TamperedChef Malware: How Signed Productivity Apps Are Delivering Stealers and RATs
A new malware campaign called TamperedChef is making it harder to tell safe app installers from dangerous ones. Attackers are using digitally signed installers that look exactly like popular productivity software—Zoom, Microsoft Teams, Slack—but actually contain credential stealers and remote access trojans (RATs). The campaign was detailed by CyberSecurityNews on May 21, 2026, and it’s a reminder that even a “verified publisher” warning in Windows isn’t a guarantee of safety.
What Happened
Security researchers discovered that TamperedChef operators are obtaining valid code signing certificates through theft or abuse. They then sign malicious installers so that the files appear legitimate to both users and security software that trusts signed applications. Once installed, the malware silently extracts saved passwords, browser cookies, and other sensitive data, and in some cases gives attackers full remote control of the infected machine.
The campaign targets anyone downloading common workplace tools. Because these apps are updated frequently and often redistributed through unofficial mirrors, users can accidentally pick up a tampered version without realizing it. The use of real digital signatures makes the malicious files especially hard to detect—standard antivirus programs often trust signed executables by default.
Why It Matters
For everyday users, digital signatures have long been treated as a reliable indicator of authenticity. You see a “Microsoft Corporation” or “Zoom Video Communications” certificate and assume the file is safe. But a signature only proves that the file was signed with the private key the certificate names and has not been altered since; it says nothing about whether the code is benign. TamperedChef exploits that gap in trust.
Infostealers can harvest login details for email, banking, and social media accounts. RATs allow attackers to spy on your screen, record keystrokes, and even turn on your webcam. Because the malware uses a signed installer, it may not trigger any red flags until it’s too late.
The threat isn’t limited to Windows either. Similar campaigns could target macOS or Linux users, depending on the certificate’s scope. The key point: a valid signature no longer means the software is clean.
What You Can Do
This situation is worrying, but there are practical steps you can take to reduce your risk:
- Only download from official sources. The safest place to get Zoom, Teams, Slack, or any other productivity app is the developer’s own website or an official app store (Microsoft Store, Mac App Store, etc.). Avoid third-party download sites, even if they appear in search results.
- Check the digital signature before running an installer. On Windows, right-click the installer file, select Properties, and go to the Digital Signatures tab. Verify that the signer name matches the expected publisher (e.g., “Zoom Video Communications, Inc.”) and that the certificate is issued by a trusted root authority. If the signature says “Unknown” or shows a publisher you don’t recognize, do not run the file. Because TamperedChef signs with genuinely valid certificates, a matching name only clears the first hurdle; treat it as necessary, not sufficient.
- Use an antivirus with behavior-based detection. Traditional signature-based antivirus may miss signed malware. Modern security tools that monitor application behavior, such as Windows Defender with cloud-delivered protection enabled or third-party suites with behavioral analytics, are better at catching suspicious activity even when the file is signed.
- Keep your software updated. Attackers often exploit vulnerabilities in outdated apps to gain initial access. Enable automatic updates for your operating system and all installed applications.
- Consider using an app reputation service. Some antivirus programs include a reputation check for newly downloaded files, scoring them based on prevalence and history. If a file is rarely seen or comes from an untrusted source, it will be flagged even if it’s signed.
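The signature check above can be scripted so that every installer in a download folder is verified the same way before anyone runs it. The following PowerShell is an added example, not code from the article or from CyberSecurityNews; the folder path, the file-name patterns and the expected publisher strings are assumptions to adjust against a known-good copy of each installer.

```powershell
# Added example: verify Authenticode signatures on downloaded installers and
# compare the signer's subject against an allowlist of expected publishers.
# Assumptions: installers sit in $env:USERPROFILE\Downloads; the patterns and
# subject strings below are illustrative and must be confirmed per organisation.

$ExpectedPublishers = @{
    'Zoom*.exe'   = 'CN=Zoom Video Communications, Inc.'   # assumed subject prefix
    '*Teams*.exe' = 'CN=Microsoft Corporation'             # assumed subject prefix
}

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $name = Split-Path $Path -Leaf
    $expected = $ExpectedPublishers.GetEnumerator() |
        Where-Object { $name -like $_.Key } |
        Select-Object -First 1 -ExpandProperty Value

    $result = [pscustomobject]@{
        File       = $name
        Status     = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer     = $sig.SignerCertificate.Subject   # null when the file is unsigned
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Expires    = $sig.SignerCertificate.NotAfter
        Verdict    = 'REVIEW'
    }

    if ($sig.Status -ne 'Valid') {
        $result.Verdict = 'BLOCK: signature ' + $sig.Status
    } elseif (-not $expected) {
        $result.Verdict = 'REVIEW: no allowlist entry for this file name'
    } elseif ($sig.SignerCertificate.Subject -notlike "$expected*") {
        # Chain is trusted but the subject is not the publisher we expect.
        $result.Verdict = 'BLOCK: signer does not match expected publisher'
    } else {
        # Chain and subject check out. A stolen certificate still passes here,
        # so pair this with reputation and behavioural controls, and pin the
        # thumbprint once a good copy has been confirmed.
        $result.Verdict = 'PASS (signature checks only)'
    }
    return $result
}

Get-ChildItem "$env:USERPROFILE\Downloads" -Filter '*.exe' |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName } |
    Format-Table File, Status, Verdict, Signer -AutoSize
```

Extend the allowlist with one entry per installer you actually deploy, and record the thumbprint from a verified download so later copies can be compared against it rather than against the subject name alone.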
If you suspect you’ve already installed a tampered app, act quickly:
- Run a full system scan with your antivirus.
- Change passwords for all critical accounts (email, banking, social media) from a different, clean device.
- Enable two-factor authentication on every account that supports it.
- Check for any new accounts or unfamiliar devices in your online accounts.
Sources
- “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs,” CyberSecurityNews, May 21, 2026. This article is the primary source for the campaign details above.