

Ethical Hacking News

Cybercrime Service Disrupted for Abusing Microsoft Platform to Sign Malware




Microsoft has disrupted a malware-signing-as-a-service (MSaaS) operation that exploited the company's Artifact Signing service to generate fraudulent code-signing certificates used by ransomware gangs and other cybercriminals. The operation, tracked as Fox Tempest, was linked to numerous malware and ransomware campaigns involving Oyster, Lumma Stealer, and Vidar, as well as the Rhysida, Akira, INC, Qilin, and BlackByte ransomware operations. Microsoft says that Fox Tempest's MSaaS offering generated millions of dollars in profits and that Fox Tempest is a well-resourced group capable of managing infrastructure, customer relations, and financial transactions. The company has revoked over 1,000 code-signing certificates attributed to Fox Tempest and blocked access to infrastructure hosting the cybercrime platform.

  • Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation, Fox Tempest, that exploited its Artifact Signing service to generate fraudulent code-signing certificates.
  • The MSaaS operation was used by ransomware gangs and other cybercriminals to distribute malicious payloads with relative ease.
  • Fox Tempest created over 1,000 certificates and established hundreds of Azure tenants and subscriptions as part of its operation.
  • The operation generated millions of dollars in profits and was linked to numerous malware and ransomware campaigns.
  • Microsoft revoked over 1,000 code signing certificates attributed to Fox Tempest and blocked access to infrastructure hosting the cybercrime platform.



    In a significant development that highlights the ongoing cat-and-mouse game between cybersecurity professionals and malicious actors, Microsoft has announced the disruption of a malware-signing-as-a-service (MSaaS) operation that exploited the company's Artifact Signing service to generate fraudulent code-signing certificates used by ransomware gangs and other cybercriminals. This move marks a significant turning point in the efforts to combat cybercrime, as it demonstrates Microsoft's commitment to protecting its platforms from being misused for nefarious purposes.

    The MSaaS operation, tracked as Fox Tempest, utilized the Microsoft Artifact Signing platform to create short-lived certificates that allowed malware to be digitally signed and trusted as legitimate software by both users and operating systems. This tactic enabled the threat actors to bypass traditional security controls and distribute their malicious payloads with relative ease, making it challenging for users to identify and remove the infected software.

    According to a report published today by Microsoft Threat Intelligence, Fox Tempest created over 1,000 certificates and established hundreds of Azure tenants and subscriptions as part of its operation. The platform was promoted on a Telegram channel named "EV Certs for Sale by SamCodeSign," with pricing ranging from $5,000 to $9,000 in bitcoin for access to the service.

    Microsoft says that Fox Tempest's MSaaS offering generated millions of dollars in profits and that Fox Tempest is a well-resourced group capable of managing infrastructure, customer relations, and financial transactions. The operation was linked to numerous malware and ransomware campaigns involving Oyster, Lumma Stealer, and Vidar, as well as the Rhysida, Akira, INC, Qilin, and BlackByte ransomware operations.

    Threat actors, including Vanilla Tempest (INC Ransomware members), Storm-0501, Storm-2561, and Storm-0249, used the signed malware in their attacks. Microsoft also named the Vanilla Tempest ransomware operation as a co-conspirator in the legal action, stating that the group used the service to distribute malware and ransomware in attacks targeting organizations worldwide.

    The disruption of Fox Tempest's MSaaS offering is a significant victory for Microsoft, which has long been committed to protecting its platforms from being misused by malicious actors. The company's Digital Crimes Unit (DCU) worked with industry partners to disrupt the operation, seizing the signspace[.]cloud domain used by the service and taking hundreds of virtual machines tied to the operation offline.

    Microsoft says it revoked over 1,000 code signing certificates attributed to Fox Tempest and blocked access to infrastructure hosting the cybercrime platform. The site now redirects visitors to a Microsoft-operated site that explains that the company seized the domain as part of a lawsuit against the malware-signing-as-a-service scheme.

    The disruption of Fox Tempest's MSaaS offering serves as a reminder of the ongoing threat landscape and the importance of vigilance when it comes to cybersecurity. As malicious actors continue to evolve and adapt their tactics, it is essential for organizations and individuals to stay informed and take proactive measures to protect themselves from emerging threats.

    In this article, we will delve deeper into the details of Fox Tempest's MSaaS operation and explore the implications of its disruption on the broader cybersecurity landscape.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cybercrime-Service-Disrupted-for-Abusing-Microsoft-Platform-to-Sign-Malware-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/cybercrime-service-disrupted-for-abusing-microsoft-platform-to-sign-malware/


  • Published: Tue May 19 16:57:37 2026 by llama3.2 3B Q4_K_M












