This New Malware Hides in Signed Productivity Apps – Here’s How to Stay Safe

If you’ve ever downloaded a free copy of Notepad++, 7-Zip, or a PDF reader from a random download site, you’re not alone. These tools are essential, and many people grab the first link they see in search results. But a recent malware campaign called TamperedChef is exploiting that habit by using valid digital signatures to make malicious installers look completely trustworthy.

Here’s what you need to know about this threat, and more importantly, how to avoid becoming a victim.

What Happened: Signed Malware That Bypasses Security

Cybersecurity researchers recently identified a campaign where attackers obtained legitimate code-signing certificates—either stolen or misused—and used them to sign malware. The malware, dubbed TamperedChef, is delivered through fake versions of popular productivity applications. Because the files carry a valid digital signature, Windows Defender and many antivirus programs treat them as safe, allowing the malware to install without triggering alerts.

Once installed, TamperedChef acts as a loader, dropping credential stealers and remote access trojans (RATs) onto the victim’s machine. That means attackers can steal saved passwords, browser cookies, and other sensitive data, and even take remote control of the computer.

The campaign primarily spreads through search engine ads and third-party download sites. A user searching for “7-Zip free download” might click a sponsored link that leads to a site offering a seemingly legitimate installer. The file is digitally signed, so Windows shows no warning, and the user proceeds with installation.

Why It Matters for Everyday Users

Most people assume that if a program is digitally signed, it’s safe. That’s generally true—but only when the signature is issued to the actual software publisher and hasn’t been compromised. In the TamperedChef case, the signatures belong to legitimate developers whose certificates were either stolen or repurposed without authorization.

This is a dangerous evolution in malware tactics. It undermines one of the primary trust signals that consumers rely on. Even security software that checks for signed binaries can be fooled if the signature is valid and hasn’t been revoked.

The apps being impersonated are not exotic. Notepad++, 7-Zip, PDF readers, and other widely used free utilities are common targets. That means the risk is broad: anyone who has downloaded a free tool in the past few months could potentially have encountered a malicious version.

What You Can Do: Practical Steps to Protect Yourself

You don’t need to be a cybersecurity expert to stay safe from this type of threat. A few straightforward habits can make a significant difference.

Always download from the official source. This is the single most effective measure. Instead of searching for “Notepad++ download,” type the official website directly into your browser. For example, Notepad++ is available at notepad-plus-plus.org, 7-Zip at 7-zip.org. Bookmark these sites. Avoid third-party download portals like Download.com, Softonic, or random file hosting sites.

Check the digital signature before installing. After downloading, right-click the installer file, select Properties, then go to the Digital Signatures tab. Look at the signer name. It should match the actual publisher (e.g., “Notepad++” or “Igor Pavlov” for 7-Zip). If the signer is an unfamiliar company or a generic name, don’t run the file. You can also click Details and check the certificate’s validity status. A warning that the certificate is not trusted or has been revoked is a red flag.

Pay attention to the file size and behavior. Signed malware often results in installer files that are significantly larger than the real ones because they carry extra payload. If an installer for a small utility is 100 MB or more, be suspicious. Also, if the installer requests unusual permissions (like accessing your contacts or reading browser data), cancel the installation.

Use app reputation features. Some antivirus products, including Microsoft Defender, offer cloud-delivered protection that checks file reputation even if the file is signed. Ensure this feature is enabled. In Windows, go to Virus & threat protection settings and turn on “Cloud-delivered protection” and “Automatic sample submission.”

Enable certificate revocation checks. Make sure your system checks for revoked certificates. In Windows, this is typically on by default, but you can verify: open Internet Options, go to the Advanced tab, and under Security, ensure “Check for server certificate revocation” is checked.
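The signature, revocation, file-size and Defender checks described above can be done from PowerShell instead of clicking through the Properties dialog. The script below is an added example written for this article; it is not code from the article, from Notepad++, 7-Zip or Microsoft. The function names, the file path, the expected publisher strings and the expected SHA-256 hash are placeholders you replace with values taken from the vendor's own website. It calls only built-in cmdlets (Get-AuthenticodeSignature, Get-FileHash, Get-MpPreference) and the .NET X509Chain class, and it does an explicit online revocation lookup of the code-signing chain rather than relying on the browser setting mentioned above.

```powershell
# Added example (not from the original article). Verifies a downloaded installer:
# signature validity, signer identity, revocation of the signing chain, a published hash,
# and file size. All expected values below are hypothetical placeholders.

function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Fragment of the expected signer subject, e.g. 'CN=Notepad++' or 'CN=Igor Pavlov' (7-Zip)
        [Parameter(Mandatory)] [string] $ExpectedSubject,
        # SHA-256 published on the vendor's official site (optional)
        [string] $ExpectedSha256,
        # Size above which a small utility's installer is suspicious (the article's 100 MB figure)
        [long] $MaxBytes = 100MB
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Authenticode signature must be present and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems.Add("Signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }

    # 2. Signer identity: a valid signature from the wrong publisher is exactly the TamperedChef case.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($subject -notlike "*$ExpectedSubject*") {
        $problems.Add("Signer '$subject' does not match expected '$ExpectedSubject'")
    }

    # 3. Explicit online revocation check of the signing certificate's whole chain.
    #    Get-AuthenticodeSignature alone does not guarantee a live CRL/OCSP lookup.
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        if (-not $chain.Build($sig.SignerCertificate)) {
            foreach ($s in $chain.ChainStatus) {
                $problems.Add("Chain problem: $($s.Status) - $($s.StatusInformation.Trim())")
            }
        }
    }

    # 4. Hash pinning against the value published on the vendor's official page.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            $problems.Add("SHA-256 $actual does not match the published $ExpectedSha256")
        }
    }

    # 5. Size sanity check: an installer padded with a loader and its payloads is often far larger.
    $size = (Get-Item -LiteralPath $Path).Length
    if ($size -gt $MaxBytes) {
        $problems.Add("File is $([math]::Round($size / 1MB)) MB, above the $([math]::Round($MaxBytes / 1MB)) MB threshold")
    }

    [pscustomobject]@{
        Path     = $Path
        Signer   = $subject
        Status   = $sig.Status
        Safe     = ($problems.Count -eq 0)
        Problems = $problems
    }
}

function Get-DefenderCloudProtection {
    # Reads the two Defender settings the article tells you to enable.
    # MAPSReporting: 0 = off, 1 = basic, 2 = advanced.
    # SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all.
    $p = Get-MpPreference
    [pscustomobject]@{
        CloudDeliveredProtection  = ($p.MAPSReporting -ne 0)
        AutomaticSampleSubmission = ($p.SubmitSamplesConsent -in 1, 3)
    }
}

# Usage (hypothetical path and hash; take the real hash from the vendor's site):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\7z-x64.exe" -ExpectedSubject 'CN=Igor Pavlov' `
#     -ExpectedSha256 '<sha256 from 7-zip.org>'
# Get-DefenderCloudProtection
```

Treat any non-empty Problems list as a reason not to run the file. The signer-name test is the one that catches the case this article is about: a file can have Status "Valid" and still be signed by a certificate that belongs to someone other than the real publisher.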

If You Think You’ve Installed Malware

If you suspect you’ve run a malicious installer, act quickly. Run a full scan with updated antivirus software. If you have a second-opinion scanner like Malwarebytes, use that as well. Change passwords for any accounts you accessed on that computer, especially email and financial accounts. Enable two-factor authentication (2FA) on every service that offers it. For high-value accounts, consider using a password manager to generate and store strong, unique passwords.

If you continue to see strange behavior—unexpected pop-ups, slow performance, or unknown programs running—consider backing up important files and performing a clean reinstall of Windows. That’s the most thorough way to remove persistent malware.
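A loader that drops a RAT usually arranges to start again after a reboot, so "unknown programs running" is worth checking for directly. The script below is an added example for this article, not code from the article or from any security vendor; it lists entries in the Run/RunOnce registry keys and in scheduled tasks whose executable was created within the last N days, together with each file's signature status, so that recently added, unsigned or oddly signed autostarts stand out. The function name and the 30-day window are my own choices; using the file's creation time as a proxy for when the entry was added is a heuristic.

```powershell
# Added example (not from the original article). Lists autostart entries whose executable
# was created recently, with signature status, to help spot a freshly installed loader.

function Get-RecentPersistence {
    param([int] $Days = 30)   # look-back window, an arbitrary default
    $since = (Get-Date).AddDays(-$Days)
    $hits  = New-Object System.Collections.Generic.List[object]

    # Resolve a command line to its executable path and record it if the file is new.
    function Add-IfRecent([string] $Source, [string] $Name, [string] $CommandLine) {
        if ([string]::IsNullOrWhiteSpace($CommandLine)) { return }
        $exe = if ($CommandLine -match '^"([^"]+)"') { $Matches[1] } else { ($CommandLine -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ([string]::IsNullOrWhiteSpace($exe)) { return }
        $item = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
        if (-not $item -or $item.CreationTime -lt $since) { return }
        $sig = Get-AuthenticodeSignature -FilePath $item.FullName
        $hits.Add([pscustomobject]@{
            Source          = $Source
            Name            = $Name
            Path            = $item.FullName
            Created         = $item.CreationTime
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
        })
    }

    # Run / RunOnce keys for the machine and the current user.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc. properties
            Add-IfRecent -Source $key -Name $prop.Name -CommandLine ([string]$prop.Value)
        }
    }

    # Scheduled tasks: one row per action whose binary is new.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            Add-IfRecent -Source "Task $($task.TaskPath)$($task.TaskName)" -Name $task.TaskName -CommandLine $action.Execute
        }
    }

    $hits | Sort-Object Created -Descending
}

# Usage: run in an elevated PowerShell so HKLM and all tasks are readable.
# Get-RecentPersistence -Days 30 | Format-Table Created, SignatureStatus, Signer, Path -AutoSize
```

An entry with SignatureStatus NotSigned, or a signer you do not recognise, created around the time you ran the suspect installer, is the kind of finding that should push you toward the clean reinstall described above rather than just deleting the one file.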

Staying Ahead of the Game

The TamperedChef campaign is a reminder that no single security measure is foolproof. Stolen code-signing certificates are a growing problem, and while they are not yet widespread, incidents like this will likely become more common. The best defense is a combination of cautious downloading habits, signature verification, and layered security software.

Keep your operating system and antivirus up to date. Pay attention to security news about certificate revocations. And remember: the safest download is always the one you get directly from the developer.


Sources: CyberSecurityNews report on TamperedChef; industry analysis of signed malware campaigns; Microsoft documentation on digital signatures and certificate revocation.