Microsoft has taken down a malware-signing-as-a-service (MSaaS) scheme that exploited the company’s Artifact Signing platform to produce fraudulently obtained code-signing certificates. These certificates were then used by ransomware groups and other cybercriminals to make their malicious software appear trustworthy.
A report released today by Microsoft Threat Intelligence reveals that a threat group known as Fox Tempest leveraged the Microsoft Artifact Signing service to generate short-lived certificates. These certificates enabled malware to be digitally signed, causing both users and operating systems to treat it as legitimate software.
Azure Artifact Signing (formerly called Trusted Signing) is a cloud-based tool introduced by Microsoft in 2024 that lets developers get their applications signed by Microsoft with minimal effort.
Microsoft reports that this financially driven threat actor produced over 1,000 certificates and set up hundreds of Azure tenants and subscriptions to fuel the operation. Today, Microsoft also filed a legal case in the U.S. District Court for the Southern District of New York aimed at dismantling this cybercrime network.
“Fox Tempest generated more than a thousand certificates and built hundreds of Azure tenants and subscriptions to support its activities. Microsoft has revoked over one thousand code signing certificates linked to Fox Tempest,” Microsoft stated.
“In May 2026, Microsoft’s Digital Crimes Unit (DCU), with assistance from industry partners, disrupted Fox Tempest’s MSaaS service, going after the infrastructure and access model that powers its wider criminal use.”
Microsoft says it seized the signspace[.]cloud domain used by the service, shut down hundreds of virtual machines connected to the operation, and cut off access to the infrastructure hosting the cybercrime platform.
The domain now redirects visitors to a Microsoft-run page explaining that the company took control of the domain as part of a lawsuit against the malware-signing-as-a-service operation.
The scheme was tied to multiple malware and ransomware campaigns involving Oyster, Lumma Stealer, Vidar, as well as the Rhysida, Akira, INC, Qilin, and BlackByte ransomware groups. Microsoft says threat actors including Vanilla Tempest (members of INC Ransomware), Storm-0501, Storm-2561, and Storm-0249 used the signed malware in their attacks.
Microsoft also identified the Vanilla Tempest ransomware group as a co-conspirator in the legal action, stating that the group relied on the service to spread malware and ransomware in attacks targeting organizations around the globe.
Microsoft says the MSaaS was run through signspace[.]cloud and allowed cybercriminal customers to upload malicious files for code-signing using fraudulently obtained certificates.

These signed malware files were then used by threat actors to impersonate legitimate software such as Microsoft Teams, AnyDesk, PuTTY, and Webex, giving the downloads an appearance of legitimacy.
“When unsuspecting victims ran the falsely labeled Microsoft Teams installer files, those files delivered a malicious loader, which then installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware,” Microsoft’s complaint explains.
“Because the Oyster malware was signed with a certificate from Microsoft’s Artifact Signing service, the Windows operating system initially accepted the malware as legitimate software, when it would otherwise have been flagged as suspicious or completely blocked by Windows security controls.”
Microsoft believes the operators likely used stolen identities from the United States and Canada to pass Artifact Signing’s identity verification checks and obtain the signing credentials.
When acquiring certificates, the threat actors reportedly used only short-lived certificates valid for 72 hours to minimize the chances of being detected.
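The two signals described above, a signer that does not match the product a file claims to be and a certificate lifetime of 72 hours or less, can be combined into a simple triage rule. The following is an added example, not code from Microsoft or the article; the record fields, the expected publisher names, and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

SHORT_LIVED = timedelta(hours=72)  # certificate lifetime reported in the article

# Assumed expected publishers for the impersonated products; confirm each one
# against a known-good installer before relying on it.
EXPECTED_SIGNER = {
    "microsoft teams": "Microsoft Corporation",
    "anydesk": "AnyDesk Software GmbH",
    "putty": "Simon Tatham",
    "webex": "Cisco WebEx LLC",
}

def triage(rec):
    """Return (severity, reasons) for one code-signature record."""
    reasons = []
    lifetime = (datetime.fromisoformat(rec["not_after"])
                - datetime.fromisoformat(rec["not_before"]))
    # Weak signal on its own: a short lifetime says nothing about who signed.
    if lifetime <= SHORT_LIVED:
        reasons.append("short_lived_cert")
    product = rec["product_name"].lower()
    for brand, signer in EXPECTED_SIGNER.items():
        # Strong signal: the file claims a known brand but another party signed it.
        if brand in product and rec["signer_subject"].lower() != signer.lower():
            reasons.append("publisher_mismatch")
            break
    if "publisher_mismatch" in reasons:
        severity = "high" if "short_lived_cert" in reasons else "medium"
    else:
        severity = "low" if reasons else "none"
    return severity, reasons

def record(product, signer, not_before, not_after):
    """Build a signature record as a signature-extraction step might emit it."""
    return {"product_name": product, "signer_subject": signer,
            "not_before": not_before, "not_after": not_after}

# Constructed sample records (not real files or certificates).
SAMPLES = [
    record("Microsoft Teams", "Constructed Example LLC", "2026-01-10T00:00:00", "2026-01-13T00:00:00"),
    record("Microsoft Teams", "Microsoft Corporation", "2025-06-01T00:00:00", "2026-06-01T00:00:00"),
    record("Internal Build Tool", "Constructed Dev Shop Inc", "2026-01-10T00:00:00", "2026-01-13T00:00:00"),
    record("PuTTY suite", "Constructed Example LLC", "2025-01-01T00:00:00", "2026-01-01T00:00:00"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["product_name"], "|", s["signer_subject"], "|", triage(s))
```

A valid signature only proves that some verified identity signed the file; the publisher comparison is what ties that identity to the product the file claims to be.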
BleepingComputer previously reported in March 2025 on threat actors abusing Microsoft’s Trusted Signing service to sign malware used in a Crazy Evil Traffers crypto-theft campaign [VirusTotal] and a Lumma Stealer [VirusTotal] campaign.
While those malware samples were also signed with 3-day certificates, it remains unclear whether they were signed through the Fox Tempest cybercrime platform.
Microsoft also outlined how Fox Tempest upgraded its operation earlier this year by providing customers with pre-configured virtual machines hosted on Cloudzy infrastructure. Customers uploaded malware to the VM environments and received signed binaries using certificates controlled by Fox Tempest.
The malware-signing service was advertised on a Telegram channel called “EV Certs for Sale by SamCodeSign,” with prices ranging from $5,000 to $9,000 in bitcoin for access to the platform.
Microsoft says the operation generated millions of dollars in revenue and that the group behind it is well funded and capable of managing infrastructure, customer relations, and financial transactions.




