Microsoft disrupts code-signing cybercrime service

Microsoft halts service selling fraudulent code-signing certificates to ransomware groups

Microsoft has recently dismantled a code-signing cybercrime service, tracked as Fox Tempest, that abused software verification systems en masse. The disruption matters to any organisation that treats a valid code signature as evidence that software is what it claims to be. Understanding the scale and methods of the operation helps security teams decide where that trust needs reinforcing.

How Fox Tempest exploited code-signing systems

Fraudulent certificates and malware distribution

Fox Tempest created and sold more than 1,000 fraudulent code-signing certificates, allowing cybercriminals to disguise malicious software as trusted applications. Because the certificates were obtained from a legitimate signing service rather than forged, the signed malware passed security controls that treat a valid signature as a proxy for legitimacy.

The threat group operated a malware-signing-as-a-service, catering to ransomware gangs and infostealer operators. Customers paid up to $9,500 per certificate, making it a lucrative business that supported attacks such as extortion, phishing, SEO poisoning and malvertising.

Abuse of Microsoft’s software verification process

Fox Tempest exploited Microsoft’s Artifact Signing system by fabricating identities and impersonating legitimate organisations. Using these fake credentials, they gained access to code-signing services and generated certificates for malicious code.

The operation was run like a product: an authenticated customer portal with a drag-and-drop upload signed malware on demand. Even experts struggled to distinguish the resulting signatures from genuine ones, and for a simple reason: the certificates were not counterfeits but real certificates issued to fabricated identities, so they chained to a trusted root and passed standard signature validation.

  • Over 1,000 fraudulent certificates issued
  • Malware and tooling signed included Oyster, Lumma Stealer, Vidar and MuddyWater
  • Ransomware affiliates for INC, Qilin, Akira and more used these certificates
  • Global impact: healthcare, education, government and financial services sectors affected

Why code-signing cybercrime matters to organisations

Risks of trusting software verification alone

Traditionally, organisations have relied on code-signing certificates to verify the authenticity of software. Fox Tempest's operation shows that this trust can be abused at the point of issuance: when the identity behind a certificate is fabricated, malware signed with it sails through standard signature checks.

Attackers are therefore not only exploiting user behaviour but also manipulating the systems meant to guarantee safety. Malicious software signed with fraudulently obtained certificates often escapes detection, leading to ransomware infections, data theft and financial losses.

Broader impact across sectors

The Fox Tempest operation targeted multiple sectors worldwide, with the United States, France, India and China most affected. Victims included healthcare providers, educational institutions, government agencies and financial firms. The use of SEO poisoning and malvertising increased the reach of these attacks, drawing in unsuspecting users who downloaded what appeared to be legitimate applications.

  • Ransomware and infostealer infections can disrupt operations
  • Data breaches and extortion threaten sensitive information
  • Phishing attacks become more convincing with signed malware
  • Trust in digital verification systems is undermined

Protecting your organisation from code-signing threats

Review application controls and download policies

Given the abuse of code-signing systems, organisations should not treat a valid signature as sufficient proof of legitimacy. A signature shows that a file has not been modified since signing and that the signer's certificate chains to a trusted root; it does not show that the identity named in the certificate was truthfully verified. Application control policies should therefore allow specific, known publishers rather than any signed binary, and download sources should be restricted to vendor sites and managed repositories. Restricting which applications can run, and from where they may be obtained, blocks much of this malware before it enters the network.

Strengthen detection and response capabilities

  • Use endpoint protection tools that inspect file behaviour, not just digital signatures
  • Monitor for newly seen signers, recently issued certificates and signer names that imitate known vendors, alongside suspicious downloads
  • Regularly audit application allow lists and update policies as threats evolve
  • Educate staff about the risks of installing software found through search results or adverts, the SEO poisoning and malvertising routes this operation relied on
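The script below is an added example for this bulletin, not code from Microsoft or from the original report. It puts the point made in "Abuse of Microsoft's software verification process" and the monitoring bullets above into practice: it walks a download location, reads each file's Authenticode signature and flags files whose status is Valid but whose signer is not on an explicit allow list, whose certificate was issued recently, or whose signature carries no timestamp. The scan path, the 30-day window and the placeholder thumbprint in the allow list are assumptions for illustration and must be replaced with your own values.

```powershell
# Added example (not from the original bulletin or from Microsoft).
# Inventory Authenticode signers under a download location and flag files whose
# signature is Valid but whose signer is not explicitly approved.
# Assumptions: the scan path, the 30-day "recently issued" window and the
# placeholder thumbprint below are illustrative values only.

$ScanPath        = Join-Path $env:USERPROFILE 'Downloads'   # assumption: where staff save installers
$RecentIssueDays = 30                                       # assumption: flag certificates issued inside this window

# Pin approved publishers by leaf-certificate thumbprint, not by Subject string.
# A certificate issued to a fabricated identity can carry a convincing Subject;
# it cannot reproduce the thumbprint of the real vendor's certificate.
$ApprovedThumbprints = @(
    'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'   # placeholder, replace with real vendor thumbprints
)

function Get-SignerReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Approved   = $ApprovedThumbprints,
        [int]      $RecentDays = $RecentIssueDays
    )

    $cutoff = (Get-Date).AddDays(-$RecentDays)

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert  = $sig.SignerCertificate
        $flags = New-Object 'System.Collections.Generic.List[string]'

        if ($sig.Status -ne 'Valid') {
            # Unsigned, tampered or untrusted chain: any signature check already sees this.
            $flags.Add("status $($sig.Status)")
        }
        else {
            # Valid only means: unmodified since signing and chained to a trusted root.
            # It says nothing about whether the identity in the certificate was truthfully
            # vetted, which is exactly the gap a fraudulently obtained certificate exploits.
            if ($Approved -notcontains $cert.Thumbprint) { $flags.Add('valid but publisher not on allow list') }
            if ($cert.NotBefore -gt $cutoff)            { $flags.Add("certificate issued $($cert.NotBefore.ToString('yyyy-MM-dd'))") }
            if (-not $sig.TimeStamperCertificate)       { $flags.Add('no countersignature timestamp') }
        }

        [pscustomobject]@{
            File         = $_.FullName
            Status       = $sig.Status
            Subject      = if ($cert) { $cert.Subject }    else { '' }
            Issuer       = if ($cert) { $cert.Issuer }     else { '' }
            Thumbprint   = if ($cert) { $cert.Thumbprint } else { '' }
            NotBefore    = if ($cert) { $cert.NotBefore }  else { $null }
            ValidityDays = if ($cert) { [int]($cert.NotAfter - $cert.NotBefore).TotalDays } else { $null }
            Flags        = $flags -join '; '
        }
    }
}

# Files that need a human look: anything flagged, newest certificates first.
$report = Get-SignerReport -Path $ScanPath
$report | Where-Object { $_.Flags } |
    Sort-Object NotBefore -Descending |
    Format-Table File, Status, Subject, NotBefore, ValidityDays, Flags -AutoSize -Wrap

# Signer inventory: a publisher seen once, on one machine, is a better hunting
# lead than a "Valid" status ever will be.
$report | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Subject | Sort-Object Count |
    Select-Object Count, Name | Format-Table -AutoSize
```

Two caveats when reading the output. Until the placeholder thumbprint is replaced with your real vendor list, every validly signed file is flagged, which is the intended starting point for building the allow list. And Status reflects the certificate chain as the machine sees it at check time: once a certificate is revoked by the issuer, a signed file can still report Valid until the revocation information reaches the endpoint, so a recently issued, never-before-seen signer deserves a look regardless of status.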

Collaborate and stay informed

Organisations should collaborate with software vendors, security providers and industry groups to stay ahead of emerging threats. Sharing threat intelligence can help detect abused certificates and malicious applications early. Regularly review advisories from trusted sources, including Microsoft, to understand new attack techniques.

Lessons from Microsoft’s disruption of Fox Tempest

Security systems must adapt to evolving threats

Fox Tempest’s ability to abuse code-signing shows that attackers are targeting upstream systems, not just end users. Security teams must adapt their strategies, combining application controls, behavioural detection and user education to mitigate risks.

Microsoft’s action demonstrates the importance of continuous monitoring and proactive disruption. While technical controls are essential, legal and investigative responses also play a critical role in dismantling cybercrime infrastructure.

  • Do not rely on code-signing trust alone
  • Audit and monitor certificate use within your organisation
  • Update policies to reflect current threats
  • Foster a culture of vigilance around software downloads

Key takeaways

  • Attackers are abusing systems meant to guarantee software safety
  • Mass fraud in certificate issuance can enable large-scale malware campaigns
  • Organisations must strengthen controls beyond traditional verification
  • Regular updates, staff training and cross-industry collaboration are vital

Originally reported by cyberscoop.com.

About the Author

Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc

Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

Published: May 19 - 2026