Microsoft Disrupts Malware-Signing Service That Issued 1,000+ Code-Signing Certificates


Microsoft’s Digital Crimes Unit (DCU) disrupted a malware-signing-as-a-service operation that gave ransomware crews legitimate-looking code-signing certificates straight from Microsoft’s Azure Artifact Signing platform, according to the BleepingComputer report. Buyers paid $5,000 to $9,000 in bitcoin to a Telegram seller called SamCodeSign and walked away with signed binaries that Windows treated as trusted software.

  • Fox Tempest, the financially motivated crew Microsoft says ran the service, created more than 1,000 fraudulent code-signing certificates and stood up hundreds of Azure tenants and subscriptions to issue them.
  • The signed payloads were used in Rhysida, Akira, INC, Qilin, and BlackByte ransomware intrusions, plus Oyster, Lumma Stealer, and Vidar campaigns.
  • Microsoft seized signspace[.]cloud, took the supporting Cloudzy-hosted virtual machines offline, revoked the certificates, and named Vanilla Tempest (INC ransomware) as a co-conspirator in a sealed action filed in the Southern District of New York.

Inside the signspace[.]cloud takedown

Microsoft’s complaint describes a working production line, not a one-off abuse case. Fox Tempest used stolen United States and Canadian identities to clear Artifact Signing’s identity-verification step, then minted certificates valid for only 72 hours so revocation telemetry would not catch up before the binaries had spread.

Earlier this year the operation matured into a hosted offering. Customers uploaded their malware into pre-configured virtual machines built on top of Cloudzy infrastructure, and got back signed binaries that impersonated Microsoft Teams, AnyDesk, PuTTY, and Webex installers. In one chain Microsoft cites in the complaint, a falsely signed Microsoft Teams installer dropped an Oyster loader that ultimately deployed Rhysida ransomware. Because Oyster carried a certificate from Microsoft’s own Artifact Signing service, Windows recognized the loader as legitimate and SmartScreen and Defender prompts that would normally fire stayed quiet. The same pattern keeps surfacing in prior reporting on ransomware affiliates paying for detection-evasion services on Windows.

Why short-lived code-signing certificates blunted Defender

The reflex defense for stolen or fraudulently issued certificates is revocation, but revocation assumes the defender finds out in time. Fox Tempest reduced that window by design. A 72-hour certificate is too short to land on certificate-transparency monitoring radar, and too short to enter vendor blocklists before the campaign has moved on. By the time the abuse is reported, the certificate has expired on its own.

The deeper failure here is not a Microsoft bug but a trust-model assumption. Code-signing as a control was designed to answer whether a binary comes from a verified developer, and most endpoint policies still grant signed binaries quieter handling than unsigned ones. Fox Tempest did not break the cryptography; it bought the verification. As long as a paid service can move identity-verification artifacts faster than the platform can detect abuse, signature-based trust elevates the attacker’s payload by default.

What CISOs should do this week about code-signing certificates

The takedown removes one supplier, not the model. SmartScreen and Defender will continue to weight signed Windows binaries more leniently, and other actors will revive the playbook with different intake channels. The work for security teams is to stop treating signed as a clean signal and start treating signing identity, issuer history, and certificate age as the signal.

Add issuer and certificate age to allowlisting policy. Application-control products including Microsoft App Control for Business and equivalents accept signer-plus-issuer rules. Flag or block binaries signed under Microsoft Artifact Signing if the certificate is under 7 days old and the publisher identity is not on an approved internal list. The 72-hour certificate window Fox Tempest exploited is exactly the slice this rule catches.

Pull a code-signing certificate baseline for your environment. Run Sysmon Event ID 1 or EDR telemetry over the last 90 days and produce a frequency-ranked list of signer subjects executing on production endpoints. New signer subjects appearing with low prevalence and recent certificate issuance dates are the candidates for hunt review.
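The two checks above (the issuer-plus-certificate-age allowlisting rule and the signer-prevalence baseline) expressed as hunt logic over constructed EDR-style process-start records, as an added example that is not from the article, Microsoft, or any EDR vendor. The issuer string, the record field names, and the Contoso allowlist are assumptions; certificate age is measured at the moment the binary ran, which is what matters for a 72-hour certificate.

```python
from collections import Counter
from datetime import datetime, timedelta
# Placeholder issuer string: substitute the issuer CN you actually observe on
# Artifact Signing certificates in your own telemetry.
ARTIFACT_SIGNING_ISSUER = "Artifact Signing Issuing CA (placeholder)"
APPROVED_PUBLISHERS = {"CN=Contoso Internal Tools", "CN=Contoso Release Engineering"}

# Constructed EDR-style process-start records: (host, image, signer subject,
# issuer, certificate NotBefore, execution time). Field names are assumptions.
RAW_EVENTS = [
    ("ws01", "lob-tool.exe", "CN=Contoso Internal Tools", "CN=Contoso Issuing CA", "2024-01-10", "2025-06-02T09:00"),
    ("ws02", "lob-tool.exe", "CN=Contoso Internal Tools", "CN=Contoso Issuing CA", "2024-01-10", "2025-06-02T09:05"),
    ("ws03", "lob-tool.exe", "CN=Contoso Internal Tools", "CN=Contoso Issuing CA", "2024-01-10", "2025-06-03T11:00"),
    ("ws01", "editor.exe", "CN=Fabrikam Software", "CN=Fabrikam Public CA", "2024-09-01", "2025-06-02T10:00"),
    ("ws02", "editor.exe", "CN=Fabrikam Software", "CN=Fabrikam Public CA", "2024-09-01", "2025-06-02T10:30"),
    ("ws04", "editor.exe", "CN=Fabrikam Software", "CN=Fabrikam Public CA", "2024-09-01", "2025-06-04T08:00"),
    # lookalike Teams installer, unknown publisher, certificate issued seven hours before it ran
    ("ws05", "MSTeamsSetup.exe", "CN=Northwind Digital LLC", "CN=" + ARTIFACT_SIGNING_ISSUER, "2025-06-04T06:00", "2025-06-04T13:00"),
    # approved internal publisher using the same platform with a fresh cert: must not be flagged
    ("ws06", "contoso-agent.exe", "CN=Contoso Release Engineering", "CN=" + ARTIFACT_SIGNING_ISSUER, "2025-06-03T00:00", "2025-06-03T08:00"),
]
EVENTS = [dict(zip(("host", "image", "signer", "issuer", "not_before", "seen"),
                   r[:4] + tuple(datetime.fromisoformat(x) for x in r[4:]))) for r in RAW_EVENTS]

def signer_baseline(events):
    """Frequency-ranked list of (signer, executions, distinct hosts) for the window."""
    execs = Counter(e["signer"] for e in events)
    hosts = {}
    for e in events:
        hosts.setdefault(e["signer"], set()).add(e["host"])
    return sorted(((s, n, len(hosts[s])) for s, n in execs.items()), key=lambda r: -r[1])

def flag_events(events, approved=APPROVED_PUBLISHERS, max_cert_age=timedelta(days=7),
                recent_issuance=timedelta(days=30), rare_threshold=3):
    """Young Artifact Signing cert from an unapproved publisher, or rare signer with a recent cert."""
    prevalence = Counter(e["signer"] for e in events)
    findings = []
    for e in events:
        if e["signer"] in approved:
            continue  # approved internal publishers are exempt from both rules
        cert_age = e["seen"] - e["not_before"]  # certificate age at the moment the binary ran
        reasons = []
        if ARTIFACT_SIGNING_ISSUER in e["issuer"] and cert_age < max_cert_age:
            reasons.append(f"Artifact Signing certificate only {cert_age} old")
        if prevalence[e["signer"]] < rare_threshold and cert_age < recent_issuance:
            reasons.append(f"rare signer ({prevalence[e['signer']]} executions) with recently issued cert")
        if reasons:
            findings.append({"host": e["host"], "image": e["image"], "signer": e["signer"], "reasons": reasons})
    return findings
```

Running `flag_events(EVENTS)` surfaces only the ws05 Teams lookalike, on both rules; emptying the allowlist also flags the Contoso agent, which shows why the internal publisher list has to be maintained rather than left empty.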

Subject signed Microsoft Teams, AnyDesk, PuTTY, and Webex installers to installer-source verification. The four impersonated brands Microsoft cited share a profile: legitimate user-pulled software whose install path often sits outside MDM. Require these binaries to come from internal software-distribution channels or vetted vendor URLs, and alert on any execution of a signed installer for one of them that did not pass through that channel. Read more on the role of patch and software-distribution management in keeping that channel clean.

Subscribe SOC analysts to Microsoft Threat Intelligence’s Fox Tempest indicator feed. Microsoft is publishing the seized certificate thumbprints and infrastructure indicators alongside the legal action; route those into the SIEM and detonate any historical match. Storm-0501, Storm-2561, Storm-0249, and Vanilla Tempest activity in the past six months is the first place to look.

Fox Tempest’s signspace[.]cloud now redirects to a Microsoft seizure page, but the code-signing certificates it issued sat on endpoints for hours before they expired. The cleanup is retrospective hunting through that 72-hour window, not a forward block.


Holger Schulze
Holger Schulze is the founder and publisher of Cybersecurity Insiders, an independent cybersecurity media and research company. The publication centers on the security domains under the most pressure from AI: identity and phishing resistance, incident response velocity, application security, and threat intelligence tradecraft. Coverage maps the readiness gap between where CISO teams sit today and where AI-era attack speed is pushing them, and which moves close it fastest. Writing here applies Cybersecurity Insiders' Capability and Coherence Maturity Model to primary-research data and named incident analysis, evaluating security programs across the reactive, managed, and adaptive maturity tiers. Holger moderates the Information Security Community on LinkedIn, one of the largest cybersecurity professional networks. Connect at linkedin.com/in/holger-schulze.
