Microsoft Seizes Websites And Servers Used To Issue Fake Code-Signing Certificates


Key Takeaways:

  • Microsoft shut down a cybercrime network producing fake code-signing certificates for malware.
  • The operation enabled large-scale ransomware attacks across critical global sectors.
  • It exposes how attackers are abusing trusted verification systems to bypass security.

Microsoft has disrupted a cybercrime network by seizing its websites and shutting down hundreds of virtual machines used to issue fake code‑signing certificates. These certificates helped ransomware groups disguise malicious programs as legitimate software, which allowed large‑scale infections, even affecting some of Microsoft’s own systems.

The cybercrime operation known as Fox Tempest has been active since May 2025 and abused Microsoft’s Artifact Signing code-signing service. This legitimate tool is normally used by developers to verify that software is genuine and unchanged, but the group misused it to make malicious programs appear trustworthy.

Fake code-signing certificates used to mask malware

Fox Tempest acted as an “enabler” in the cybercrime supply chain and supported ransomware groups and malware operators rather than carrying out attacks itself. This operation enabled widespread cyberattacks, including ransomware campaigns and malware infections across many sectors such as healthcare, education, government, and finance. Its services were used by well‑known ransomware groups (such as Vanilla Tempest) and helped distribute multiple malware types, which increased the scale and success rate of attacks.

“For the first time, Microsoft is taking public action against a powerful, but often unseen, enabler within the cybercrime ecosystem, targeting how cybercriminals prepare and employ techniques to optimize their rate of success. To disrupt the service, we seized Fox Tempest’s website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code,” Microsoft’s Digital Crimes Unit explained.

[Image: An overview of malware‑signing‑as‑a‑service. (Image Credit: Microsoft)]

Microsoft used both legal measures and technical steps to break up the operation. This included taking control of key websites and infrastructure, shutting down servers and virtual machines linked to the activity, canceling fake code‑signing certificates, and initiating legal proceedings against those responsible.

Why defense-in-depth and zero-trust are essential against modern cyber threats

Organizations should adopt a defense‑in‑depth strategy to handle such threats, since attackers can misuse trusted tools to make malware appear legitimate. This means combining multiple layers of protection (such as advanced endpoint security, behavioral monitoring, and threat intelligence) so that even digitally signed software is carefully analyzed for suspicious activity rather than automatically trusted. They should also continuously update systems, monitor for known indicators of compromise, and maintain strong incident‑response plans to quickly detect and contain breaches.

Additionally, companies need to strengthen identity and verification controls to prevent abuse by attackers using stolen or fake identities. Moreover, it’s important to train employees to remain cautious even when software appears “verified.” Overall, organizations must assume that traditional trust signals can be manipulated and focus on resilience, proactive monitoring, and rapid response to minimize damage from such sophisticated attacks.
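The recommendation above boils down to treating a code signature as one signal among several rather than an automatic pass. The following PowerShell script is an added example, not code from the article or from Microsoft, showing how a defender could apply that policy to a Windows binary with the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets. The approved-signer thumbprints, revoked serial numbers, known-bad SHA-256 hashes and the 30-day certificate-age threshold are hypothetical placeholders that an organization would replace with values from its own PKI policy and threat-intelligence feeds.

```powershell
# Added example (not from the article): treat an Authenticode signature as one
# signal among several instead of an automatic pass. The allowlist, revoked
# serials, known-bad hashes and the 30-day threshold below are hypothetical
# placeholders to be replaced with the organization's own policy data.

param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Hypothetical policy data; replace with real values from your own sources.
$TrustedSignerThumbprints = @('0000000000000000000000000000000000000000')                      # placeholder
$RevokedSerialNumbers     = @('00PLACEHOLDER0')                                                # placeholder
$KnownBadSha256           = @('0000000000000000000000000000000000000000000000000000000000000000') # placeholder
$MinimumCertAgeDays       = 30                                                                 # assumed threshold

function Test-BinaryTrust {
    param([string]$FilePath)

    $findings = @()
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $hash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash

    # 1. Indicators first: a known-bad hash is a verdict on its own,
    #    however clean the signature looks.
    if ($KnownBadSha256 -contains $hash) {
        $findings += "SHA-256 $hash matches a known-bad indicator"
    }

    # 2. Cryptographic validity: an invalid or missing signature is a finding,
    #    but a valid one is not yet a pass.
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    else {
        $cert = $sig.SignerCertificate

        # 3. Identity: only publishers the organization explicitly approved
        #    count as trusted, not any certificate that chains to a public CA.
        if ($TrustedSignerThumbprints -notcontains $cert.Thumbprint) {
            $findings += "Signer '$($cert.Subject)' (thumbprint $($cert.Thumbprint)) is not on the approved-publisher list"
        }

        # 4. Revocation: a certificate cancelled after abuse must stop being
        #    accepted even though the signature still verifies mathematically.
        if ($RevokedSerialNumbers -contains $cert.SerialNumber) {
            $findings += "Signer certificate serial $($cert.SerialNumber) is on the revoked list"
        }

        # 5. Freshness: a very recently issued certificate is a weak signal
        #    worth surfacing, since signing-as-a-service mints them on demand.
        if ($cert.NotBefore -gt (Get-Date).AddDays(-$MinimumCertAgeDays)) {
            $findings += "Signer certificate was issued on $($cert.NotBefore.ToShortDateString()), less than $MinimumCertAgeDays days ago"
        }
    }

    # Anything that raised a finding is routed to analyst review instead of
    # being allowed on the strength of the signature alone.
    [pscustomobject]@{
        Path     = $FilePath
        Sha256   = $hash
        Status   = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Verdict  = if ($findings.Count -eq 0) { 'Allow' } else { 'Review' }
        Findings = $findings
    }
}

Test-BinaryTrust -FilePath $Path | Format-List
```

Run it as `.\Test-BinaryTrust.ps1 -Path C:\path\to\installer.exe`. The design point is the ordering: the hash indicator and revocation checks run regardless of whether the signature verifies, so a certificate that was valid when the malware was signed but later cancelled, as in the operation described above, still produces a Review verdict rather than an Allow.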