Microsoft disrupted a malware-signing-as-a-service operation run by Fox Tempest that exploited Microsoft's own Artifact Signing system to distribute malware and conduct ransomware attacks across thousands of compromised machines worldwide.

The threat actor abused legitimate code-signing infrastructure to make malicious executables appear trustworthy to security tools and endpoints. This approach bypassed traditional defenses by leveraging Microsoft's signing authority, allowing Fox Tempest to deliver payloads that passed authentication checks. The operation functioned as a commercial service, offering malware distribution and attack capabilities to other threat actors.

Fox Tempest commercialized access to the signing infrastructure, effectively operating a platform for hire. Customers paid to use the service for ransomware deployment, data theft, and other attacks. The scale reached thousands of affected organizations and endpoints across multiple countries and sectors.

The Artifact Signing system compromise represents a critical supply-chain risk. Rather than targeting end users directly, Fox Tempest compromised a foundational trust mechanism. Any signed code appeared legitimate to Windows systems and enterprise security products, dramatically reducing detection rates and enabling deep network penetration before defenders recognized the threat.

Microsoft's takedown included disabling Fox Tempest's access to the signing system and working with law enforcement and industry partners to contain the threat. The company notified affected customers and released technical indicators to help organizations identify compromised systems and malware variants signed by the operation.

Organizations running software signed by the affected infrastructure face elevated risk. Malware distributed through this channel bypassed email filters, code-execution controls, and behavioral analysis tools. Defenders must assume that signed malicious code may have executed on their networks undetected and conduct thorough forensic reviews of process execution logs and network communications from the active period.
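The process-execution review described above can be sketched as follows. This is an added example, not code from Microsoft or from the original article. The JSON-lines schema, the indicator values, and the date window are placeholders to be replaced with the published indicators and the real active period.

```python
import json
from datetime import datetime

# Placeholders: substitute the signer thumbprints and file hashes from the
# published indicators, and the real active period of the operation.
INDICATOR_THUMBPRINTS = {"PLACEHOLDER_THUMBPRINT_A"}
INDICATOR_HASHES = {"PLACEHOLDER_SHA256_1"}
WINDOW = (datetime.fromisoformat("2025-01-01T00:00:00+00:00"),
          datetime.fromisoformat("2025-03-31T23:59:59+00:00"))

# Constructed sample records in a hypothetical JSON-lines schema.
SAMPLE_LOG = r"""
{"ts":"2025-01-10T08:15:00+00:00","host":"ws-014","image":"C:\\Users\\a\\Downloads\\setup.exe","sha256":"PLACEHOLDER_SHA256_9","sig_status":"Valid","thumbprint":"placeholder_thumbprint_a"}
{"ts":"2025-02-02T11:40:00+00:00","host":"srv-03","image":"C:\\ProgramData\\upd.exe","sha256":"PLACEHOLDER_SHA256_1","sig_status":"Unsigned","thumbprint":""}
{"ts":"2025-02-05T09:00:00+00:00","host":"ws-014","image":"C:\\Windows\\System32\\notepad.exe","sha256":"PLACEHOLDER_SHA256_7","sig_status":"Valid","thumbprint":"PLACEHOLDER_THUMBPRINT_Z"}
{"ts":"2025-06-01T10:00:00+00:00","host":"ws-020","image":"C:\\Temp\\tool.exe","sha256":"PLACEHOLDER_SHA256_8","sig_status":"Valid","thumbprint":"PLACEHOLDER_THUMBPRINT_A"}
not-json garbage line
"""

def hunt(log_text, thumbprints=INDICATOR_THUMBPRINTS, hashes=INDICATOR_HASHES, window=WINDOW):
    """Return (findings, skipped): indicator hits inside the window, and the unparsable line count."""
    findings, skipped = [], 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            rec = json.loads(line)
            when = datetime.fromisoformat(rec["ts"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # count it: silently dropped lines hide gaps in coverage
            continue
        if not window[0] <= when <= window[1]:
            continue  # outside the active period under review
        reasons = []
        if rec.get("thumbprint", "").upper() in thumbprints:
            reasons.append("signer")
        if rec.get("sha256", "").upper() in hashes:
            reasons.append("hash")
        if reasons:
            # A "Valid" signature status is reported but never clears a record.
            findings.append({"host": rec.get("host"), "image": rec.get("image"),
                             "ts": rec["ts"], "matched": reasons,
                             "passed_signature_check": rec.get("sig_status") == "Valid"})
    return findings, skipped

def affected_hosts(findings):
    """Deduplicated host list for scoping the follow-up forensic review."""
    return sorted({f["host"] for f in findings})
```

Findings with `passed_signature_check` set to true are the executions that a signature-trusting control would have allowed, which makes them the first hosts to scope for network-communication review.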

This incident underscores how attackers target infrastructure providers rather than end victims directly. Compromising a signing