Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Disrupts Malware-Signing Service Used by Ransomware Gangs

Brightly-lit server rack in a cybersecurity operations center against a mid-tone background.

"Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations," Microsoft reported — a succinct tally that underpins a broader, industrial-scale scheme to buy trust and sell it back to cybercriminals.

Fox Tempest’s scale and approach

Microsoft Threat Intelligence says the financially motivated operator tracked as Fox Tempest created more than 1,000 code-signing certificates and established hundreds of Azure tenants and subscriptions to support a malware-signing-as-a-service (MSaaS). The operation generated "millions of dollars in profits," according to Microsoft, and was capable of managing infrastructure, customer relations, and financial transactions at scale.

Abusing Azure Artifact Signing (formerly Trusted Signing)

The service abused was Azure Artifact Signing — launched by Microsoft in 2024 and previously known as Trusted Signing — a cloud-based offering that lets developers have their programs signed by Microsoft. Microsoft says Fox Tempest used the platform to produce short-lived certificates, typically valid for 72 hours, that allowed malicious binaries to appear as legitimate software to users and to the Windows operating system.

How the malware-signing platform operated

Microsoft describes a commercialized workflow: customers uploaded malicious files to a service operating under the signspace[.]cloud domain, which then returned fraudulently signed binaries using certificates controlled by Fox Tempest. Earlier this year the operation evolved to offer pre-configured virtual machines hosted through Cloudzy infrastructure; cybercriminal customers placed malware on those VMs and received signed binaries in return.

Promotion and pricing were part of the operation. Microsoft identified a Telegram channel named "EV Certs for Sale by SamCodeSign" that advertised access to the platform for between $5,000 and $9,000 in bitcoin. Microsoft says the operators likely used stolen identities from the United States and Canada to pass Artifact Signing identity verification requirements and obtain signing credentials.

Signed malware and linked threat campaigns

Microsoft linked the platform’s output to numerous malware and ransomware campaigns. Named malware families included Oyster, Lumma Stealer, and Vidar, and ransomware operations linked to signed artifacts included Rhysida, Akira, INC, Qilin, and BlackByte. Microsoft said threat actors such as Vanilla Tempest (identified as INC Ransomware members), Storm-0501, Storm-2561, and Storm-0249 used the signed malware in their attacks.

Microsoft’s complaint provides a concrete example of the chain of harm: "When unsuspecting victims executed the falsely named Microsoft Teams installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware." Because the malware carried a certificate from Microsoft's Artifact Signing service, "the Windows operating system initially recognized the malware as legitimate software, when it would otherwise be flagged as suspicious or blocked entirely by security controls in the Windows operating system."

Microsoft’s disruption and legal steps

In May 2026 Microsoft’s Digital Crimes Unit, with support from industry partners, disrupted Fox Tempest’s MSaaS by targeting the platform’s infrastructure and access model. Actions taken included seizing the signspace[.]cloud domain, taking hundreds of virtual machines tied to the operation offline, blocking access to infrastructure that hosted the platform, and revoking over one thousand certificates attributed to Fox Tempest.

Microsoft also unsealed a legal case in the U.S. District Court for the Southern District of New York that names Vanilla Tempest as a co-conspirator and targets the malware-signing-as-a-service scheme. Visitors to the seized signspace[.]cloud domain are now redirected to a Microsoft-operated site explaining the domain seizure and the related lawsuit.

What this means for technologists, enterprises, and end users

  • Technologists and security teams: Signed binaries can bypass some operating-system controls when the signature chain appears valid. Teams should treat unusually named installers that impersonate tools such as Microsoft Teams, AnyDesk, PuTTY, or Webex with additional skepticism, and inspect certificate details and provenance rather than relying on signature presence alone.
  • Affected enterprises and procurement leaders: Organizations should note that attackers used short-lived, 72-hour certificates to reduce detection risk and that signed malware was distributed via impersonation of legitimate software. Procurement and incident response playbooks may need explicit checks for rapid-lived certificates and anomalous publisher identities.
  • End users and IT administrators: Files that claim to be familiar applications may still be malicious if they were signed by fraudulently obtained credentials. Microsoft’s finding that stolen U.S. and Canadian identities were likely used to pass verification underscores the need for caution around unexpected installers and for centralized validation of software sources.

Microsoft’s action closed the door on one prominent service for the moment: the domain is seized, certificates revoked, and infrastructure disrupted. But the details Microsoft provided — short-lived certificates, use of stolen identities, and an active market charging thousands for access — sketch a business model that will test detection and legal remedies going forward.

Original story