
Microsoft Dismantles Criminal Malware-Signing Service Network

Bottom line: Microsoft disrupted a malware-signing service operation that created over a thousand fraudulent certificates and supplied various ransomware gangs. The domain signspace[.]cloud was seized and the criminal infrastructure was dismantled. A lawsuit was also filed.

Microsoft has shut down a cybercriminal operation that abused the company’s Artifact Signing Service to create over a thousand fraudulent code-signing certificates. These certificates were used by ransomware gangs and other cybercriminals to disguise malware as legitimate software.

The threat group “Fox Tempest” leveraged Microsoft’s Azure Artifact Signing, a cloud service for software authentication launched in 2024, to generate short-lived certificates. With more than a thousand certificates created and hundreds of compromised Azure accounts, Fox Tempest operated a Malware-Signing-as-a-Service (MSaaS) via the domain signspace[.]cloud.

The criminal infrastructure was dismantled in May 2026 by Microsoft’s Digital Crimes Unit in collaboration with partners. Microsoft revoked a thousand certificates, seized the signspace[.]cloud domain, took hundreds of virtual machines offline, and blocked access to the criminal platform.

The malware-signing service was used by various ransomware operations such as Rhysida, Akira, Qilin, and BlackByte, as well as stealer malware like Oyster and Lumma. The criminal actors disguised the signed malware files as legitimate software such as Microsoft Teams, AnyDesk, PuTTY, and Webex. Victims who executed what appeared to be Teams installers suffered infections from Oyster malware and Rhysida ransomware. Because the malware files carried Microsoft certificates, they were initially classified as trustworthy by the Windows operating system.

Microsoft filed suit against Fox Tempest and the Vanilla Tempest ransomware operation in the U.S. District Court for the Southern District of New York.
