Microsoft says it has disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company's Artifact Signing service to generate fraudulent code-signing certificates used by ransomware gangs and other cybercriminals.
According to a report published today by Microsoft Threat Intelligence, the threat actor tracked as Fox Tempest used the Microsoft Artifact Signing platform to create short-lived certificates that allowed malware to be digitally signed and trusted as legitimate software by both users and operating systems.
Azure Artifact Signing (previously Trusted Signing) is a cloud-based service launched by Microsoft in 2024 that allows developers to easily have their programs signed by Microsoft.
Microsoft says the financially motivated threat actor created more than 1,000 certificates and hundreds of Azure tenants and subscriptions as part of the operation. Today, Microsoft also unsealed a legal case in the U.S. District Court for the Southern District of New York targeting the cybercrime operation.
"Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest," Microsoft said.
