Microsoft Disrupts Malware-Signing Service Used by Ransomware Gangs


Microsoft says it disrupted a malware-signing service that abused Azure Artifact Signing to create fraudulent certificates used in ransomware and malware attacks.

The Fox Tempest operation allegedly helped cybercriminals distribute malware disguised as trusted software to evade Windows defenses and fool users.

“Fox Tempest doesn’t directly target victims but instead provides supporting services that enable ransomware operations by other threat actors,” Microsoft said in its advisory.

Key takeaways from the Fox Tempest operation

  • Microsoft disrupted the Fox Tempest malware-signing service that abused Azure Artifact Signing to create fraudulent code-signing certificates.
  • The operation allegedly helped ransomware groups distribute malware disguised as trusted software, such as Microsoft Teams and AnyDesk.
  • Microsoft said the group used stolen identities and short-lived certificates to bypass verification controls and evade detection.
  • The service expanded into a hosted malware-signing infrastructure, allowing customers to upload malware and receive signed binaries directly.
  • Microsoft warned that trusted digital signatures alone are no longer reliable indicators of software legitimacy.

Inside the Fox Tempest malware operation

Microsoft said attackers abused its Azure Artifact Signing service to generate legitimate-looking certificates used to distribute malware through a large-scale malware-signing-as-a-service (MSaaS) operation known as Fox Tempest.

The campaign was tied to malware families, including Oyster, Lumma Stealer, and Vidar, as well as ransomware groups such as Rhysida, Akira, INC, Qilin, and BlackByte.

Threat actors associated with Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 reportedly used the signed malware in attacks targeting organizations worldwide.

Signed malware disguised as trusted software

Customers of the platform could upload malicious binaries and receive digitally signed malware using fraudulently obtained certificates generated through Azure Artifact Signing.

The malware itself was often disguised as trusted enterprise software such as Microsoft Teams, AnyDesk, PuTTY, and Webex to reduce suspicion and improve delivery success rates.

In one example, fake Microsoft Teams installers deployed Oyster malware before ultimately delivering Rhysida ransomware to victim systems.

Stolen identities and short-lived certificates

Researchers believe the operators relied on stolen identities from the United States and Canada to pass Microsoft’s identity verification requirements and gain access to the signing service.

Microsoft also said Fox Tempest frequently used short-lived certificates valid for only 72 hours, allowing the group to rotate certificates quickly and reduce the effectiveness of traditional revocation efforts.

Malware-signing service expanded operations

Earlier this year, the operation reportedly expanded beyond certificate issuance to include preconfigured virtual machine environments hosted on Cloudzy’s infrastructure.

Customers could upload malware directly to hosted systems and receive signed binaries, thereby streamlining malware deployment for ransomware operators and other cybercriminals.

The service was openly promoted through a Telegram channel called “EV Certs for Sale by SamCodeSign,” with access reportedly priced between $5,000 and $9,000 in bitcoin.

Microsoft said the operation generated millions of dollars in profit and demonstrated the hallmarks of a mature cybercriminal enterprise that manages infrastructure, financial transactions, operational security, and customer support at scale.


Reducing risk from trusted software abuse

Trusted digital signatures are no longer a guarantee of software safety.

As attackers abuse cloud signing services and trusted applications to evade detection, organizations need stronger controls around software validation, identity management, and infrastructure segmentation.

  • Strengthen application allowlisting and endpoint detection policies to identify suspicious behavior from signed binaries, installers, and trusted software impersonation attempts.
  • Enforce strong identity verification, multi-factor authentication (MFA), and least-privilege access controls across certificate issuance systems, Azure tenants, and cloud-signing environments.
  • Segment build, signing, and production infrastructure to limit lateral movement opportunities and reduce exposure if signing environments or certificates are compromised.
  • Monitor Azure tenant creation, virtual machine provisioning, and certificate activity for anomalous behavior, such as excessive issuance of short-lived certificates or suspicious infrastructure deployment patterns.
  • Implement certificate reputation monitoring, behavioral sandboxing, and secondary validation checks for newly signed executables before allowing them to run in enterprise environments.
  • Continuously review and revoke unused signing credentials, API tokens, and cloud identities, while restricting access to signing systems through privileged access management and hardware-backed key protection.
  • Test incident response and trusted software abuse playbooks regularly to ensure teams can quickly isolate signed malware, revoke compromised certificates, contain malicious infrastructure, and recover affected systems.

Together, these steps can help organizations build resilience against trusted software abuse while reducing overall exposure to compromised certificates, malicious infrastructure, and signed malware attacks.
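As an added illustration of the monitoring and secondary-validation controls listed above (not code from Microsoft or the original article), the following Python script runs two checks over a constructed set of certificate-issuance records: it flags tenants that issue several certificates with the 72-hour lifetime the advisory describes inside a short window, and it flags a binary whose claimed product name has a known vendor signer that does not match the certificate's organization. The record field names, the sample data, and the `EXPECTED_SIGNER` allowlist are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample issuance records; field names are an assumption, not a real
# Azure Artifact Signing log schema. Timestamps are ISO-8601 (UTC).
SAMPLE_EVENTS = [
    {"tenant": "tenant-A", "org": "Contoso Ltd", "product": None,
     "not_before": "2025-03-01T09:00:00", "not_after": "2026-03-01T09:00:00"},
    {"tenant": "tenant-B", "org": "Fabrikam Tools", "product": "Microsoft Teams",
     "not_before": "2025-03-01T10:00:00", "not_after": "2025-03-04T10:00:00"},
    {"tenant": "tenant-B", "org": "Fabrikam Tools", "product": "AnyDesk",
     "not_before": "2025-03-02T10:00:00", "not_after": "2025-03-05T10:00:00"},
    {"tenant": "tenant-B", "org": "Fabrikam Tools", "product": "PuTTY",
     "not_before": "2025-03-03T10:00:00", "not_after": "2025-03-06T10:00:00"},
]

SHORT_LIVED = timedelta(hours=72)  # the 72-hour lifetime the advisory describes

# Assumed allowlist of claimed product -> organization expected to sign it.
# Placeholder: populate from vendor certificates you have verified yourself.
EXPECTED_SIGNER = {"Microsoft Teams": "Microsoft Corporation"}

def validity(ev):
    # Certificate lifetime as a timedelta (not_after - not_before).
    return datetime.fromisoformat(ev["not_after"]) - datetime.fromisoformat(ev["not_before"])

def is_short_lived(ev, limit=SHORT_LIVED):
    return validity(ev) <= limit

def signer_mismatch(ev):
    """True when the claimed product has a known signer and this cert's org is not it."""
    expected = EXPECTED_SIGNER.get(ev.get("product"))
    return expected is not None and ev["org"] != expected

def flag_tenants(events, threshold=3, window=timedelta(days=7)):
    """Tenants that issued >= threshold short-lived certs inside any sliding window."""
    issued = defaultdict(list)
    for ev in events:
        if is_short_lived(ev):
            issued[ev["tenant"]].append(datetime.fromisoformat(ev["not_before"]))
    flagged = {}
    for tenant, times in issued.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[tenant] = max(flagged.get(tenant, 0), end - start + 1)
    return flagged
```

Thresholds and the window length are tuning knobs; a legitimate build pipeline that intentionally uses short-lived certificates would need its tenant baselined rather than alerted on.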

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.
