TamperedChef Malware: How Signed Productivity Apps Are Spreading Stealers and RATs

A new malware campaign called TamperedChef is making the rounds, and it has a trick worth understanding if you download software from anywhere other than an official store. The attackers are taking popular productivity applications, modifying them, and then signing them with seemingly valid digital certificates. That signature helps the malware slip past initial security checks, at least for a while. Once installed, the payloads include information stealers and remote access trojans (RATs). The primary entry point appears to be cracked or “free” versions of paid software downloaded from unofficial sites.

What happened

Security researchers have observed a campaign where attackers distribute modified versions of legitimate productivity apps—things like office suites, project management tools, or note-taking software. Instead of simply bundling malware with the installer, the attackers have gone a step further: they sign the modified executables with a digital certificate that appears authentic. Digital signatures are normally a sign that the software has not been tampered with, but in this case the signing process has been compromised, either through stolen certificates or by using self-signed certificates that mimic trusted names.

Once a user installs the tampered app, the malware quietly drops a secondary payload, often an information stealer that harvests passwords, browser cookies, and cryptocurrency wallet files. It can also install a remote access trojan (RAT) that gives the attacker persistent control over the machine. Because the initial installer is signed, some antivirus engines may initially treat it as benign, though behavioral detection tools can still catch it after execution.

Why it matters

For the average consumer, this campaign highlights a weakness in how we often judge software safety. Many people see a green checkmark or a “signed by” notice and assume an app is legitimate. TamperedChef exploits that trust by using valid-looking signatures. The heavy reliance on cracked software also means that people who try to avoid paying for apps are putting themselves at higher risk. Once an attacker has access to a machine, they can steal sensitive information, install additional malware, or use the device as part of a botnet.

The campaign is still active, and because the attackers can rotate certificates and change the apps they target, it’s not a single malware strain you can simply block by name. Instead, it’s a method that requires a different kind of vigilance.

What readers can do

If you already use productivity apps—especially ones you may have downloaded from a third-party site or a torrent—here are practical steps to reduce risk.

Check the source before downloading

Only download software from the developer’s official website or from a trusted app store (Microsoft Store, Mac App Store, official Linux repos). If an app is normally paid and you find a “free” version on a forum or file-sharing site, assume it is malicious. Cracked apps are the primary vector for TamperedChef.

Verify digital signatures carefully

On Windows, right-click the installer file, select Properties, and go to the Digital Signatures tab. Look at the signer name. If it says “Unknown” or something generic, avoid it. Even if it lists a known company name, check that the certificate was issued by a major certificate authority (like DigiCert, Sectigo, or GlobalSign). Some attackers use self-signed certificates that list a fake company name. On macOS, check the signature via codesign -dvv /path/to/app in Terminal. If the app is not signed by Apple or the developer, don’t run it.
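The Windows check above can be scripted so you do not have to eyeball the Digital Signatures tab. This is an added example, not code from the article or from any of the cited reports; the installer path and the list of expected certificate authorities are placeholders you would adjust.

```powershell
# Added example: inspect an installer's Authenticode signature and flag the
# warning signs the article describes (unsigned, self-signed, untrusted chain,
# unexpected root CA). The path and CA list below are placeholders.
$expectedRootCAs = @('DigiCert', 'Sectigo', 'GlobalSign')   # CAs named in the article; extend as needed

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = 'file is not signed' }
    }

    $cert = $sig.SignerCertificate
    # Build the chain so we see the root CA, not only the leaf name the dialog shows.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $reasons = @()
    if ($sig.Status -ne 'Valid') { $reasons += "signature status is $($sig.Status): $($sig.StatusMessage)" }
    if (-not $chainOk)            { $reasons += 'certificate chain does not build to a trusted root' }
    if ($cert.Subject -eq $cert.Issuer) { $reasons += 'signing certificate is self-signed' }
    if (-not ($expectedRootCAs | Where-Object { $root.Subject -like "*$_*" })) {
        $reasons += "root CA is not one of the expected issuers: $($root.Subject)"
    }
    # An expired signing cert is acceptable only if the signature was timestamped.
    if ($cert.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
        $reasons += 'signing certificate has expired and the signature is not timestamped'
    }

    [pscustomobject]@{
        Path    = $Path
        Signer  = $cert.Subject
        Issuer  = $cert.Issuer
        RootCA  = $root.Subject
        Verdict = if ($reasons.Count -eq 0) { 'OK' } else { 'REJECT' }
        Reason  = ($reasons -join '; ')
    }
}

# Placeholder path: point this at the installer you downloaded.
Test-InstallerSignature -Path 'C:\Users\you\Downloads\installer.exe' | Format-List
```

A verdict of OK only means the signature chains to a root you expect; it does not prove the publisher's key was never stolen, so the sourcing and behavioral checks in the rest of this article still apply.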

Use antivirus with behavioral detection

Traditional signature-based antivirus may not catch a signed malicious file immediately. Look for security software that includes behavioral analysis—tools that monitor what an app does after installation, such as unusual network connections, file modifications, or attempts to access sensitive data. Many mainstream suites (Windows Defender, Bitdefender, Kaspersky) include this now, but make sure the feature is enabled.

Watch for unusual behavior

After installing any new app, especially one that seems too good to be true, watch for:

  • Unexplained high CPU or disk usage
  • New browser extensions you didn’t install
  • Saved passwords suddenly going missing or being changed
  • Strange network traffic (you can use a simple tool like GlassWire to monitor)
  • Pop-ups or alerts from an unknown program

If you notice any of these, assume the app is compromised. Disconnect from the internet immediately and run a full scan with an updated antivirus. For severe cases, consider backing up only essential documents to an external drive (after scanning them) and doing a clean reinstall of the operating system.

Long-term best practices

  • Keep your operating system and software updated to close vulnerabilities that malware could exploit.
  • Use a password manager and enable two-factor authentication wherever possible, so stolen passwords are less useful.
  • Regularly review installed apps and remove anything you no longer use or trust.
  • If you must use a cracked app for some reason (not recommended), run it in a virtual machine or an isolated environment with no access to personal data.

No single measure is perfect, but combining careful sourcing, signature verification, and behavioral monitoring makes it much harder for TamperedChef to succeed.

Sources

  • CyberSecurityNews – “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs” (May 21, 2026)
  • Various security vendor reports on signed malware campaigns (details anonymized due to ongoing investigation)