Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware
Briefly

"Microsoft seized websites and took down hundreds of virtual machines running a cybercrime service that allegedly sold code-signing certificates to ransomware gangs, thus making their malware look like legitimate software - and allowing criminals to infect thousands of machines in the US, including at least 12 owned and operated by the Windows giant."
"The malware signing-as-a-service operation called Fox Tempest has been around since May 2025, and abuses Microsoft's Artifact Signing code-signing service. This service allows developers to digitally sign their software applications, signaling to the Windows operating system and end-user that the software is authentic, and hasn't been tampered with."
"Since May 2025, the Fox Tempest crew - referred to as John Doe 1 and 2 in court documents unsealed on Tuesday - used fake identities and impersonated real organizations, allowing them to create more than 580 fraudulent Microsoft accounts. They then used these accounts to abuse Microsoft's Artifact Signing service and obtain real code-signing credentials, then sold the code-signing certificates to other criminals for thousands of dollars."
"According to Microsoft, Fox Tempest's customers included a ransomware group Redmond tracks as Vanilla Tempest (aka Vice Spider, Vice Society, Rhysida), which allegedly used the certificates to digitally sign malware and make it appear legitimate to Windows and users. This also allowed the ransomware slingers 'to more easily deploy the malware onto the computers of unsuspecting victims without their consent,' according to the court documents [PDF]."
Microsoft seized websites and took down hundreds of virtual machines running a cybercrime service that allegedly sold code-signing certificates to ransomware gangs. The service, called Fox Tempest, abused Microsoft’s Artifact Signing code-signing service to obtain genuine signing credentials. Developers normally use code signing to signal to Windows and end users that software is authentic and has not been tampered with. Since May 2025, Fox Tempest used fake identities and impersonated real organizations to create more than 580 fraudulent Microsoft accounts. It then used those accounts to abuse Artifact Signing and sold the resulting certificates for thousands of dollars. Microsoft reported that the service's customers included Vanilla Tempest, which used the certificates to digitally sign malware and deploy it more easily onto victims' machines. Malware signed this way included the Oyster backdoor, the Lumma and Vidar infostealers, and Rhysida ransomware.
Read at theregister