{"id":60689,"date":"2026-05-19T21:56:18","date_gmt":"2026-05-19T21:56:18","guid":{"rendered":"https:\/\/www.theregister.com\/a\/5243013"},"modified":"2026-05-19T21:56:18","modified_gmt":"2026-05-19T21:56:18","slug":"microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/","title":{"rendered":"Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/image.theregister.com\/5243050.jpg?imageId=5243050&amp;x=0&amp;y=0&amp;cropw=100&amp;croph=100&amp;panox=0&amp;panoy=0&amp;panow=100&amp;panoh=100&amp;width=1200&amp;height=683\" class=\"ff-og-image-inserted\"><\/div>\n<div data-element-guid=\"d11159dd-82a3-4c53-901c-d41dec75505c\" readability=\"32.259842519685\">\n<p class=\"kicker \">Security<\/p>\n<p class=\"subtitle \">&#8216;Thousands&#8217; of US victims, including 12+ machines owned and operated by Redmond<\/p>\n<\/p><\/div>\n<div data-element-guid=\"4c9dc5d9-c886-4348-bf4a-01d0dc71377d\" readability=\"123.01007194245\">\n<p>Microsoft seized websites and took down hundreds of virtual machines running a cybercrime service that allegedly sold code-signing certificates to ransomware gangs, thus making their malware look like legitimate software \u2013 and allowing criminals to infect thousands of machines in the US, including at least 12 owned and operated by the Windows giant.<\/p>\n<p>The malware signing-as-a-service operation called Fox Tempest has been around since May 2025, and abuses Microsoft\u2019s Artifact Signing code-signing service. This service allows developers to digitally sign their software applications, signaling to the Windows operating system and end-user that the software is authentic, and hasn\u2019t been tampered with.<\/p>\n<p>Since May 2025, the Fox Tempest crew \u2013 referred to as John Doe 1 and 2 in court documents unsealed on Tuesday \u2013 used fake identities and impersonated real organizations, allowing them to create more than 580 fraudulent Microsoft accounts.<\/p>\n<div data-element-guid=\"afe083ca-6701-48e9-9bd8-f8827dd7fb42\" class=\"lab4 column articleList layout_vertical imageLayout_left small-12 large-4 small-abs-12 large-abs-4 abs_grid_4 desktop-floatLeft mobile-floatLeft grid-vas-start mobile-grid-vas-start\">\n<div class=\"content border_width_0 border_width_mobile_0 border-radius-48 border-radius-mobile_48\">\n<h2 class=\"article-list-title t19 font-RobotoCondensed\">MORE CONTEXT<\/h2>\n<\/p><\/div>\n<\/div>\n<p>They then used these accounts to abuse Microsoft\u2019s Artifact Signing service and obtain real code-signing credentials, then sold the code-signing certificates to other criminals for thousands of dollars.&nbsp;<\/p>\n<p>According to Microsoft, Fox Tempest\u2019s customers included a ransomware group Redmond tracks as <a href=\"https:\/\/www.theregister.com\/special-features\/2025\/10\/31\/ransomware-gang-runs-ads-for-microsoft-teams-to-pwn-victims\/323506\">Vanilla Tempest<\/a> (aka Vice Spider, Vice Society, Rhysida), which allegedly used the certificates to digitally sign malware and make it appear legitimate to Windows and users.<\/p>\n<p>This also allowed the ransomware slingers \u201cto more easily deploy the malware onto the computers of unsuspecting victims without their consent,\u201d according to the <a href=\"https:\/\/www.noticeofpleadings.net\/OpFauxSign\/files\/COMPLAINT\/ii.%20Civil%20Complaint.pdf\" rel=\"nofollow\">court documents<\/a> [PDF]. Malware included Windows backdoor Oyster, infostealers Lumma and Vidar, and <a href=\"https:\/\/www.theregister.com\/security\/2025\/03\/10\/two-rhysida-healthcare-attacks-pwned-300k-patients-data\/1408697\">Rhysida ransomware<\/a>.<\/p>\n<p>Vanilla Tempest \u201cunlawfully accessed victims\u2019 computers and devices, exfiltrated and stole the personal and confidential information of victims, deployed ransomware designed to encrypt victims\u2019 files and systems, and extorted victims by demanding payment in exchange for restoring access to, or suppressing, their data,\u201d the civil complaint continues, adding that the criminal activity remains ongoing.<\/p>\n<p>In a subsequent <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2026\/05\/19\/disrupting-fox-tempest-a-cybercrime-service\/\" rel=\"nofollow\">blog<\/a>&nbsp;post,&nbsp;Microsoft Digital Crimes Unit attorney Steven Masada said the tech company&#8217;s investigation \u201cfurther linked Fox Tempest to various additional ransomware affiliates and families, including INC, Qilin, Akira, and others.\u201d<\/p>\n<p>Between February and March, the Digital Crimes Unit (DCU), working with \u201ca cooperating source,\u201d anonymously bought and tested the code signing service from John Doe 2, aka SamCodeSign.&nbsp;<\/p>\n<p>\u201cThese test purchases allowed DCU investigators to observe first-hand how Fox Tempest Defendants operate the service, the information a purchaser is provided, and the instructions given by SamCodeSign to connect to the service and sign the test software created by Microsoft,\u201d the court documents say. \u201cAdditionally, the test purchases allowed DCU to identify cryptocurrency wallets used by Fox Tempest Defendants.\u201d<\/p>\n<p>During the first test purchase, the source filled out a Google Form asking them to select how quickly they needed the certificates. Standard costs $5,000, while priority runs $7,500 and expedited carries a hefty $9,500 price tag.&nbsp;<\/p>\n<p>SamCodeSign then sent a direct message to the source and requested the $7,500 payment to be sent to a bitcoin wallet, according to screenshots (translated from Russian) in the court documents.&nbsp;<\/p>\n<p>After the source paid up, SamCodeSign sent instructions on how to access the virtual machine and complete the code signing process.<\/p>\n<p>\u201cMicrosoft has identified thousands of customer machines, including more than a dozen machines owned and operated by Microsoft, in the United States that have been impacted by malware signed with certificates originating from the tenants created by Fox Tempest Defendants,\u201d the complaint says.&nbsp;\u00ae<\/p>\n<\/p><\/div>\n<p><img decoding=\"async\" src=\"https:\/\/image.theregister.com\/?imageId=5243050&#038;width=800\">READ MORE <a href=\"https:\/\/www.theregister.com\/security\/2026\/05\/19\/microsoft-disrupts-alleged-malware-signing-operation-used-by-ransomware-gangs\/5243013\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> &#8216;Thousands&#8217; of US victims, including 12+ machines owned and operated by Redmond READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":60690,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[307],"class_list":["post-60689","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-register","tag-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-19T21:56:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/image.theregister.com\/5243050.jpg?imageId=5243050&amp;x=0&amp;y=0&amp;cropw=100&amp;croph=100&amp;panox=0&amp;panoy=0&amp;panow=100&amp;panoh=100&amp;width=1200&amp;height=683\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware\",\"datePublished\":\"2026-05-19T21:56:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/\"},\"wordCount\":584,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware.jpg\",\"keywords\":[\"Security\"],\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/\",\"name\":\"Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware.jpg\",\"datePublished\":\"2026-05-19T21:56:18+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware.jpg\",\"width\":100,\"height\":68},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-05-19T21:56:18+00:00","og_image":[{"url":"https:\/\/image.theregister.com\/5243050.jpg?imageId=5243050&amp;x=0&amp;y=0&amp;cropw=100&amp;croph=100&amp;panox=0&amp;panoy=0&amp;panow=100&amp;panoh=100&amp;width=1200&amp;height=683","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware","datePublished":"2026-05-19T21:56:18+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/"},"wordCount":584,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware.jpg","keywords":["Security"],"articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/","url":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/","name":"Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware.jpg","datePublished":"2026-05-19T21:56:18+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware.jpg","width":100,"height":68},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-shuts-down-illegal-code-signing-operation-used-by-ransomware-crims-to-mask-their-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/www.threatshub.org\/blog\/tag\/security\/"},{"@type":"ListItem","position":3,"name":"Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60689"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60689\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/60690"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}