Ransomware Criminals Pay $9K to Evade Windows Detection


Cybercriminals involved in spreading dangerous malware such as ransomware are reportedly spending anywhere between $5,000 and $9,000 to keep their malicious software undetected and anonymous on Windows-based systems. This emerging trend highlights a major shift in the cybercrime ecosystem, where hackers are increasingly relying on sophisticated services to bypass security protections rather than developing such capabilities themselves.

The growing underground market for “malware signing as a service” (MSaaS) demonstrates how organized and professional cybercrime operations have become in recent years. Instead of purchasing legitimate digital security certificates directly, cybercriminal groups are now outsourcing the process to specialized service providers that help disguise malware as trusted software. This allows malicious files to evade antivirus programs and gain easier access to targeted systems.

However, a major breakthrough came after threat intelligence teams from Microsoft successfully disrupted one such organized cybercriminal operation known as Fox Tempest. The takedown is considered significant because the group was allegedly supporting multiple ransomware gangs by helping them digitally sign malware and avoid detection on Windows devices.

According to information shared with the media, Microsoft’s security researchers not only managed to dismantle the criminal infrastructure but also revoked several compromised certificates that had been fraudulently obtained through an Artifact Signing Service. These certificates were being abused to make malware appear legitimate and trustworthy to users and security systems.

In addition to revoking the certificates, Microsoft investigators reportedly shut down a large cluster of virtual machines that were operating through Azure cloud infrastructure. By disabling these resources, the company effectively disrupted the operational backbone of the malware-signing network. Experts believe this move has already impacted the activities of several ransomware groups, including INC Ransom, Qilin, Akira, and Rhysida, all of which were suspected of benefiting from the service.

Security researchers further revealed that members associated with Fox Tempest had been using stolen identities and compromised tenant credentials since May 2025 to create hundreds of Azure accounts. These accounts were then used to anonymously host malicious infrastructure and carry out illegal cyber activities without immediately raising suspicion.

The incident underlines how cybercrime networks are rapidly evolving and adopting business-like models to expand their operations. The rise of malware signing as a service across Europe and other regions signals a dangerous new phase in ransomware attacks, where criminals increasingly depend on underground service providers to scale their campaigns efficiently.

Cybersecurity experts warn that organizations must remain vigilant, strengthen endpoint protection, and continuously monitor suspicious digital certificates and cloud activities to counter these evolving threats.

National Cyber Security
