TamperedChef Malware: How Signed Apps Are Being Used to Steal Your Data

A new malware campaign is taking advantage of a trust mechanism most users rely on: digital signatures. Called TamperedChef, it hides inside legitimate-looking copies of popular productivity software. If you use tools like Notepad++, 7‑Zip, or other free utilities, it is worth understanding how this works and what you can do to stay safe.

What Happened

On May 21, 2026, researchers reported that attackers are distributing versions of well‑known productivity apps that appear to be properly signed. Signed software generally carries a digital certificate that says it came from a legitimate developer. In this campaign, the criminals used either stolen or fraudulent code‑signing certificates to make their malware look authentic.

Once a user installs the tampered app, the malware delivers two types of payloads: a stealer that captures credentials, browser data, and other sensitive information, and a remote access trojan (RAT) that gives the attacker full control of the machine. The apps being spoofed include common free utilities that many people download to open compressed files, edit text, or view PDFs.

At this point, the full list of affected apps has not been disclosed, but the campaign appears to focus on software that is widely used and often obtained from third‑party download sites rather than the official developer’s site.

Why It Matters

Many users assume that if a file is digitally signed, it is safe. That is not always true. A valid signature shows only that the file was signed with a particular certificate and has not been altered since; it does not show that the certificate is legitimate or in the hands of its rightful owner. Attackers can buy stolen certificates on underground markets, or obtain fraudulent ones if they find weaknesses in a certificate authority's identity checks.

This kind of attack is a form of supply‑chain compromise: rather than breaking into a developer’s own servers, the attackers piggyback on the trust users have in common tools. The result is that even cautious users who avoid clicking on shady email attachments can still be infected simply by installing a program they think is legitimate.

The malware can steal saved passwords, banking details, and cryptocurrency wallets, and the RAT component can be used to spy on the victim, install additional malware, or pull the machine into a botnet.

What Readers Can Do

You do not need to stop using productivity apps, but you can take a few simple precautions.

Download only from official sources. The safest place to get Notepad++ is from its own website (notepad-plus-plus.org). For 7‑Zip, go to 7-zip.org. Avoid third‑party download aggregators, which are a common source of repackaged malware.

Be wary of unexpected update prompts. Malware often masquerades as an update for a program you already have. If your browser shows a pop‑up telling you to update a tool, close the browser and open the application’s own update feature inside the program itself.

Use antivirus software and keep it current. Modern security tools can detect many variants of stealers and RATs, even if the initial file is signed. Enable real‑time scanning and let the software update automatically.

Check digital signatures if you know how. On Windows, right‑click the installer, select Properties, and go to the Digital Signatures tab. Look for the signer name and make sure it matches the developer (e.g., “Notepad++” or “Igor Pavlov” for 7‑Zip). If there is no signature, or if the signer is unknown, do not run the file.

Consider verifying file hashes. Some developers publish checksums (MD5, SHA‑256) on their official site. After downloading, you can generate the hash of the file and compare it with the published value. This is extra effort, but it is the most reliable way to confirm the file you have is exactly the one the developer released.
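The two checks above (signer name and file hash) can be run together from PowerShell before an installer is ever launched. The script below is an added example written for this article, not code from the article's source or from any of the developers mentioned; the expected signer and SHA‑256 value are placeholders you fill in from the developer's official download page.

```powershell
# Added example: verify a downloaded installer's Authenticode signature and
# SHA-256 hash before running it. Expected signer and hash are assumptions
# supplied by the user from the developer's official site.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner,  # e.g. 'Igor Pavlov' for 7-Zip
        [string] $ExpectedSha256                           # published checksum; optional
    )

    $problems = @()

    # 1. Signature must be present, unbroken, and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is '$($sig.Status)', not 'Valid'"
    }

    # 2. A valid signature from the wrong party is still a red flag:
    #    the subject must name the developer you expect.
    $subject = $sig.SignerCertificate.Subject   # $null when the file is unsigned
    if (-not $subject -or $subject -notmatch [regex]::Escape($ExpectedSigner)) {
        $problems += "Signer '$subject' does not match expected '$ExpectedSigner'"
    }

    # 3. The hash binds the file to exactly what the developer published.
    #    PowerShell's -ne is case-insensitive, so hash letter case does not matter.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            $problems += "SHA-256 $actual does not match published $ExpectedSha256"
        }
    }

    $verdict = if ($problems.Count -eq 0) { 'OK' } else { 'DO NOT RUN' }

    [pscustomobject]@{
        File     = $Path
        Status   = $sig.Status
        Signer   = $subject
        Verdict  = $verdict
        Problems = $problems
    }
}

# Usage (placeholder path and hash; replace with values from the official site):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\7z-setup.exe" `
#     -ExpectedSigner 'Igor Pavlov' -ExpectedSha256 '<SHA-256 from 7-zip.org>'
```

A result of `OK` means the signature chain is intact, the signer's certificate names the expected developer, and the file matches the published checksum. Note that a `Valid` status with the right signer name still cannot rule out a stolen certificate, which is exactly the trick TamperedChef relies on; that is why the hash comparison against the official site is the stronger of the two checks. Where a developer publishes both MD5 and SHA‑256, use the SHA‑256 value, since MD5 collisions are practical today.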

Finally, be cautious about any program that asks for administrator privileges or makes unusual network connections. When in doubt, scan the file with an online malware analysis tool before installing.

Sources

This article is based on reporting from CyberSecurityNews published on May 21, 2026. The campaign is still being investigated, and more details about the specific apps and certificates used may emerge in the coming days. Always verify advice against your own security needs and consider consulting a cybersecurity professional if you suspect an infection.