

Ethical Hacking News

Microsoft Shuts Down Malicious Code-Signing Operation Used by Ransomware Gangs


Microsoft has shut down a malicious code-signing operation used by ransomware gangs, marking an important step in the company's efforts to combat the use of code-signing services for malicious purposes. The Fox Tempest operation had been in place since May 2025 and allowed attackers to create over 580 fraudulent Microsoft accounts, which they then used to obtain real code-signing credentials and sell them to other criminals for thousands of dollars.

  • Microsoft shut down an illicit code-signing operation called Fox Tempest, used by ransomware gangs to mask malicious software.
  • The operation allowed attackers to create over 580 fraudulent Microsoft accounts and sell them for thousands of dollars.
  • The crew impersonated real organizations and abused Microsoft's Artifact Signing code-signing service to digitally sign malware.
  • The malware included Windows backdoor Oyster, infostealers Lumma and Vidar, and Rhysida ransomware.
  • Microsoft's Digital Crimes Unit led the investigation, working with a cooperating source to test the code-signing service and identify thousands of impacted machines.
  • The Fox Tempest operation was shut down as part of Microsoft's efforts to strengthen its code-signing services and improve detection and response to malicious activity.



Microsoft, the tech giant, has taken significant steps to shut down an illicit code-signing operation that was being used by ransomware gangs to mask their malicious software. The operation, known as Fox Tempest, had been in place since May 2025 and allowed attackers to create over 580 fraudulent Microsoft accounts, which they then used to obtain real code-signing credentials and sell them to other criminals for thousands of dollars.

According to the US Department of Justice, the Fox Tempest crew, referred to as John Doe 1 and 2 in court documents, had been impersonating real organizations and using fake identities to create these fraudulent accounts. The operation allowed the attackers to abuse Microsoft's Artifact Signing code-signing service, which is used by developers to digitally sign their software applications, signaling to the Windows operating system and end-user that the software is authentic and hasn't been tampered with.

The Fox Tempest crew would then use these certificates to digitally sign malware, making it appear legitimate to Windows and users. This allowed them to more easily deploy the malware onto unsuspecting victims' computers without their consent. The malware included Windows backdoor Oyster, infostealers Lumma and Vidar, and Rhysida ransomware, which were used by a ransomware group known as Vanilla Tempest (also referred to as Vice Spider, Vice Society, and Rhysida).
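The practical lesson of the case is that a valid Authenticode signature identifies a signer; it does not vouch for the signer. The PowerShell below is an added example (not from the article, Microsoft, or the court filings) that inventories signed binaries and separates "valid but signed by someone you have not vetted" from "allowlisted"; the allowlist of thumbprints and the scanned path are hypothetical inputs you supply.

```powershell
# Added example: treat an Authenticode signature as a signer identity to check
# against an allowlist, not as proof the file is safe. $AllowedThumbprints is a
# hypothetical, operator-maintained list of certificate thumbprints you trust.

function Get-SignerTriage {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $AllowedThumbprints = @()
    )
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.msi -File |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate          # $null when the file is unsigned
            $verdict =
                if ($sig.Status -ne 'Valid')                        { 'UNSIGNED_OR_INVALID' }
                elseif ($cert.Thumbprint -in $AllowedThumbprints)   { 'ALLOWLISTED' }
                else                                                { 'VALID_BUT_UNKNOWN_SIGNER' }
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status
                Verdict    = $verdict
                Subject    = $cert.Subject           # the organisation name the signer claimed
                Issuer     = $cert.Issuer            # which CA / signing service issued it
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                # Certificate lifetime in days; handy for sorting and for spotting
                # recently issued certificates that have never been seen before.
                ValidDays  = if ($cert) { ($cert.NotAfter - $cert.NotBefore).Days } else { $null }
            }
        }
}

# Usage: list files that carry a valid signature from a signer not on your allowlist,
# newest certificates first, so an unfamiliar "legitimate-looking" signer stands out.
Get-SignerTriage -Path 'C:\ProgramData' -AllowedThumbprints @('<ALLOWLISTED-THUMBPRINT-PLACEHOLDER>') |
    Where-Object Verdict -eq 'VALID_BUT_UNKNOWN_SIGNER' |
    Sort-Object NotBefore -Descending |
    Format-Table File, Subject, Issuer, ValidDays, NotBefore -AutoSize
```

Feed the Subject, Issuer and Thumbprint columns into whatever revocation or threat-intel feed you receive for this case; the script itself only surfaces the signers for review.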

Microsoft's investigation into the Fox Tempest operation was led by its Digital Crimes Unit, which worked with "a cooperating source" to anonymously buy and test the code-signing service. These test purchases allowed DCU investigators to observe how the attackers operated the service, including how they provided information to customers and instructions on how to access virtual machines and complete the code-signing process.

During these tests, it was discovered that the Fox Tempest crew would sell the code-signing certificates for thousands of dollars, with standard prices ranging from $5,000 to $9,500. The attackers also used cryptocurrency wallets to facilitate these transactions.

As a result of its investigation, Microsoft has identified thousands of customer machines in the United States, including over 12 machines owned and operated by Microsoft itself, that have been impacted by malware signed with certificates originating from the Fox Tempest operation.

In addition to shutting down the Fox Tempest operation, Microsoft has also taken steps to strengthen its code-signing services and improve its ability to detect and respond to malicious activity. The company's Digital Crimes Unit is continuing to work on this issue, with attorney Steven Masada stating that further investigation had linked Fox Tempest to various additional ransomware affiliates and families.

The shutdown of the Fox Tempest operation marks an important step in Microsoft's efforts to combat the use of code-signing services for malicious purposes. The incident highlights the importance of robust security measures and the need for companies like Microsoft to stay vigilant in their pursuit of malicious actors who seek to exploit weaknesses in these services.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-Shuts-Down-Malicious-Code-Signing-Operation-Used-by-Ransomware-Gangs-ehn.shtml

  • https://www.theregister.com/security/2026/05/19/microsoft-disrupts-alleged-malware-signing-operation-used-by-ransomware-gangs/5243013


Published: Tue May 19 17:25:09 2026 by llama3.2 3B Q4_K_M