TamperedChef Malware: How Signed Productivity Apps Are Being Used to Spread Stealers and RATs

Intro

Recent reports describe a malware campaign called TamperedChef that delivers stealers and remote access trojans (RATs) by bundling them with seemingly legitimate productivity applications. What makes this campaign notable is that the malicious executables carry valid digital signatures—something that can trick both users and some security tools into assuming the software is safe.

If you regularly download productivity software for work or personal use, the technique is worth understanding not because it is new (attackers have signed malware with stolen or fraudulently obtained code-signing certificates for years) but because it appears to be gaining traction. In the past few weeks alone, similar attacks have been observed using fake Microsoft Teams downloads to deliver ValleyRAT malware. The common thread is that attackers are exploiting the trust users place in signed code.

What happened

According to researchers, TamperedChef malware is distributed through fake download sites and compromised update mechanisms. It is packaged inside installers that appear to be well-known productivity apps: team collaboration tools, note-taking software, or office suites. The executables carry digital signatures that validate correctly. In some cases the signing certificates (and their private keys) may have been stolen or purchased on underground markets; in others, attackers may have obtained code-signing certificates in the name of shell companies whose names resemble legitimate developers, so the certificate is genuine even though the publisher is not the one the victim expects.

Once installed, the malware drops a stealer (designed to harvest credentials, cookies, and other sensitive data) and a RAT that gives attackers persistent remote access. Because the signed binary can pass initial checks by some antivirus engines, the infection may go unnoticed until the damage is done.

A parallel campaign involved fake download pages for Microsoft Teams. Victims searching for the latest version of Teams were redirected to sites that offered a signed installer, but the installer contained ValleyRAT—a trojan known for logging keystrokes and exfiltrating files.

Why it matters

The use of signed malware is significant because many users, and some IT security policies, treat a valid digital signature as proof that software is safe. A valid signature proves two narrower things: the file has not been modified since it was signed, and the signing certificate chains to a root the operating system trusts. It says nothing about whether the named publisher is the one you meant to download from, or whether the private key that signed it is still in its owner's hands. Standard antivirus tools often give signed executables lower suspicion on the assumption that the certificate authority has vetted the publisher, and a CA's identity check is exactly what a shell company can pass. Attackers are capitalising on that blind spot.

This is not the first time signed malware has been used, but the scale and targeting of productivity apps make it particularly dangerous. Many people download these tools daily, often from search results that include sponsored or malicious adverts. If the file appears signed and the app name is familiar, the natural tendency is to trust it and proceed.

The technique also makes it harder for endpoint detection tools to flag the file from static analysis alone. The signature covers only the installer itself; the malicious payload may be packed inside it or fetched later, and it executes only after the signed installer has run. By that point the attacker already has a foothold.

What readers can do

You don’t need to be a security expert to reduce your risk. Here are practical steps:

Only download from official sources. This is the simplest and most effective measure. Use the developer's own website or a trusted app store (Microsoft Store, Mac App Store, or the official GitHub repository for open-source projects), and type the vendor's address yourself rather than clicking a search result: sponsored results are how the fake Teams pages were put in front of victims. Avoid third-party download aggregators and search ads that may promote fake sites.

Verify the digital signature before installation, and check who signed it, not just that it is signed. On Windows, right-click the installer, go to Properties, then Digital Signatures, select the entry and click Details. Confirm the dialog reports the signature as OK, then compare the signer name with the publisher you expect: a Teams installer should be signed by Microsoft Corporation, not by an unfamiliar company with a similar-sounding name. Also check that the signature carries a timestamp. The name of the issuing certificate authority is less useful on its own; reputable CAs issue code-signing certificates to the shell companies these campaigns use, so a recognisable issuer does not make the signer trustworthy. On macOS, run codesign -dvv /path/to/app in Terminal and read the Authority= lines: the first should be "Developer ID Application: <vendor> (<Team ID>)", with the vendor name and Team ID matching the developer's published details, and spctl --assess --type execute -vv /path/to/app additionally reports whether Gatekeeper accepts the app and whether it is notarized.
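The Windows check above, and the point made under "Why it matters" that a valid signature is not the same as the right signer, written as a PowerShell function. This is an added example, not code from the TamperedChef or ValleyRAT reports or from any product named on the page; the installer path, the expected signer name in the usage line and the 30-day certificate-age threshold are assumptions for illustration.

```powershell
# Added example: verify an installer's Authenticode signature and confirm the
# signer is the publisher you expected. Not code from the reports; the path,
# expected signer and age threshold below are assumed values.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Common Name you expect on the signing certificate (the vendor's legal name).
        [Parameter(Mandatory)] [string] $ExpectedSigner,
        # Extra heuristic (threshold is an assumption): a certificate issued days ago
        # to a name you expected to be long established deserves a second look.
        [int] $MinCertAgeDays = 30
    )

    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $findings = [System.Collections.Generic.List[string]]::new()
    $cert     = $sig.SignerCertificate
    $signer   = $null
    $issuer   = $null
    $thumb    = $null

    # Status 'Valid' means the hash still matches and the chain ends in a root
    # this machine trusts. It does not mean the signer is who you wanted.
    # Other values: NotSigned, HashMismatch (modified after signing), NotTrusted.
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }

    if ($null -ne $cert) {
        $signer = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $issuer = $cert.Issuer
        $thumb  = $cert.Thumbprint

        # The TamperedChef case: a genuine certificate on the wrong company.
        if ($signer -ne $ExpectedSigner) {
            $findings.Add("signer is '$signer', expected '$ExpectedSigner'")
        }

        if ($cert.NotBefore -gt (Get-Date).AddDays(-$MinCertAgeDays)) {
            $issued = $cert.NotBefore.ToString('yyyy-MM-dd')
            $findings.Add("signing certificate issued $issued, less than $MinCertAgeDays days ago")
        }
    }

    # Without a countersignature timestamp the signature stops validating when
    # the certificate expires, and there is no evidence of when it was signed.
    if ($null -eq $sig.TimeStamperCertificate) {
        $findings.Add('no timestamp countersignature')
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $signer
        Issuer      = $issuer
        Thumbprint  = $thumb
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        Verdict     = if ($findings.Count -eq 0) { 'OK' } else { 'SUSPICIOUS' }
        Findings    = $findings
    }
}

# Usage (path and publisher are assumed values for illustration):
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\TeamsSetup.exe" `
                        -ExpectedSigner 'Microsoft Corporation' | Format-List
```

The Windows dialog and Get-AuthenticodeSignature both stop at "is the signature valid"; the comparison of the signer against the publisher you intended to download from is the step this campaign relies on people skipping, so the function reports SUSPICIOUS for a perfectly valid signature from the wrong name. The function works for .exe and .msi installers; it does not cover MSIX packages, which carry their signature differently.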

Treat unexpected update prompts with suspicion. If an app you already have suddenly asks you to download an update from a pop-up window that opens a browser to an unfamiliar URL, close it and update manually via the app’s built-in updater or the official store.

Use security software that monitors behaviour, not just signatures. Many AV products include behavioural analysis that flags a signed executable if it starts modifying system files, injecting code into other processes, or making unusual network connections; a signature does not exempt a running process from that. On Windows, make sure Microsoft Defender's cloud-delivered protection and tamper protection are on: the first lets Defender block a file on reputation and behaviour before a signature exists for it, the second stops malware (or the installer it rode in on) from switching protection off.
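A way to check the Defender settings the previous paragraph names, and to apply the ones PowerShell can change, as an added example (not code from the reports or from Microsoft). The "hardened" target values are a baseline assumption, not vendor-mandated settings; it needs an elevated PowerShell on Windows 10 or 11.

```powershell
# Added example: report Microsoft Defender's cloud and behaviour protection
# posture against an assumed baseline, then apply the settings PowerShell can
# set. Not code from the reports. Run elevated on Windows 10/11.

function Get-DefenderPosture {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Baseline targets are an assumption for this example.
    $weak = [System.Collections.Generic.List[string]]::new()
    if (-not $status.RealTimeProtectionEnabled) { $weak.Add('real-time protection is off') }
    if (-not $status.BehaviorMonitorEnabled)    { $weak.Add('behaviour monitoring is off') }
    if (-not $status.IsTamperProtected)         { $weak.Add('tamper protection is off') }
    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
    if ($pref.MAPSReporting -ne 2) { $weak.Add("cloud-delivered protection level is $($pref.MAPSReporting), want 2") }
    # SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples
    if ($pref.SubmitSamplesConsent -eq 2) { $weak.Add('sample submission is NeverSend') }
    # CloudBlockLevel: 0 = Default, 1 = Moderate, 2 = High, 4 = HighPlus, 6 = ZeroTolerance
    if ($pref.CloudBlockLevel -lt 2) { $weak.Add("cloud block level is $($pref.CloudBlockLevel), want 2 or higher") }
    # CloudExtendedTimeout: extra seconds (0-50) Defender may hold a file for a cloud verdict
    if ($pref.CloudExtendedTimeout -lt 50) { $weak.Add("cloud timeout is $($pref.CloudExtendedTimeout)s, want 50") }

    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviourMonitor   = $status.BehaviorMonitorEnabled
        TamperProtected    = $status.IsTamperProtected
        CloudReporting     = $pref.MAPSReporting
        SampleSubmission   = $pref.SubmitSamplesConsent
        CloudBlockLevel    = $pref.CloudBlockLevel
        CloudTimeout       = $pref.CloudExtendedTimeout
        SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
        Weak               = $weak
    }
}

function Enable-DefenderCloudProtection {
    # With tamper protection on, changes to protected settings made this way are
    # refused or ignored; that is tamper protection doing its job, and the change
    # has to come through Windows Security or your MDM instead.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    Set-MpPreference -CloudBlockLevel High
    Set-MpPreference -CloudExtendedTimeout 50
    Set-MpPreference -DisableBehaviorMonitoring $false
    # Tamper protection itself has no Set-MpPreference switch: turn it on in
    # Windows Security > Virus & threat protection settings, or via Intune.
}

Get-DefenderPosture | Format-List
```

Run Get-DefenderPosture first; if the Weak list is empty there is nothing to change. If it reports tamper protection off, fix that in the Windows Security app rather than by script, since the whole point of the setting is that a script (including a malicious one) cannot flip it.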

Keep everything updated. This includes your operating system, browser, and all installed software. Current versions remove the known vulnerabilities a stealer or RAT can use to escalate privileges or spread once it is on the machine, and an app with a working built-in updater gives you less reason to go looking for a download on the web in the first place.

Enable two-factor authentication on your critical accounts. A stealer can grab your passwords, but if you use 2FA (preferably an authenticator app or a hardware key rather than SMS), the stolen passwords alone will not log the attacker in. Be aware of the limit: stealers also take browser cookies and session tokens, and an active session cookie gets an attacker into an account without either the password or the second factor.

What to do if you suspect an infection

If you think you have installed a signed app from an untrusted source, disconnect the machine from the network and run a full scan with an up-to-date antivirus tool. Microsoft Defender Offline (Windows Security > Virus & threat protection > Scan options > Microsoft Defender Offline scan) or a bootable rescue disk from a reputable vendor scans from outside the installed operating system and can catch malware that hides from a running one, including boot-sector infections. Then change the passwords for any accounts you used from that machine, starting with the critical ones from a different, known-clean device; do not type new passwords into the suspect machine until you are reasonably sure it is clean.

If the browser or password manager on that machine held saved passwords, treat every one of those accounts as compromised and rotate them immediately. Rotating the password is not enough on its own: a stealer also harvests session cookies, so use each service's "sign out of all sessions" or "revoke sessions" option so the stolen cookies stop working.

Sources

  • CyberSecurityNews – “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs” (May 21, 2026)
  • CyberSecurityNews – “Hackers Use Fake Microsoft Teams Downloads to Deploy ValleyRAT Malware” (May 21, 2026)

These reports detail the specific campaigns and the technical indicators to watch for. The underlying advice about verifying signatures and downloading from official sources is consistent with long-standing guidance from Microsoft and Apple.