Microsoft Disrupts Malware-Signing Service Used by Ransomware Gangs

Microsoft Disrupts Malware-Signing Service Used by Ransomware Gangs

Microsoft Disrupts Malware-Signing Service Used by Ransomware Gangs

Image: FAMILY STOCK/Adobe

Microsoft disrupted Fox Tempest, a malware-signing service accused of abusing Azure certificates to disguise ransomware and malware as trusted software.

Écrit par
Ken Underhill
Ken Underhill
May 20, 2026

Microsoft says it disrupted a malware-signing service that abused Azure Artifact Signing to create fraudulent certificates used in ransomware and malware attacks.

The Fox Tempest operation allegedly helped cybercriminals distribute malware disguised as trusted software to evade Windows defenses and fool users.

“Fox Tempest doesn’t directly target victims but instead provides supporting services that enable ransomware operations by other threat actors,” Microsoft said in its advisory.

Key takeaways from the Fox Tempest operation

  • Microsoft disrupted the Fox Tempest malware-signing service that abused Azure Artifact Signing to create fraudulent code-signing certificates.
  • The operation allegedly helped ransomware groups distribute malware disguised as trusted software, such as Microsoft Teams and AnyDesk.
  • Microsoft said the group used stolen identities and short-lived certificates to bypass verification controls and evade detection.
  • The service expanded into a hosted malware-signing infrastructure, allowing customers to upload malware and receive signed binaries directly.
  • Microsoft warned that trusted digital signatures alone are no longer reliable indicators of software legitimacy.

Inside the Fox Tempest malware operation

Microsoft said attackers abused its Azure Artifact Signing service to generate legitimate-looking certificates used to distribute malware through a large-scale malware-signing-as-a-service (MSaaS) operation known as Fox Tempest.

The campaign was tied to malware families, including Oyster, Lumma Stealer, and Vidar, as well as ransomware groups such as Rhysida, Akira, INC, Qilin, and BlackByte.

Threat actors associated with Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 reportedly used the signed malware in attacks targeting organizations worldwide.

Signed malware disguised as trusted software

Customers of the platform could upload malicious binaries and receive digitally signed malware using fraudulently obtained certificates generated through Azure Artifact Signing.

The malware itself was often disguised as trusted enterprise software such as Microsoft Teams, AnyDesk, PuTTY, and Webex to reduce suspicion and improve delivery success rates.

In one example, fake Microsoft Teams installers deployed Oyster malware before ultimately delivering Rhysida ransomware to victim systems.

Advertisement

Stolen identities and short-lived certificates

Researchers believe the operators likely relied on stolen identities from the United States and Canada to bypass Microsoft’s identity verification requirements and gain access to the signing service.

Microsoft also said Fox Tempest frequently used short-lived certificates valid for only 72 hours, allowing the group to rotate certificates quickly and reduce the effectiveness of traditional revocation efforts.

Malware-signing service expanded operations

Earlier this year, the operation reportedly expanded beyond certificate issuance to include preconfigured virtual machine environments hosted on Cloudzy’s infrastructure.

Customers could upload malware directly to hosted systems and receive signed binaries, thereby streamlining malware deployment for ransomware operators and other cybercriminals.

The service was openly promoted through a Telegram channel called “EV Certs for Sale by SamCodeSign,” with access reportedly priced between $5,000 and $9,000 in bitcoin.

Microsoft said the operation generated millions of dollars in profit and demonstrated the hallmarks of a mature cybercriminal enterprise that manages infrastructure, financial transactions, operational security, and customer support at scale.

Must-read security coverage

Reducing risk from trusted software abuse

Trusted digital signatures are no longer a guarantee of software safety.

As attackers abuse cloud signing services and trusted applications to evade detection, organizations need stronger controls around software validation, identity management, and infrastructure segmentation.

  • Strengthen application allowlisting and endpoint detection policies to identify suspicious behavior from signed binaries, installers, and trusted software impersonation attempts.
  • Enforce strong identity verification, multi-factor authentication (MFA), and least-privilege access controls across certificate issuance systems, Azure tenants, and cloud-signing environments.
  • Segment build, signing, and production infrastructure to limit lateral movement opportunities and reduce exposure if signing environments or certificates are compromised.
  • Monitor Azure tenant creation, virtual machine provisioning, and certificate activity for anomalous behavior, such as excessive issuance of short-lived certificates or suspicious infrastructure deployment patterns.
  • Implement certificate reputation monitoring, behavioral sandboxing, and secondary validation checks for newly signed executables before allowing them to run in enterprise environments.
  • Continuously review and revoke unused signing credentials, API tokens, and cloud identities, while restricting access to signing systems through privileged access management and hardware-backed key protection.
  • Test incident response and trusted software abuse playbooks regularly to ensure teams can quickly isolate signed malware, revoke compromised certificates, contain malicious infrastructure, and recover affected systems.

Together, these steps can help organizations build resilience against trusted software abuse while reducing overall exposure to compromised certificates, malicious infrastructure, and signed malware attacks.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.