Microsoft disrupts malware code‑signing service
- Microsoft said on May 19 it disrupted Fox Tempest, a malware-signing service that abused Artifact Signing to make malicious files appear trusted.
- Microsoft said Fox Tempest created more than 1,000 certificates; CSO reported customers paid roughly $5,000 to $9,000 for signed binaries.
- The company said it unsealed a Southern District of New York case and seized signspace[.]cloud with law-enforcement support.
Microsoft said on May 19 that it disrupted a cybercrime service known as Fox Tempest that sold trusted-looking digital signatures for malware by abusing the company’s Artifact Signing platform. The operation let ransomware crews and other criminals make malicious files appear legitimately signed, which can help them pass security checks and win user trust. Microsoft said it revoked more than 1,000 certificates linked to the activity, seized the group’s signspace[.]cloud website and took hundreds of virtual machines offline.

### How did the service actually work?

Microsoft’s security team said Fox Tempest used stolen identities and impersonation to create accounts and abuse Artifact Signing, a service intended to verify that software is legitimate and untampered. The result was a stream of short-lived code-signing certificates that made malware look like trusted software on Windows systems. (microsoft.com)

CSO reported that customers were paying roughly $5,000 to $9,000 for signed binaries, underscoring how valuable a valid-looking signature remains in the criminal market. Microsoft said the group created over a thousand certificates and built hundreds of Azure tenants and subscriptions to support the operation. (microsoft.com)

### Why does a code signature matter so much to attackers?

Code-signing is a trust mechanism. Operating systems, security tools and users often treat signed software as less suspicious than unsigned files. Microsoft said Fox Tempest’s certificates let malware “appear legitimately signed,” helping it evade some security controls. (csoonline.com)

BleepingComputer and SecurityWeek reported that the service was used by ransomware operators and other cybercriminals, not just a single crew. That matters because it turns code-signing into an outsourced criminal service rather than a one-off intrusion technique. (microsoft.com)

### What did Microsoft and investigators do to stop it?

Microsoft said it unsealed a legal case in the U.S. District Court for the Southern District of New York as part of the disruption. The company said it seized the signspace[.]cloud domain, blocked access to a site hosting the underlying code, disabled fraudulent accounts and worked to revoke certificates already issued. (bleepingcomputer.com)

The Register reported that Microsoft also took down hundreds of virtual machines tied to the service. Microsoft said Fox Tempest had shifted in February 2026 to networks of third-party-hosted virtual machines after adapting to earlier defensive steps.

### Who was affected?

Microsoft said the downstream attacks hit organizations across healthcare, education, government and financial services in the United States and other countries. (blogs.microsoft.com)

The company said victims included organizations in France, India and China, and The Register reported that at least 12 affected machines were owned and operated by Microsoft itself. (theregister.com)

Nextgov reported that Microsoft described the impact as attacks on a “broad range of industry sectors” in the United States and elsewhere. That account matches Microsoft’s description of Fox Tempest as a cybercrime-enabling service rather than a campaign aimed at one target set. (securityaffairs.com)

### What should defenders take from this?

Microsoft’s account points to software trust chains as the issue. The company said it has added protections, revoked fraudulent certificates and introduced new detection features, but the case shows that attackers will spend real money to obtain trusted signatures if that improves delivery and evasion. (nextgov.com)

For enterprise security teams, the immediate questions are whether security tools validate certificate reputation rather than signature presence alone, whether developers and vendors are protecting signing workflows, and whether short-lived signed binaries are getting extra scrutiny. Those points are an inference from Microsoft’s description of how the service worked and what it sold. (blogs.microsoft.com)

Microsoft said the legal case was unsealed on May 19 in New York, and the company said its next steps include continued certificate revocations, account disruption and additional protections around Artifact Signing. (blogs.microsoft.com) (microsoft.com)
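The last point above, scrutinising signed binaries instead of trusting a "Valid" status, is the kind of check a defender can automate. The PowerShell below is an added example written for this article; it is not Microsoft's code and not taken from any of the cited reports. It uses the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets to triage every binary under a path and flags signer certificates that have a short validity window, were issued very recently, carry no countersignature timestamp, or are not on a publisher allowlist. The day thresholds, the file extensions scanned and the `$TrustedThumbprints` allowlist are assumptions for illustration, not values from the article.

```powershell
# Added example, not Microsoft's code or from the reporting above.
# Triage Authenticode signatures on a set of Windows binaries. A "Valid"
# status alone is treated as insufficient: each signer certificate is also
# checked for a short validity window and a recent issue date, and the file
# hash and signer thumbprint are emitted so they can be compared against
# publisher allowlists or reputation data outside this script.
function Test-SignedBinaryTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [int]$MaxShortLivedDays = 30,        # assumption: flag certs valid for 30 days or less
        [int]$RecentIssueDays   = 14,        # assumption: flag certs issued in the last 14 days
        [string[]]$TrustedThumbprints = @()  # assumption: thumbprints of publishers you already vetted
    )

    # Assumed set of file types worth checking; extend to suit your estate.
    $extensions = '.exe', '.dll', '.msi', '.sys', '.ps1'
    $files = Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() }

    foreach ($file in $files) {
        $sig   = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert  = $sig.SignerCertificate
        $flags = [System.Collections.Generic.List[string]]::new()

        if ($sig.Status -ne 'Valid') { $flags.Add("status=$($sig.Status)") }

        $lifetimeDays = $null
        if ($null -ne $cert) {
            $lifetimeDays = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays, 1)
            $ageDays      = [math]::Round(((Get-Date) - $cert.NotBefore).TotalDays, 1)

            if ($lifetimeDays -le $MaxShortLivedDays) { $flags.Add("short-lived-cert=${lifetimeDays}d") }
            if ($ageDays -le $RecentIssueDays)        { $flags.Add("recently-issued=${ageDays}d") }
            if ($TrustedThumbprints.Count -gt 0 -and $cert.Thumbprint -notin $TrustedThumbprints) {
                $flags.Add('signer-not-on-allowlist')
            }
            # Without a countersignature timestamp the signature expires with the
            # certificate, so a short-lived cert with no timestamp deserves a second look.
            if ($null -eq $sig.TimeStamperCertificate) { $flags.Add('no-timestamp') }
        } else {
            $flags.Add('unsigned')
        }

        # One record per file, shaped for export to CSV or a SIEM.
        [PSCustomObject]@{
            Path         = $file.FullName
            Status       = $sig.Status
            Subject      = if ($cert) { $cert.Subject }    else { $null }
            Issuer       = if ($cert) { $cert.Issuer }     else { $null }
            Thumbprint   = if ($cert) { $cert.Thumbprint } else { $null }
            NotBefore    = if ($cert) { $cert.NotBefore }  else { $null }
            NotAfter     = if ($cert) { $cert.NotAfter }   else { $null }
            LifetimeDays = $lifetimeDays
            SHA256       = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            Flags        = ($flags -join ',')
        }
    }
}

# Usage: scan a download folder, keep only files that raised a flag, and list
# the shortest-lived signers first.
Test-SignedBinaryTrust -Path "$env:USERPROFILE\Downloads" |
    Where-Object { $_.Flags } |
    Sort-Object LifetimeDays |
    Format-Table Path, Status, LifetimeDays, Flags -AutoSize
```

The output is deliberately a stream of objects rather than a verdict: the SHA256 and signer thumbprint are there so the result can be joined against whatever reputation or allowlist data the team already keeps, which is the "reputation rather than presence" distinction the article draws.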