Think Signed Apps Are Safe? This New Malware Hides Inside Them

A fresh wave of malware is making its rounds by masquerading as legitimate productivity software. Dubbed “TamperedChef” by researchers, the campaign uses signed installers for apps like Microsoft Teams and Zoom to deliver password stealers and remote access trojans (RATs). If you’re someone who regularly downloads collaboration tools from a quick Google search or a shared link, this is worth understanding — because even a digitally signed application can be dangerous.

What Happened

According to reporting from CyberSecurityNews, the TamperedChef campaign was observed in late May 2026. Attackers distributed fake installers for widely used productivity apps — primarily Microsoft Teams, Outlook, and Zoom — that carried valid digital signatures. These signatures came from stolen or misused code-signing certificates, meaning the malware passed standard checks that many users and even some security tools rely on.

Once installed, the payloads included information stealers (capable of harvesting browser passwords, cookies, and emails) and RATs that gave attackers remote control over the victim’s machine. The campaign appears to have targeted both individuals and organizations, likely through phishing emails or fake download pages that mimicked official vendor sites.

Why It Matters

Code signing has long been considered a strong indicator that software is legitimate and hasn’t been tampered with. A valid signature from a trusted publisher means the code hasn’t been altered since it was signed, provided the certificate itself is legitimate and not misused. TamperedChef exploits exactly that trust. By obtaining or stealing valid certificates, attackers can bypass many email filters, browser warnings, and even some antimalware engines that treat signed binaries as trustworthy.

This isn’t a theoretical risk. Stolen or fraudulently obtained certificates have been used in past high-profile campaigns, such as those involving signed kernel drivers or signed Adobe Flash installers. The core takeaway: a valid digital signature does not guarantee the software is safe. It only tells you the file was signed by whoever holds that certificate, and certificates can be stolen, misused, or issued to companies that don’t exist anymore.

What You Can Do

You don’t need to become a forensic analyst to stay safe, but a few habits can reduce the risk of running signed malware.

1. Download only from the official source.
Always go directly to the vendor’s website (e.g., microsoft.com for Teams, zoom.us for Zoom). Avoid third-party download sites, links in unsolicited emails, or search results that look slightly off. Look for the correct URL, not a lookalike domain.

2. Verify the publisher before running an installer.
Before double-clicking, right-click the file, choose Properties, and click the Digital Signatures tab. Check that the name of the signer matches the expected company (e.g., “Microsoft Corporation” for Teams). If the certificate says something generic or unfamiliar, do not run the file.

3. Be skeptical of unexpected downloads.
If you receive a message telling you to update Teams or install a meeting plugin out of the blue, pause. Contact the person who sent it via a separate channel to verify.

4. Use antivirus and keep it updated.
While TamperedChef might evade some scanners, modern endpoint protection can detect malicious behavior. Make sure your security software is active and up to date.

5. Enable Controlled Folder Access or similar features.
On Windows, you can limit which apps can modify certain folders (like Documents). This won’t stop installation, but it can slow down data exfiltration.

6. Report suspicious files.
If you think you’ve come across a signed malware sample, submit it to your antivirus vendor and notify the software company whose certificate is being abused.
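
The publisher check from step 2 can also be scripted. The following PowerShell is an added example, not taken from the cited reports; the function name `Test-InstallerPublisher`, the sample path, and the expected publisher string are assumptions you supply.

```powershell
# Added example: compare an installer's Authenticode signer with the publisher you expect.
# A "Valid" status alone is not enough; the signer name must also be the one you expect.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Exact common name expected on the signing certificate (supplied by you).
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Read the certificate's simple name (normally the CN) instead of substring-matching
    # the whole subject, so a lookalike such as "Microsoft Corporation Updates Ltd" fails.
    $signer = $null
    if ($cert) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $cert.GetNameInfo($nameType, $false)
    }

    [pscustomobject]@{
        File             = $Path
        SignatureStatus  = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer           = $signer
        Thumbprint       = if ($cert) { $cert.Thumbprint } else { $null }
        ValidUntil       = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped      = [bool]$sig.TimeStamperCertificate
        # -ceq is a case-sensitive exact comparison.
        PublisherMatches = ($sig.Status -eq 'Valid') -and ($signer -ceq $ExpectedPublisher)
    }
}

# Usage (constructed path; replace with the file you downloaded):
# Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\TeamsSetup.exe" `
#     -ExpectedPublisher 'Microsoft Corporation'
```

Treat `PublisherMatches = False` as a reason not to run the file. A match still only shows who holds the certificate, so record the thumbprint in case the vendor later reports that certificate as abused.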

Sources

  • “TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs” — CyberSecurityNews (May 21, 2026)
  • “Hackers Use Fake Microsoft Teams Downloads to Deploy ValleyRAT Malware” — CyberSecurityNews (May 21, 2026)

These reports are based on research by security analysts. The exact scale of the campaign and the full list of compromised certificates are still being investigated. As always, caution is your best defense.