Full Report
Microsoft says it has disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company's Artifact Signing service to generate fraudulent code-signing certificates used by ransomware gangs and other cybercriminals. [...]
Analysis Summary
# Incident Report: Fox Tempest Malware-Signing-as-a-Service (MSaaS)
## Executive Summary
Microsoft disrupted a sophisticated Malware-Signing-as-a-Service (MSaaS) operation, tracked as Fox Tempest, which abused Microsoft’s Artifact Signing service. The group used fraudulent identities to obtain legitimate code-signing certificates, allowing various ransomware gangs to bypass security controls by presenting malicious binaries as trusted software. The disruption involved a combination of technical takedowns and a successful legal injunction in the U.S. District Court.
## Incident Details
- **Discovery Date:** March 2025 (Initial public reporting of abuse)
- **Incident Date:** Ongoing through May 2026
- **Affected Organization:** Microsoft (Abuse of "Artifact Signing" / "Trusted Signing" service)
- **Sector:** Technology / Cybercrime Infrastructure
- **Geography:** Global (infrastructure linked to UAE-based Cloudzy; identities stolen from US/Canada)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa 2024–2025
- **Vector:** Identity Theft
- **Details:** Attackers used stolen identities from the United States and Canada to pass identity verification requirements for the Microsoft Artifact Signing service.
### Lateral Movement
- **Details:** The threat actor established hundreds of Azure tenants and subscriptions and deployed hundreds of virtual machines (VMs) to host the malware-signing infrastructure.
### Data Exfiltration/Impact
- **Impact:** Over 1,000 fraudulent certificates were generated and used to sign malware including Oyster, Lumma Stealer, and Vidar. This facilitated major ransomware attacks (Rhysida, Akira, INC, Qilin, BlackByte).
### Detection & Response
- **March 2025:** Security researchers identify initial abuse of the service in crypto-theft campaigns.
- **May 2026:** Microsoft Digital Crimes Unit (DCU) unseals a legal case via the U.S. District Court for the Southern District of New York.
- **May 19, 2026:** Official disruption of infrastructure (VMs, domains, and certificates).
## Attack Methodology
- **Initial Access:** Fraudulent registration using stolen PII to meet identity verification standards.
- **Persistence:** Creation of multiple Azure tenants and subscriptions to ensure redundancy.
- **Defense Evasion:** Use of short-lived certificates (72-hour validity) to minimize the window for detection and revocation. Malware was packaged to impersonate legitimate apps like MS Teams, AnyDesk, and PuTTY.
- **Impact:** Signed malware bypassed Windows OS security warnings, leading to high-impact ransomware deployments.
## Impact Assessment
- **Financial:** Revenue generated for attackers estimated in the millions (subscriptions sold for $5,000 to $9,000 USD via Bitcoin).
- **Data Breach:** Indirect; facilitated the breach of numerous organizations via ransomware partners.
- **Operational:** Disruption of over 1,000 fraudulent certificates and seizure of the signspace[.]cloud domain.
- **Reputational:** Significant brand risk as attackers misused a trusted Microsoft security service to validate malware.
## Indicators of Compromise
- **Network indicators:**
  - signspace[.]cloud (Seized)
- **File indicators:**
  - Certificates (1,000+ revoked; hashes vary per signed malware instance)
- **Behavioral indicators:**
  - Binaries signed through Azure Artifact Signing with certificates valid for exactly 72 hours.
  - Software installers for MS Teams or AnyDesk signed by unusual or non-standard entities.
## Response Actions
- **Containment:** Blocked access to signspace[.]cloud and infrastructure hosting the platform.
- **Eradication:** Revoked over 1,000 code-signing certificates; took hundreds of VMs offline.
- **Recovery:** Redirected seized domains to a Microsoft legal notice site.
## Lessons Learned
- **The "Validation Gap":** Automated identity verification can be bypassed by sophisticated threat actors using high-quality stolen PII.
- **Service Misuse:** Cloud-based security services (such as code signing) can be weaponized if entry to the service is not strictly controlled and usage is not monitored for behavioral anomalies.
- **Efficiency of Short-lived Certs:** Attackers used 72-hour certificates to stay ahead of certificate revocation lists (CRLs).
## Recommendations
- **Enhanced Vetting:** Implement stricter, multi-factor, or manual identity verification for organizations requesting code-signing privileges.
- **Anomalous Usage Monitoring:** Alert on accounts that create an unusually high volume of certificates with very short lifespans.
- **Endpoint Protection:** Ensure EDR/AV solutions do not solely rely on the "Trusted" status of a certificate but also perform behavioral analysis of the binary itself.
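A small triage routine, added here as an illustration and not code from Microsoft or the report, that applies the behavioral indicators listed above (72-hour certificates, well-known product names signed by unrelated subjects) and the anomalous-usage monitoring recommendation to constructed signing-service audit records. The record layout, account names, the expected-publisher allow-list and the 3-certificates-per-24-hours threshold are assumptions.

```python
# Added triage of signing-service audit records for the report's signals (72 h certs, issuance volume, impersonation).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry); ISO-8601 UTC timestamps.
EVENTS = [
    {"account": "acme-dev", "subject": "CN=Acme Software Ltd", "file": "AcmeUpdater.exe",
     "not_before": "2026-05-10T08:00:00", "not_after": "2026-05-13T08:00:00"},
    {"account": "fx-7731", "subject": "CN=Northwind Consulting LLC", "file": "MSTeamsSetup.exe",
     "not_before": "2026-05-11T01:00:00", "not_after": "2026-05-14T01:00:00"},
    {"account": "fx-7731", "subject": "CN=Northwind Consulting LLC", "file": "AnyDesk.exe",
     "not_before": "2026-05-11T03:30:00", "not_after": "2026-05-14T03:30:00"},
    {"account": "fx-7731", "subject": "CN=Northwind Consulting LLC", "file": "invoice.exe",
     "not_before": "2026-05-11T06:15:00", "not_after": "2026-05-14T06:15:00"},
]
# Assumed expected publishers for the products the report says were impersonated; adjust to your allow-list.
EXPECTED_PUBLISHER = {"teams": "Microsoft Corporation", "anydesk": "AnyDesk Software GmbH",
                      "putty": "Simon Tatham"}
VOLUME_THRESHOLD = 3  # assumed: certificates per account within 24 h that warrant an alert

def validity_hours(ev):
    """Certificate lifetime in hours, from the record's validity window."""
    start, end = datetime.fromisoformat(ev["not_before"]), datetime.fromisoformat(ev["not_after"])
    return (end - start).total_seconds() / 3600

def impersonated_product(ev):
    """Product name if the file mimics a known product and the subject is not its publisher."""
    name, subject = ev["file"].lower(), ev["subject"].lower()
    return next((p for p, pub in EXPECTED_PUBLISHER.items()
                 if p in name and pub.lower() not in subject), None)

def high_volume_accounts(events, window=timedelta(hours=24)):
    """Accounts with >= VOLUME_THRESHOLD issuances inside any sliding window."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev["account"]].append(datetime.fromisoformat(ev["not_before"]))
    return {acct for acct, ts in by_acct.items()
            if any(sum(timedelta(0) <= t - start <= window for t in ts) >= VOLUME_THRESHOLD
                   for start in ts)}

def triage(events):
    """Map each signed file name to the list of signals it triggers."""
    noisy = high_volume_accounts(events)
    findings = {}
    for ev in events:
        flags = ["72h-cert"] if abs(validity_hours(ev) - 72) < 1e-6 else []
        if ev["account"] in noisy:
            flags.append("high-volume-account")
        if (prod := impersonated_product(ev)):
            flags.append(f"impersonates-{prod}")
        findings[ev["file"]] = flags
    return findings
```

A 72-hour lifetime on its own is a weak signal, so the routine reports it alongside the volume and impersonation signals rather than alerting on it alone.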