Microsoft Disrupts Malware Signing Service

May 20, 2026

Microsoft has disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company's Artifact Signing service to generate fraudulent code-signing certificates used by ransomware gangs and other cybercriminals.

According to a report published by Microsoft Threat Intelligence, the threat actor tracked as Fox Tempest used the Microsoft Artifact Signing platform to obtain short-lived certificates with which malware was digitally signed, so that users and operating systems treated it as legitimately signed software.

Azure Artifact Signing Service

Azure Artifact Signing (previously Trusted Signing) is a cloud-based service launched by Microsoft in 2024 that lets developers sign their binaries with short-lived code-signing certificates issued from a Microsoft-managed certificate authority, after the developer's identity has been verified.

Microsoft says the financially motivated threat actor created more than 1,000 certificates and established hundreds of Azure tenants and subscriptions to support the operation. Microsoft has since revoked over one thousand code-signing certificates attributed to Fox Tempest.

Today, Microsoft also unsealed a legal case in the U.S. District Court for the Southern District of New York targeting the cybercrime operation.

In May 2026, Microsoft's Digital Crimes Unit (DCU), with support from industry partners, disrupted Fox Tempest's MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use.

Disruption of the Operation

Microsoft says it seized the signspace[.]cloud domain used by the service, took hundreds of virtual machines tied to the operation offline, and blocked access to infrastructure hosting the cybercrime platform.

The site now redirects visitors to a Microsoft-operated site that explains that the company seized the domain as part of a lawsuit against the malware-signing-as-a-service scheme.

Linked Malware and Ransomware Campaigns

The operation was linked to numerous malware and ransomware campaigns involving Oyster, Lumma Stealer, Vidar, as well as the Rhysida, Akira, INC, Qilin, and BlackByte ransomware operations.

Microsoft says threat actors, including Vanilla Tempest (INC Ransomware members), Storm-0501, Storm-2561, and Storm-0249, used the signed malware in their attacks.

Malware Signing Process

Microsoft says the MSaaS was operated through signspace[.]cloud and allowed cybercriminal customers to upload malicious files to be code-signed with fraudulently obtained certificates.

Threat actors then distributed the signed malware files under the names of legitimate software such as Microsoft Teams, AnyDesk, PuTTY, and Webex, with the valid signature lending the downloads credibility.

When unsuspecting victims ran what appeared to be a Microsoft Teams installer, it delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware.

Because Oyster carried a signature from a certificate issued through Microsoft's Artifact Signing service, Windows initially treated it as legitimately signed software, whereas an unsigned or invalidly signed binary would have been flagged as suspicious or blocked outright by the operating system's security controls. The lesson for defenders is that a valid Authenticode signature proves only that the signer held a certificate that chained to a trusted root at signing time; it says nothing about whether the publisher behind that certificate is who they claim to be.

Identity Verification and Certificate Issuance

Microsoft believes the operators likely used stolen identities of individuals in the United States and Canada to pass the Artifact Signing identity verification requirements and obtain signing credentials.

Once verified, the threat actors reportedly relied only on short-lived certificates valid for 72 hours, which reduced the risk that any single certificate would be detected and revoked while still in use.
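The two points above, that Windows trusts a binary on the strength of its signature and that the abused certificates lived for only 72 hours, suggest a simple triage check a defender can run over a directory of downloads. The script below is an added example written for this page; it is not code from the article, from BleepingComputer or from Microsoft. It uses the built-in Get-AuthenticodeSignature cmdlet to read each file's signer certificate and flags files whose certificate validity window is 72 hours or less, whose signature is not in a Valid state, or whose signature lacks a timestamp countersignature (a short-lived certificate without a timestamp stops verifying the moment it expires). The function name Get-SigningTriage, the Downloads path and the issuer substring 'Microsoft ID Verified' are assumptions chosen for illustration; confirm the issuer string against a known-good binary signed through Artifact Signing before using it as a filter. Note also that Artifact Signing issues short-lived certificates to legitimate customers as well, so a hit here is a reason to look closer, not a verdict.

```powershell
# Added example (not from the article or Microsoft): triage of Authenticode
# signatures, flagging binaries signed with short-lived certificates as
# described in the text above.
# ASSUMPTION: the issuer substring below is a guess at what Artifact Signing
# leaf certificates carry; verify it against a known-good signed binary.
$ShortLivedHours   = 72
$SuspectIssuerHint = 'Microsoft ID Verified'

function Get-SigningTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $sig  = Get-AuthenticodeSignature -FilePath $Path
        $cert = $sig.SignerCertificate

        # Unsigned files carry no certificate; report them and move on.
        if (-not $cert) {
            return [pscustomobject]@{
                Path = $Path; Status = $sig.Status; Subject = $null; Issuer = $null
                Thumbprint = $null; ValidHours = $null; Timestamped = $false; Flag = 'unsigned'
            }
        }

        # Lifetime of the leaf certificate, and whether an RFC 3161 / Authenticode
        # timestamp countersignature is present.
        $validHours  = ($cert.NotAfter - $cert.NotBefore).TotalHours
        $timestamped = $null -ne $sig.TimeStamperCertificate

        $flags = @()
        if ($sig.Status -ne 'Valid')                    { $flags += "status:$($sig.Status)" }
        if ($validHours -le $ShortLivedHours)           { $flags += 'short-lived-cert' }
        if ($cert.Issuer -like "*$SuspectIssuerHint*")  { $flags += 'cloud-issued' }   # assumption
        if (-not $timestamped)                          { $flags += 'no-timestamp' }

        [pscustomobject]@{
            Path        = $Path
            Status      = $sig.Status
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Thumbprint  = $cert.Thumbprint
            ValidHours  = [math]::Round($validHours, 1)
            Timestamped = $timestamped
            Flag        = if ($flags) { $flags -join ',' } else { 'ok' }
        }
    }
}

# Usage: sweep a download folder and surface anything that is not plainly 'ok'.
# Installers named after Teams, AnyDesk, PuTTY or Webex are the ones the
# campaigns above impersonated, so those names deserve particular attention.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.msi, *.dll -Recurse -File |
    Select-Object -ExpandProperty FullName |
    Get-SigningTriage |
    Where-Object { $_.Flag -ne 'ok' } |
    Sort-Object ValidHours |
    Format-Table Path, Status, ValidHours, Timestamped, Flag, Subject -AutoSize
```

The Thumbprint column is included deliberately: once Microsoft revokes a certificate, its thumbprint is the value to match against a blocklist or to pivot on in endpoint telemetry, and a file signed after revocation will typically no longer report a Valid status.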

Evolution of the Operation

Microsoft also detailed how Fox Tempest evolved its operation earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure.

Customers uploaded malware to the VM environments and received signed binaries using Fox Tempest-controlled certificates.

The malware-signing platform was promoted on a Telegram channel named 'EV Certs for Sale by SamCodeSign,' with pricing ranging from $5,000 to $9,000 in bitcoin for access to the platform.

Microsoft says the operation generated millions of dollars in profit and describes Fox Tempest as a well-resourced group capable of managing infrastructure, customer relations, and financial transactions.


Source: BleepingComputer