Microsoft Disrupts Malware-Signing Service Used by Ransomware Groups

Microsoft's Digital Crimes Unit seized infrastructure linked to Fox Tempest, a malware-signing operation that had sold fraudulent code-signing certificates to ransomware gangs since May 2025. The service abused Microsoft's Artifact Signing platform through 580+ fake accounts, enabling criminals to digitally sign malware—including Rhysida ransomware and Lumma infostealer—so that it appeared legitimate to Windows systems. Thousands of US machines were compromised, including over a dozen owned by Microsoft itself.

The operation charged $5,000-$9,500 per certificate and supplied groups like Vanilla Tempest, INC, Qilin, and Akira.

@sitreports

Source: Telegram "sitreports"
