicking update prompts on web pages or via email; use the app’s own update mechanism instead.

If you suspect an infection: Disconnect the machine from the network, then run a full system scan with Defender or a second-opinion scanner like Malwarebytes. Because a RAT gives the attacker persistent access, the reliable fix is to back up your data and reinstall Windows rather than trust a cleanup. Change passwords for any accounts that were used on the infected machine, and do this from a different, clean device. Because this malware steals browser cookies, a new password alone is not enough: use each account’s security settings to sign out of all sessions so that the stolen cookies stop working. Enable multi-factor authentication everywhere to limit the damage from stolen credentials, keeping in mind that it does not protect a session whose cookie has already been taken.
