Microsoft Disrupts Malware Signing Service Used By Ransomware Groups

Fraudulent certificates helped malware look like legitimate software



Microsoft says it has disrupted a large malware-signing-as-a-service operation that abused the company’s own Artifact Signing platform to make malicious software appear trustworthy on Windows systems.

The operation, tracked by Microsoft as Fox Tempest, allegedly created more than 1,000 fraudulent code-signing certificates and supported cybercriminal campaigns tied to ransomware, information stealers, and malware loaders.

According to Microsoft, the attackers used the certificates to digitally sign malware, so Windows and security tools would initially treat the files as legitimate software instead of flagging them as suspicious.

Microsoft revokes more than 1,000 fraudulent certificates

Microsoft’s Digital Crimes Unit said it disrupted the operation in May 2026 and revoked more than 1,000 code-signing certificates connected to the scheme.

The company also unsealed a lawsuit in the Southern District of New York and seized the domain signspace[.]cloud, which allegedly supported the malware-signing service. Microsoft says it additionally took hundreds of virtual machines offline as part of the enforcement action.

The seized domain now redirects visitors to a Microsoft legal notice explaining the takedown.

Microsoft believes the attackers used stolen identities from the United States and Canada to pass verification checks for Artifact Signing accounts. The operation reportedly relied on short-lived certificates valid for only 72 hours, helping attackers reduce detection risk and rotate infrastructure quickly.

Malware disguised as trusted software

Microsoft says cybercriminal customers uploaded malicious files to the Fox Tempest platform, where the malware was signed using fraudulently obtained certificates.

The signed files were then disguised as legitimate software installers and applications, including fake versions of Microsoft Teams, AnyDesk, PuTTY, and Webex.

In one attack described by Microsoft, fake Microsoft Teams installers delivered a malicious loader that later deployed signed Oyster malware and eventually led to Rhysida ransomware infections.

The signed-malware operation is also linked to campaigns involving threats such as Oyster, Lumma Stealer, and Vidar.

Multiple ransomware groups connected to the operation

Microsoft says several ransomware and cybercrime groups used malware signed through the service.

The list includes Akira, INC, Qilin, and BlackByte. Microsoft also connected activity to threat actors it tracks internally as Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249.

The company says the operation functioned like a professional criminal business with organized infrastructure, customer support, payment handling systems, and Telegram promotion channels.

Access to the malware-signing service reportedly cost between $5,000 and $9,000 in bitcoin, depending on the service package and certificate requirements.

Why signed malware creates a serious security problem

Digitally signed malware often bypasses security warnings because operating systems trust signed executables more than unsigned files.

Microsoft says the fraudulent certificates allowed malicious software to appear authentic during installation and execution. Without those certificates, many of the malware samples may have triggered warnings or been blocked entirely by Windows security protections and endpoint security tools.

The case also highlights how attackers continue abusing legitimate cloud infrastructure and identity verification systems to scale cybercrime operations.
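For defenders, the two traits reported above (72-hour certificates and installers posing as well-known software) can be turned into a triage rule over a signature inventory. The sketch below is an added example, not Microsoft's tooling; the record fields, sample data, and expected publisher strings are assumptions to adapt to your own inventory export.

```python
from datetime import datetime, timedelta

# Lifetime the article attributes to the abused certificates.
SHORT_LIVED = timedelta(hours=72)

# Assumption: publisher strings expected in the signer subject for the brands
# the article lists. Confirm them against known-good installers before use.
EXPECTED_PUBLISHERS = {
    "teams": ("Microsoft Corporation",),
    "anydesk": ("AnyDesk Software GmbH",),
    "putty": ("Simon Tatham",),
    "webex": ("Cisco",),
}

def triage(record):
    """Return the reasons a validly signed file still deserves review."""
    reasons = []
    not_before = datetime.fromisoformat(record["not_before"])
    not_after = datetime.fromisoformat(record["not_after"])
    if not_after - not_before <= SHORT_LIVED:
        # Weak signal on its own: short validity does not prove abuse.
        reasons.append("short-lived certificate")
    name, signer = record["file"].lower(), record["signer"].lower()
    for brand, publishers in EXPECTED_PUBLISHERS.items():
        # Substring matching is a simplification; pin issuer or thumbprint if you can.
        if brand in name and not any(p.lower() in signer for p in publishers):
            reasons.append(f"named like {brand}, unexpected signer")
    return reasons

# Constructed sample inventory (hypothetical field names and values).
SAMPLE = [
    {"file": "MSTeamsSetup.exe", "signer": "CN=Example Holdings LLC",
     "not_before": "2026-05-01T00:00:00", "not_after": "2026-05-04T00:00:00"},
    {"file": "putty-64bit-installer.msi", "signer": "CN=Simon Tatham",
     "not_before": "2025-01-01T00:00:00", "not_after": "2027-01-01T00:00:00"},
    {"file": "internal-tool.exe", "signer": "CN=Contoso Ltd",
     "not_before": "2026-05-02T08:00:00", "not_after": "2026-05-05T08:00:00"},
]

def review_queue(records):
    """Map file name -> reasons, for files with at least one finding."""
    return {r["file"]: triage(r) for r in records if triage(r)}

if __name__ == "__main__":
    for name, reasons in review_queue(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

A file that trips both rules is the stronger lead; a short-lived certificate by itself only earns a place in the review queue.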

More malware threats continue targeting Microsoft users

The disruption comes as several other security threats continue circulating across enterprise and Windows environments.

Researchers recently disclosed the MiniPlasma exploit alongside new malware known as YellowKey and GreenPlasma. Meanwhile, Microsoft Teams remains a frequent target for attackers, with recent campaigns using the platform to distribute ModeloRAT malware through phishing and fake support schemes.

Via Bleeping Computer
