Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware

‘Thousands’ of US victims, including 12+ machines owned and operated by Redmond
Microsoft seized websites and took down hundreds of virtual machines running a cybercrime service that allegedly sold code-signing certificates to ransomware gangs, thus making their malware look like legitimate software – and allowing criminals to infect thousands of machines in the US, including at least 12 owned and operated by the Windows giant.
The malware signing-as-a-service operation called Fox Tempest has been around since May 2025, and abuses Microsoft’s Artifact Signing code-signing service. This service allows developers to digitally sign their software applications, signaling to the Windows operating system and end-user that the software is authentic, and hasn’t been tampered with.
Since May 2025, the Fox Tempest crew – referred to as John Doe 1 and 2 in court documents unsealed on Tuesday – used fake identities and impersonated real organizations, allowing them to create more than 580 fraudulent Microsoft accounts.
They then used these accounts to abuse Microsoft’s Artifact Signing service and obtain real code-signing credentials, then sold the code-signing certificates to other criminals for thousands of dollars.
According to Microsoft, Fox Tempest’s customers included a ransomware group Redmond tracks as Vanilla Tempest (aka Vice Spider, Vice Society, Rhysida), which allegedly used the certificates to digitally sign malware and make it appear legitimate to Windows and users.
This also allowed the ransomware slingers “to more easily deploy the malware onto the computers of unsuspecting victims without their consent,” according to the court documents [PDF]. Malware included Windows backdoor Oyster, infostealers Lumma and Vidar, and Rhysida ransomware.
Vanilla Tempest “unlawfully accessed victims’ computers and devices, exfiltrated and stole the personal and confidential information of victims, deployed ransomware designed to encrypt victims’ files and systems, and extorted victims by demanding payment in exchange for restoring access to, or suppressing, their data,” the civil complaint continues, adding that the criminal activity remains ongoing.
In a subsequent blog post, Microsoft Digital Crimes Unit attorney Steven Masada said the tech company’s investigation “further linked Fox Tempest to various additional ransomware affiliates and families, including INC, Qilin, Akira, and others.”
Between February and March, the Digital Crimes Unit (DCU), working with “a cooperating source,” anonymously bought and tested the code-signing service from John Doe 2, aka SamCodeSign.
“These test purchases allowed DCU investigators to observe first-hand how Fox Tempest Defendants operate the service, the information a purchaser is provided, and the instructions given by SamCodeSign to connect to the service and sign the test software created by Microsoft,” the court documents say. “Additionally, the test purchases allowed DCU to identify cryptocurrency wallets used by Fox Tempest Defendants.”
During the first test purchase, the source filled out a Google Form asking them to select how quickly they needed the certificates. Standard costs $5,000, while priority runs $7,500 and expedited carries a hefty $9,500 price tag.
SamCodeSign then sent a direct message to the source and requested the $7,500 payment to be sent to a bitcoin wallet, according to screenshots (translated from Russian) in the court documents.
After the source paid up, SamCodeSign sent instructions on how to access the virtual machine and complete the code signing process.
“Microsoft has identified thousands of customer machines, including more than a dozen machines owned and operated by Microsoft, in the United States that have been impacted by malware signed with certificates originating from the tenants created by Fox Tempest Defendants,” the complaint says. ®
