Microsoft Disrupts Malware-Signing Service Abusing Azure Artifact Signing
Microsoft has taken down a malware-signing-as-a-service operation that abused its Artifact Signing platform to create fraudulent code-signing certificates. The service helped cybercriminals make malware appear legitimate, supporting campaigns tied to stealers, loaders, and major ransomware groups.
Microsoft has disrupted a malware-signing-as-a-service operation that abused its Artifact Signing platform to make malicious files pass as trusted, legitimately signed software.
According to Microsoft Threat Intelligence, the threat actor tracked as Fox Tempest used Microsoft’s Artifact Signing service to obtain fraudulent, short-lived code-signing certificates. Malware signed with those certificates carried a signature that validated successfully, which let it draw less scrutiny from users, from operating-system checks, and from security controls that treat a valid signature as a trust signal.
The operation was significant in scale. Microsoft says Fox Tempest created more than 1,000 certificates and used hundreds of Azure tenants and subscriptions to support the service. In response, Microsoft revoked the certificates, seized the signspace[.]cloud domain, took related virtual machines offline, and blocked access to infrastructure tied to the cybercrime platform.
The service functioned like a professional underground signing platform. Cybercriminal customers could upload malware, have it signed with fraudulently obtained certificates, and then distribute it as if it were legitimate software. Microsoft says the signed malware was used in campaigns involving Oyster, Lumma Stealer, Vidar, and ransomware groups including Rhysida, Akira, INC, Qilin, and BlackByte.
In some attacks, threat actors disguised malicious files as trusted applications such as Microsoft Teams, AnyDesk, PuTTY, and Webex. Once executed by victims, the fake installers delivered malware loaders that could eventually lead to ransomware deployment.
Microsoft believes the operators may have used stolen identities from the United States and Canada to pass identity verification requirements for Artifact Signing. The certificates were intentionally short-lived, often valid for only 72 hours, likely to reduce the chance of detection and limit the window for investigation.
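The short validity window described above is itself a usable hunt signal: legitimate publishers rarely sign releases with a certificate that lives only a few days. The PowerShell script below is an added example written for this page, not code from Microsoft or from the advisory; it walks a set of directories, reads each executable's Authenticode signer certificate, and reports files whose certificate was valid for no more than a configurable number of hours. The 72-hour threshold matches the figure quoted above, but the default paths, the file extensions and the output fields are illustrative choices.

```powershell
# Added example (not Microsoft's code): hunt for executables whose Authenticode
# signer certificate has an unusually short validity window.
# Assumptions: runs on Windows PowerShell 5.1 or PowerShell 7, as a user who can
# read the target paths; the default paths and threshold are illustrative only.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP"),
    [int]$MaxValidityHours = 72
)

$results = foreach ($file in Get-ChildItem -Path $Paths -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if (-not $sig.SignerCertificate) { continue }   # unsigned files are out of scope for this hunt

    $cert     = $sig.SignerCertificate               # X509Certificate2 of the leaf signer
    $validity = $cert.NotAfter - $cert.NotBefore     # TimeSpan covering the cert's whole lifetime

    [pscustomobject]@{
        Path          = $file.FullName
        Status        = $sig.Status                  # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint             # pivot for revocation lookups and blocklists
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        ValidityHours = [math]::Round($validity.TotalHours, 1)
        Timestamped   = [bool]$sig.TimeStamperCertificate   # timestamped signatures outlive the cert
        ShortLived    = $validity.TotalHours -le $MaxValidityHours
    }
}

# A signature that reports Valid is not a clean bill of health; the short-lived
# signer certificate is the signal worth escalating.
$results |
    Where-Object ShortLived |
    Sort-Object ValidityHours |
    Format-Table Path, Status, Subject, ValidityHours, Timestamped -AutoSize
```

Two caveats when reading the output. An Authenticode signature that carries a trusted timestamp continues to verify after the signing certificate expires, so the 72-hour lifetime does not cause the malware to stop validating on its own; that is why the validity window, rather than the current date, is what the script measures. And because Windows caches revocation data, a file signed with a certificate Microsoft has since revoked can still report `Valid` for a while, so treat the thumbprint as the pivot for further checks rather than relying on the status field alone.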
Microsoft’s Digital Crimes Unit also filed legal action in the U.S. District Court for the Southern District of New York. The company named the Vanilla Tempest ransomware operation as a co-conspirator, stating that the group used the signing service to support malware and ransomware attacks against organizations worldwide.
The operation was reportedly promoted through a Telegram channel called “EV Certs for Sale by SamCodeSign,” with access priced between $5,000 and $9,000 in bitcoin. Microsoft says the service generated millions of dollars and was run by a well-resourced group capable of managing cloud infrastructure, customer access, and payment operations.
Overall, this takedown shows how attackers increasingly abuse legitimate cloud and developer services to give malware a trusted appearance. Code signing is meant to let users and systems verify that software comes from the named publisher and has not been altered since it was signed; it says nothing about whether that publisher is honest. When the certificate itself is obtained fraudulently, a valid signature becomes a powerful tool for making malicious payloads look legitimate.