Microsoft disrupts cybercrime service that abused software verification systems en masse
Microsoft seized infrastructure and disrupted a cybercrime service that created and sold more than 1,000 code-signing certificates that other cybercriminals used to make malware-riddled software appear trusted and legitimate for follow-on cyberattacks, including ransomware, the company said Tuesday.
The financially motivated threat group, which Microsoft tracks as Fox Tempest, provided malware-signing-as-a-service to multiple ransomware groups, including Rhysida, Vanilla Tempest, Storm-0501, Storm-2561 and Storm-0249, for at least a year before Microsoft was granted a court order to dismantle the operation.
Fox Tempest, which Microsoft has been tracking since September 2025, abused Microsoft’s Artifact Signing system by fabricating identities and impersonating legitimate organizations to gain access to the company’s code-signing services, Steven Masada, assistant general counsel at Microsoft Digital Crimes Unit, said during a media briefing Monday.
Cybercriminals paid Fox Tempest up to $9,500 to get their malicious code signed, allowing them to slip software through defenses and bypass controls designed to confirm programs are authentic and linked to a trusted source.
“This isn’t the obvious knockoff you might find on a street corner. It’s more like a counterfeit product that’s so precise that even the experts have trouble distinguishing it from the real thing,” Masada said. “It acts as a fake ID that lets cybercriminals get into systems by walking right through the front door.”
While attackers and defenders have historically focused on the entry points of attacks, Fox Tempest’s operation exemplifies a broader move upstream to how attacks are built in the first place, he added.
“It’s no longer just about tricking users to click on a link, it’s about exploiting the very systems that we rely on to decide what is and what isn’t safe,” Masada said.
Cybercriminals have been reselling code-signing certificates for at least a decade, but Fox Tempest’s operation was unique in providing a massively scalable service for extortion, phishing, SEO poisoning or malware-laced advertising, said Maurice Mason, who led the investigation into Fox Tempest as principal cybercrime investigator at Microsoft’s DCU.
Mason said ransomware operators and other threat groups primarily deployed these fraudulent certificates in ads or SEO poisoning, which brought their malicious software and infostealers to the top of search rankings, ensnaring unsuspecting victims who thought they were downloading and running legitimate applications.
Fox Tempest’s operation, which included an authenticated portal and a drag-and-drop feature that allowed customers to get their code signed, was directly linked to the deployment of dozens of malware families, including Oyster, Lumma Stealer, MuddyWater and Vidar, he added.
Microsoft said the threat group is also linked to ransomware affiliates for INC, Qilin, Akira and others. The operation had a global impact, resulting in attacks on the healthcare, education, government and financial services sectors, and most heavily targeted organizations and people in the United States, France, India and China.
“Why wouldn’t you pay those thousands of dollars if you’re a threat actor and you’re getting it back in extortion and ransomware worth millions? This is like chump change to you,” Mason said.
Microsoft said it evicted or deleted more than 1,000 accounts and subscriptions Fox Tempest used to provide its services. The company also seized the threat group’s website, took hundreds of virtual machines offline and blocked access to a site hosting the underlying code.
“This disruption likely is going to raise the cost for attackers, and we’re hoping that they move off of using these services,” Mason said. “Obviously it’s just a disruption and there’s other things that they’ll probably move to, or someone might try to do this a different way next time.”
Fox Tempest is an example of the fully developed cybercrime economy defenders confront now, Masada said.
“In many cases, an actor no longer needs to build an attack from scratch. They can simply assemble one by purchasing its components — a phish kit from one vendor, malware from another, infrastructure and optimization tools from yet others, and so on,” he said.
“As we focus more of our recent disruptions on marketplaces and service providers, we’re getting a much clearer picture of how the economy actually functions, and what’s emerging is a stratified ecosystem,” Masada added.
“At one end, you have commoditized tools that are mass produced and built for scale, things like turnkey phishing kits or credential harvesting services,” he said. “But above that, we’re seeing a more sophisticated tier of operators, highly specialized services focused on evasion, durability, and optimization. These are not just enabling attacks, they’re engineering them to succeed against modern defenses.”