Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates. The operation enabled cybercriminals and ransomware groups to disguise malicious software as trusted applications, increasing the likelihood of successful infections.
According to a new report from Microsoft Threat Intelligence, the operation was run by a threat actor known as Fox Tempest. The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.
Azure Artifact Signing, formerly known as Trusted Signing, was introduced by Microsoft in 2024 as a cloud-based solution that helps developers digitally sign software through Microsoft's infrastructure. Investigators found that Fox Tempest leveraged the platform extensively, creating over 1,000 certificates along with hundreds of Azure tenants and subscriptions to facilitate its activities.
Microsoft has also revealed that it has initiated legal action against the cybercrime operation in the U.S. District Court for the Southern District of New York.
"Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest," Microsoft said.
"[In] May 2026, Microsoft's Digital Crimes Unit (DCU), with support from industry partners, disrupted Fox Tempest's MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use."
As part of the takedown effort, Microsoft seized the domain signspace[.]cloud, which was used to operate the service. The company also shut down hundreds of virtual machines linked to the operation and blocked access to infrastructure supporting the platform. Visitors attempting to access the domain are now redirected to a Microsoft-controlled page detailing the seizure and ongoing legal proceedings.
The investigation connected the service to several malware and ransomware campaigns involving Oyster, Lumma Stealer, Vidar, and ransomware families including Rhysida, Akira, INC, Qilin, and BlackByte. Microsoft stated that threat groups such as Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 utilized malware signed through the service.
Vanilla Tempest, associated with INC Ransomware, has also been identified as a co-conspirator in Microsoft's legal complaint. The company alleges that the group used the signing platform to distribute malware and ransomware against organizations globally.
Researchers found that the malware-signing operation enabled customers to upload malicious files and receive code-signed versions using fraudulently acquired certificates. The signed files often impersonated trusted software brands such as Microsoft Teams, AnyDesk, PuTTY, and Webex, making them appear more credible to potential victims.
"When unsuspecting victims executed the falsely named Microsoft Teams installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware," reads Microsoft's complaint.
"Because the Oyster malware was signed by a certificate from Microsoft's Artifact Signing service, the Windows operating system initially recognized the malware as legitimate software, when it would otherwise be flagged as suspicious or blocked entirely by security controls in the Windows operating system."
Microsoft believes the operators likely relied on stolen identities from individuals in the United States and Canada to bypass identity verification requirements and obtain signing credentials. The group reportedly favored certificates with a validity period of just 72 hours, reducing the chances of detection before the certificates expired.
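The two signals described above, a binary carrying a well-known product name but signed by an unexpected publisher, and a signer certificate whose whole validity window is about 72 hours, can both be read directly from the Authenticode signature on a Windows file. The PowerShell script below is an added triage example written for this article, not code from Microsoft or from its report: it walks a folder, pulls each executable's signature with the built-in Get-AuthenticodeSignature cmdlet, and flags files that are unsigned, whose signature no longer validates (which is what a revoked certificate produces), whose certificate lived for 72 hours or less, or whose file name suggests Teams, AnyDesk, PuTTY or Webex while the signer's subject does not name the expected publisher. The default scan path, the 72-hour threshold as a cutoff, the brand-to-publisher table and the function name Get-SigningFinding are assumptions chosen for illustration; the publisher strings should be replaced with the organisation's own allow-list.

```powershell
# Added example for this article (not Microsoft's code): triage Windows binaries for
# the signing patterns described in the report. Assumes Windows PowerShell 5.1 or later.
param(
    # Assumed default: scan the current user's Downloads folder.
    [string]$Path = "$env:USERPROFILE\Downloads",
    # The article reports certificates valid for just 72 hours; treat that or less as suspicious.
    [int]$ShortLivedHours = 72
)

# Assumed brand-to-publisher map: product name fragment -> text expected in the signer Subject.
# Adjust to the organisation's own allow-list; these strings are illustrative.
$ExpectedPublisher = @{
    'teams'   = 'Microsoft Corporation'
    'anydesk' = 'AnyDesk'
    'putty'   = 'Simon Tatham'
    'webex'   = 'Cisco'
}

function Get-SigningFinding {
    param([System.IO.FileInfo]$File)

    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    $finding = [ordered]@{
        File       = $File.FullName
        Status     = $sig.Status
        Subject    = $null
        Issuer     = $null
        ValidHours = $null
        Flags      = @()
    }

    if ($sig.Status -eq 'NotSigned') {
        $finding.Flags += 'unsigned'
        return [pscustomobject]$finding
    }
    if ($sig.Status -ne 'Valid') {
        # Anything other than Valid (untrusted or revoked chain, hash mismatch) deserves a look.
        $finding.Flags += "signature-$($sig.Status)"
    }

    $cert = $sig.SignerCertificate
    if ($cert) {
        $finding.Subject = $cert.Subject
        $finding.Issuer  = $cert.Issuer

        # Whole validity window of the leaf certificate, in hours.
        $hours = ($cert.NotAfter - $cert.NotBefore).TotalHours
        $finding.ValidHours = [math]::Round($hours, 1)
        if ($hours -le $ShortLivedHours) { $finding.Flags += 'short-lived-cert' }

        # Brand impersonation: file name looks like a known product but the signer does not match.
        foreach ($brand in $ExpectedPublisher.Keys) {
            if ($File.Name -match $brand -and
                $cert.Subject -notmatch [regex]::Escape($ExpectedPublisher[$brand])) {
                $finding.Flags += "publisher-mismatch:$brand"
            }
        }
    }
    return [pscustomobject]$finding
}

# Report only files that raised at least one flag.
Get-ChildItem -Path $Path -Recurse -Include *.exe, *.msi, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SigningFinding -File $_ } |
    Where-Object { $_.Flags.Count -gt 0 } |
    Select-Object File, Status, Subject, ValidHours, @{ n = 'Flags'; e = { $_.Flags -join ',' } } |
    Format-Table -AutoSize
```

A short-lived certificate is not proof of abuse on its own, since legitimate build pipelines also use short validity windows, so the script reports the signal alongside the signer subject and issuer rather than treating it as a verdict; the useful triage combination is a short-lived certificate on a file that also carries a publisher mismatch or a signature that no longer validates after revocation.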
The company noted that similar abuse of Microsoft's signing services had previously been observed in malware campaigns involving the Crazy Evil Traffers cryptocurrency theft operation and Lumma Stealer. However, it remains unclear whether those incidents were directly linked to Fox Tempest.
Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.
The service was reportedly promoted through a Telegram channel called "EV Certs for Sale by SamCodeSign." Access to the platform was advertised at prices ranging from $5,000 to $9,000 in Bitcoin.
Microsoft estimates that the criminal enterprise generated millions of dollars in revenue. The company described Fox Tempest as a sophisticated and well-funded operation capable of maintaining extensive infrastructure, handling customer support, and processing financial transactions while facilitating cybercrime activities worldwide.