TamperedChef Malware: How Signed Productivity Apps Are Being Weaponized to Steal Your Data
It is easy to assume that a digitally signed application is safe. That little certificate next to the publisher name has long been a shorthand for “this software came from a legitimate source.” A new malware campaign called TamperedChef aims to exploit that trust. Instead of bypassing code-signing checks, the attackers have found ways to use valid digital signatures to make their malicious apps look legitimate.
What Happened
In May 2026, security researchers reported a campaign that delivers information stealers and remote access trojans (RATs) through productivity applications that appear to be properly signed. The attackers are not forging signatures from scratch. They are using stolen or fraudulently obtained code-signing certificates. Once installed, the malware can exfiltrate credentials, capture keystrokes, take screenshots, and give attackers remote control over the infected machine.
The apps being used as carriers include common tools such as text editors, PDF readers, and communication software. The exact list of targeted apps is not fully public yet, but the pattern is clear: the attackers choose software that many people download without a second thought, often from third‑party sites or email attachments.
Because the files carry a valid digital signature, they may pass the basic antivirus checks and operating system warnings that would normally flag unsigned downloads. The signature only tells Windows (or macOS) that the file has not been modified since the publisher signed it. In this case the signature itself is legitimate, but the publisher’s key was compromised, so the check passes for the wrong reason.
Why It Matters
For years, security advice has included “only install software from official sources” and “check the digital signature.” The TamperedChef campaign highlights a gap in that advice: a valid signature does not guarantee the software is trustworthy if the certificate was stolen.
This matters for everyone. Small businesses and home users are often the first targets because they are less likely to verify the publisher’s identity beyond the green checkmark. IT teams also need to reconsider how they evaluate software trust. A signed executable from a known vendor like Adobe or Microsoft is one thing, but a signed installer from a lesser‑known developer requires extra scrutiny.
The attack also shows that code-signing certificates themselves have become a target for cybercriminals. Once stolen, they can be reused across multiple campaigns, making it harder for signature‑based detection tools to keep up.
What Readers Can Do
The simplest protection is to avoid downloading productivity software from unofficial sources. Use the official app store for your operating system or the vendor’s own website. If you receive a file via email or a link from a colleague, verify the publisher before running it.
Here are practical steps:
- Check the publisher name in the digital signature details. If it says “Unknown” or a name that does not match the software, do not install it.
- Compare the file hash with the hash listed on the vendor’s website. This is not something most users do daily, but for critical software it is worth the extra minute.
- Watch for unusual behavior after installation. Slower performance, unexpected pop‑ups, or unexplained network activity can indicate malware even if the signature was clean.
- Use application‑control policies in your organization. Only allow execution of software from trusted publishers whose certificates are verified through a centralized system.
For IT professionals: consider monitoring for recently signed executables from publishers that are not part of your approved list. Also, check for expired or revoked certificates—attackers sometimes use certificates that have been revoked but are still accepted by older systems.
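As an added example that is not part of the original article, the following Windows PowerShell script puts the publisher check, the vendor-hash comparison, and the revocation check from the steps above together for a single downloaded installer. The approved-publisher subject and the vendor hash are placeholders you would replace with your own values.

```powershell
# Added example, not from the article: a local trust check for a downloaded installer.
# Assumed inputs (constructed): the installer path, the SHA-256 the vendor publishes on
# its download page, and the signer subject names your organisation has approved.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $VendorSha256 = '',
    [string[]] $ApprovedSubjects = @('CN=Example Vendor Ltd, O=Example Vendor Ltd, C=US')  # placeholder
)

function Test-InstallerTrust {
    param([string] $Path, [string] $VendorSha256, [string[]] $ApprovedSubjects)
    $findings = @()
    # 1. Authenticode status: NotSigned, HashMismatch (file altered after signing) or
    #    NotTrusted all fail here. A 'Valid' result alone is not enough, as the campaign shows.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    $cert = $sig.SignerCertificate
    if (-not $cert) { return $findings + 'No signer certificate present' }
    # 2. Publisher identity: a valid signature from a subject you never approved is the
    #    TamperedChef case, so compare against an explicit allow list rather than the UI checkmark.
    if ($ApprovedSubjects -notcontains $cert.Subject) {
        $findings += "Signer '$($cert.Subject)' is not on the approved-publisher list"
    }
    # 3. Chain and revocation: force an online CRL/OCSP lookup so a certificate revoked
    #    after theft is caught even on a system that would otherwise accept it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    if ($status -contains 'Revoked') { $findings += 'Signing certificate has been revoked by its CA' }
    if ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') {
        $findings += 'Revocation status could not be determined (treat as unverified)'
    }
    # An expired certificate is acceptable only if the signature carries a trusted timestamp.
    if ($status -contains 'NotTimeValid') { $findings += 'Signing certificate is expired; check for a timestamp' }
    # 4. Vendor-published hash: catches a swapped installer even when the signature is fine.
    if ($VendorSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $VendorSha256.Trim()) { $findings += "SHA-256 $actual differs from the vendor-published hash" }
    }
    return $findings
}

$result = @(Test-InstallerTrust -Path $Path -VendorSha256 $VendorSha256 -ApprovedSubjects $ApprovedSubjects)
if ($result.Count -eq 0) { 'OK: valid signature, approved publisher, revocation checked, hash matches.' }
else { $result | ForEach-Object { "FINDING: $_" }; exit 1 }
```

Run it as `.\Test-Installer.ps1 -Path .\setup.exe -VendorSha256 <hash from the vendor page>`; a non-zero exit code means at least one finding should be reviewed before the installer is allowed to run.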
If you suspect an infection:
- Disconnect the device from the network immediately.
- Run a full scan with an up‑to‑date antivirus or endpoint detection tool.
- Change passwords for any accounts accessed from that device, especially if you used the compromised computer to log into email, banking, or work systems.
- Report the incident to your IT department or cybersecurity team.
Sources
CyberSecurityNews, “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” published May 21, 2026. The article is the primary source for the campaign details described in this post.
Additional guidance on code‑signing certificate hygiene can be found through the National Institute of Standards and Technology (NIST) and the Cyber Security Agency of Singapore (CSA), both of which have published recommendations for certificate management and verification.