Source: BleepingComputer
Author: Lawrence Abrams
URL: https://www.bleepingcomputer.com/news/security/cybercrime-service-disrupted-for-abusing-microsoft-platform-to-sign-malware/
ONE SENTENCE SUMMARY:
Microsoft disrupted Fox Tempest’s malware-signing service, which abused Azure Artifact Signing to support ransomware campaigns worldwide, by revoking certificates and seizing infrastructure.
MAIN POINTS:
- Azure Artifact Signing lets developers obtain Microsoft-backed signatures for released software.
- Fox Tempest exploited the service to issue short-lived code-signing certificates for malware.
- Over 1,000 certificates and hundreds of Azure tenants/subscriptions supported the malware-signing-as-a-service (MSaaS) business.
- A U.S. Southern District of New York lawsuit underpinned the disruption action.
- Microsoft seized signspace[.]cloud, blocked hosting, and took hundreds of related VMs offline.
- Signed binaries impersonated Teams, AnyDesk, PuTTY, and Webex to appear legitimate.
- Oyster loaders installed signed malware that enabled Rhysida ransomware deployment on victims.
- Threat actors including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 used the service.
- Operators likely used stolen U.S./Canada identities to pass Artifact Signing verification.
- Telegram marketing offered access for the bitcoin equivalent of 5,000–9,000 USD, generating millions in profit.
TAKEAWAYS:
- Code-signing trust can be operationalized as a criminal “service” when onboarding controls are bypassed.
- Short-validity certificates still meaningfully increase malware success by suppressing OS and user suspicion.
- Rapid revocation and infrastructure takedowns reduce blast radius, but abuse can scale quickly in cloud ecosystems.
- Defenders should treat “signed” as a signal, not proof of safety, and validate publisher reputation.
- Cross-industry coordination plus legal action can effectively dismantle enabling platforms for ransomware affiliates.