{"id":8211,"date":"2026-05-20T00:45:54","date_gmt":"2026-05-20T00:45:54","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8211"},"modified":"2026-05-20T00:45:54","modified_gmt":"2026-05-20T00:45:54","slug":"microsoft-disrupts-malware-code-signing-service-used-by-ransomware-gangs","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8211","title":{"rendered":"Microsoft disrupts malware code-signing service used by ransomware gangs"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft has disrupted the infrastructure powering the largest malware code-signing service used to help ransomware groups and other cybercriminals make malicious programs harder to detect on Windows. The threat actors behind the service used stolen identities and impersonated legitimate organizations to obtain more than 1,000 code-signing certificates.<\/p>\n<p>Microsoft seized the group\u2019s website, signspace[.]cloud, revoked the abused certificates, which were obtained through its Artifact Signing service, and took offline hundreds of virtual machines set up by the attackers on Azure. 
Cybercriminals paid between $5,000 and $9,000 to use the malware signing as a service (MSaaS), highlighting its effectiveness.<\/p>\n<p>Microsoft\u2019s researchers have established clear links between the group running this operation, which it calls <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/19\/exposing-fox-tempest-a-malware-signing-service-operation\/\">Fox Tempest<\/a>, and ransomware affiliates who worked with gangs such as INC, Qilin, Akira, and Rhysida.<\/p>\n<p>One ransomware group tracked as Vanilla Tempest used the code-signing service to create malicious installers for common enterprise software, such as AnyDesk, Microsoft Teams, Putty, and Webex. These fake but digitally signed installers were distributed via SEO poisoning and malvertising and were used to deploy a variety of backdoors, infostealers, and ransomware programs.<\/p>\n<p>\u201cThis case points to how cybercrime is changing,\u201d Steven Masada, assistant general counsel with Microsoft\u2019s Digital Crimes Unit, said in <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2026\/05\/19\/disrupting-fox-tempest-a-cybercrime-service\/\">a blog post<\/a>. \u201cWhat once required a single group to carry out an attack from start to finish is now broken into a modular ecosystem where services are bought and sold and work interchangeably with one another. Some services are inexpensive and widely used. 
Others, like Fox Tempest, are highly specialized and expensive because they remove friction or bypass obstacles that make attacks fail, making them both more reliable and harder to detect.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Code signing at scale<\/h2>\n<p>The value of digitally signing executable files is that <a href=\"http:\/\/learn.microsoft.com\/en-us\/windows\/apps\/package-and-deploy\/smartscreen-reputation\">Microsoft Defender SmartScreen<\/a> will display weaker warnings for downloaded files, or no warning at all if the file has built up a clean reputation over time. For attacks that rely on users executing rogue installers that masquerade as popular applications, having no scary warnings is a big advantage.<\/p>\n<p>For a digital signature to be valid, it needs to be created by a code-signing certificate that was issued by one of the trusted Certificate Authorities in the Windows Trust Store. Microsoft offers such a service under Azure called <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/artifact-signing\/overview\">Artifact Signing<\/a> through which developers can obtain short-lived certificates for their applications, but this process requires identity verification.<\/p>\n<p>Fox Tempest likely used stolen identities to pass the verification process and created hundreds of Azure accounts and tenants for use in its operation. The group then built its service on top of these subscriptions and provided code-signing services to the cybercrime ecosystem since at least May 2025.<\/p>\n<p>More recently the group started providing preconfigured VMs hosted on a VPS provider that enabled threat actors to upload malicious files directly and receive signed binaries in return.<\/p>\n<p>\u201cIllicit code-signing certificates have been sold and trafficked for more than a decade,\u201d Masada said. \u201cThat includes its use by nation-state actors to target critical infrastructure organizations in Europe. 
What\u2019s changed is how this activity is marketed, packaged, and sold as a service, along with the scale at which it is now used across ransomware campaigns. Instead of buying certificates one-by-one, criminals upload their malware to a service that signs it for them.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft has disrupted the infrastructure powering the largest malware code-signing service used to help ransomware groups and other cybercriminals make malicious programs harder to detect on Windows. The threat actors behind the service used stolen identities and impersonated legitimate organizations to obtain more than 1,000 code-signing certificates. Microsoft seized the group\u2019s website, signspace[.]cloud, revoked the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8212,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8211"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8211"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8211\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8212"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8211"}],"wp:term":[{"taxonomy":"category","embedd
able":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}