    Cybercrime service disrupted for abusing Microsoft platform to sign malware

By admin, May 19, 2026

    Microsoft says it has disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company’s Artifact Signing service to generate fraudulent code-signing certificates used by ransomware gangs and other cybercriminals.

    According to a report published today by Microsoft Threat Intelligence, the threat actor tracked as Fox Tempest used the Microsoft Artifact Signing platform to create short-lived certificates that allowed malware to be digitally signed and trusted as legitimate software by both users and operating systems.

    Azure Artifact Signing (previously Trusted Signing) is a cloud-based service launched by Microsoft in 2024 that allows developers to easily have their programs signed by Microsoft.

    Microsoft says the financially motivated threat actor created more than 1,000 certificates and hundreds of Azure tenants and subscriptions as part of the operation. Today, Microsoft also unsealed a legal case in the U.S. District Court for the Southern District of New York targeting the cybercrime operation. 

    “Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest,” Microsoft said.

    “In May 2026, Microsoft’s Digital Crimes Unit (DCU), with support from industry partners, disrupted Fox Tempest’s MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use.”

    Microsoft says it seized the signspace[.]cloud domain used by the service, took hundreds of virtual machines tied to the operation offline, and blocked access to infrastructure hosting the cybercrime platform. 

    The site now redirects visitors to a Microsoft-operated site that explains that the company seized the domain as part of a lawsuit against the malware-signing-as-a-service scheme.

    The operation was linked to numerous malware and ransomware campaigns involving Oyster, Lumma Stealer, Vidar, as well as the Rhysida, Akira, INC, Qilin, and BlackByte ransomware operations. Microsoft says threat actors, including Vanilla Tempest (INC Ransomware members), Storm-0501, Storm-2561, and Storm-0249, used the signed malware in their attacks.

    Microsoft also named the Vanilla Tempest ransomware operation as a co-conspirator in the legal action, stating that the group used the service to distribute malware and ransomware in attacks targeting organizations worldwide. 

Microsoft says the MSaaS was operated through signspace[.]cloud and allowed cybercriminal customers to upload malicious files for code-signing using fraudulently obtained certificates.

Image: Certificate used to sign Oyster malware installers (Source: Microsoft’s complaint)

These signed malware files were then used by threat actors to impersonate legitimate software such as Microsoft Teams, AnyDesk, PuTTY, and Webex, lending the downloads an appearance of legitimacy.

“When unsuspecting victims executed the falsely named Microsoft Teams installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware,” reads Microsoft’s complaint.

    “Because the Oyster malware was signed by a certificate from Microsoft’s Artifact Signing service, the Windows operating system initially recognized the malware as legitimate software, when it would otherwise be flagged as suspicious or blocked entirely by security controls in the Windows operating system.”

    Microsoft believes the operators likely used stolen identities from the United States and Canada to pass Artifact Signing identity verification requirements and obtain the signing credentials.

    When obtaining certificates, the threat actors reportedly used only short-lived certificates valid for 72 hours to reduce the risk of detection.
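The two preceding paragraphs describe the mechanism that made this abuse work: a Windows host trusts a binary carrying a valid Artifact Signing signature, and the 72-hour certificate lifetime narrows the window in which defenders can notice it. The following PowerShell function is an added example written for this page (it is not Microsoft's code and is not taken from the complaint); it triages executables on a Windows host by reading each file's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet and reporting signers whose certificate validity window is at or below the 3-day threshold from the article. The scan path, the extension list and the function name are assumptions for illustration.

```powershell
# Added example (not from the article or from Microsoft): report signed binaries
# whose signing certificate had an unusually short validity window.
# Runs on Windows PowerShell 5.1 or PowerShell 7 on Windows.
function Find-ShortLivedSignedBinaries {
    [CmdletBinding()]
    param(
        # Directory to scan (assumption: a download or staging folder under review)
        [Parameter(Mandatory)] [string] $Path,
        # 72-hour certificate lifetime reported in the article
        [int] $MaxValidityDays = 3,
        # File types carrying Authenticode signatures that are worth checking
        [string[]] $Extensions = @('*.exe', '*.msi', '*.dll')
    )

    Get-ChildItem -Path $Path -Recurse -File -Include $Extensions | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: outside the scope of this check

        $validity = $cert.NotAfter - $cert.NotBefore
        if ($validity.TotalDays -le $MaxValidityDays) {
            [pscustomobject]@{
                File          = $_.FullName
                # Windows' current trust verdict for the signature (e.g. Valid, NotTrusted,
                # HashMismatch); a certificate revoked after signing no longer validates
                Status        = $sig.Status
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                NotBefore     = $cert.NotBefore
                NotAfter      = $cert.NotAfter
                ValidityHours = [math]::Round($validity.TotalHours, 1)
                # A countersignature timestamp keeps a legitimate signature valid past
                # NotAfter; its absence on a short-lived cert is worth a closer look
                Timestamped   = ($null -ne $sig.TimeStamperCertificate)
                Thumbprint    = $cert.Thumbprint
            }
        }
    }
}

# Usage (constructed path): list candidates, then compare Subject against the product
# the file claims to be and Thumbprint against your own allow-list.
Find-ShortLivedSignedBinaries -Path 'C:\Users\Public\Downloads' | Format-Table -AutoSize
```

A short validity window is a triage signal, not a verdict: legitimately signed software can also carry short-lived certificates, so a hit should be matched against the publisher name the binary claims (an installer named after Microsoft Teams signed by an unrelated subject is the pattern described in the complaint) and against the Status column, which reflects whether Windows still trusts the signature after Microsoft's revocations.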

    BleepingComputer previously reported in March 2025 on threat actors abusing Microsoft’s Trusted Signing service to sign malware used in a Crazy Evil Traffers crypto-theft campaign [VirusTotal] and a Lumma Stealer [VirusTotal] campaign.

While that malware was also signed with 3-day certificates, it is unclear whether it was signed through the Fox Tempest cybercrime platform.

    Microsoft also detailed how Fox Tempest evolved its operation earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Customers uploaded malware to the VM environments and received signed binaries using Fox Tempest-controlled certificates.

    The malware-signing platform was promoted on a Telegram channel named “EV Certs for Sale by SamCodeSign,” with pricing ranging from $5,000 to $9,000 in bitcoin for access to the platform.

Microsoft says the operation generated millions of dollars in profit and describes Fox Tempest as a well-resourced group capable of managing infrastructure, customer relations, and financial transactions.
