New TamperedChef Malware Hides in Signed Productivity Apps – What to Watch For

You’ve probably been told that a digital signature on a download is a sign it’s safe. It’s common advice: only install software that’s signed by a trusted publisher. But a recently discovered malware campaign called TamperedChef shows that even signed apps can be dangerous.

Here’s what’s happening, which apps are affected, and how you can avoid getting infected.

What Happened

In May 2026, cybersecurity researchers reported a new malware campaign that repackages legitimate productivity applications – such as Notepad++, 7-Zip, and various PDF editors – with malware inside. The attackers then sign these tampered installers using stolen or fraudulently obtained digital certificates. To a user or even an antivirus program, the installer looks authentic: the signature is valid, the app name appears correct, and the publisher field shows a company you might recognise.

Once installed, the malware delivers information stealers and remote access trojans (RATs). That means an attacker could steal saved passwords, browser cookies, files, and in some cases take remote control of your computer. The campaign has been named TamperedChef by researchers tracking it.

Why It Matters

Most people rely on visual cues when deciding whether software is trustworthy. A signed installer is one of the strongest cues. But if attackers can obtain a valid certificate – either by stealing one from a legitimate developer or by buying one from a shady reseller – they can bypass that trust. This isn’t a theoretical risk: the TamperedChef campaign proves it’s happening now.

The apps targeted are popular, free, and widely used. Notepad++ for text editing, 7-Zip for file compression, and common PDF tools are downloaded millions of times. If you’ve recently grabbed one of these from anywhere other than the official publisher’s homepage, such as a third‑party download portal, you could have been exposed.

What You Can Do Right Now

You don’t need to panic, but you should take a few practical steps.

1. Check the digital signature yourself.
Before running any installer, right‑click the file, select Properties, then go to the Digital Signatures tab. Look at the “Signer” name. For Notepad++, the signer should be “Notepad++” or its developer. For 7‑Zip, it should be “Igor Pavlov”. If the signer is a generic name or a company you don’t recognise, do not run the installer. Also, click “Details” and verify that the certificate is current and issued by a known certificate authority (such as DigiCert or Sectigo). A warning that the certificate has been revoked is a red flag.

2. Download only from official sources.
Even though TamperedChef uses signed installers, the safest approach is to get software directly from the developer’s official website. Bookmark those URLs. Avoid “download” aggregators, mirror sites, or links in emails and ads. Official sites are less likely to host tampered files because the developers control those downloads.

3. Keep antivirus and operating system updated.
No security software is perfect, but modern antivirus tools can detect malware even when the installer is signed. Update your antivirus definitions frequently and run a full scan at least once a week. If you use Windows, make sure Windows Defender is enabled and up to date.

4. Watch for unusual behaviour after installation.
After installing any new software, pay attention to slow performance, unexpected pop‑ups, unknown processes in Task Manager, or excessive network activity. If something feels off, disconnect from the internet and run a malware scan with a second‑opinion tool like Malwarebytes or HitmanPro.

5. If you suspect infection, act quickly.
Remove the suspected software via Control Panel (or Settings > Apps). Run a full antivirus scan. Change passwords for your important accounts (email, banking, social media) from a clean device. Enable two‑factor authentication wherever possible. If you used the same password on multiple sites, change all of them.
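
The signature check from step 1 can also be scripted. The PowerShell below is an added example, not part of the original article or the researchers' tooling: it reads the installer's Authenticode signature, compares the signer with the name you expect, and rebuilds the certificate chain with online revocation checking. The script file name and the installer file name in the usage comment are constructed placeholders.

```powershell
# Added example (not from the original article): scripted form of the step 1 check.
# Usage (file names are placeholders):
#   .\Test-InstallerSignature.ps1 -Path .\installer.exe -ExpectedSigner 'Notepad++'
param(
    [Parameter(Mandatory)] [string] $Path,           # installer to inspect
    [Parameter(Mandatory)] [string] $ExpectedSigner  # signer name you expect, as in step 1
)
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$sig      = Get-AuthenticodeSignature -FilePath $Path
$cert     = $sig.SignerCertificate
$signer   = $null
$issuer   = $null
$problems = [System.Collections.Generic.List[string]]::new()

# 'Valid' means the file hash matches the signature and the chain reaches a trusted root.
if ($sig.Status -ne 'Valid') {
    $problems.Add("Signature status is '$($sig.Status)': $($sig.StatusMessage)")
}

if ($null -eq $cert) {
    $problems.Add('No signer certificate present (unsigned file).')
} else {
    $signer = $cert.GetNameInfo($nameType, $false)   # subject: who signed the file
    $issuer = $cert.GetNameInfo($nameType, $true)    # issuer: which CA issued the certificate
    if ($signer -ne $ExpectedSigner) {
        $problems.Add("Signer is '$signer', expected '$ExpectedSigner'")
    }
    # Rebuild the chain with online revocation checking. An expired certificate is
    # reported as NotTimeValid and a revoked one as Revoked. If the revocation server
    # cannot be reached, that is reported too, so the result errs on the side of caution.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) { $problems.Add("Chain: $($s.Status)") }
    }
}

[pscustomobject]@{
    File      = $Path
    Signer    = $signer
    Issuer    = $issuer
    NotBefore = if ($cert) { $cert.NotBefore }
    NotAfter  = if ($cert) { $cert.NotAfter }
    Problems  = $problems
    Verdict   = if ($problems.Count) { 'DO NOT RUN' } else { 'Signature checks passed' }
}
```

A passing result only confirms the cues described in step 1. As the TamperedChef campaign shows, an installer signed with a stolen certificate can still pass, so the remaining steps still apply.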

Sources

  • Cybersecurity researchers reported the TamperedChef campaign in May 2026. (Details available in security news outlets covering the initial disclosure.)
  • The malware is known to include information stealers and remote access trojans, as documented in technical analyses published by threat intelligence firms.
  • App signatures were verified as valid at the time of installation, according to researchers, indicating stolen certificates were involved.

Stay cautious. Even a signed app isn’t a guarantee of safety anymore.