Fraudulent Certificates Helped Ransomware Bypass Security Defenses
Computing giant Microsoft said it obtained the go-ahead from a federal judge to disrupt the online infrastructure behind a cybercrime outfit providing stolen code-signing certificates to ransomware gangs since at least September 2025.
The computing giant seized the online domain signspace.cloud and took offline hundreds of virtual machines belonging to a financially motivated threat actor it tracks as Fox Tempest.
The hacking group had created more than a thousand certificates and established hundreds of Azure tenants and subscriptions. Its fraudulently obtained code-signing certificates enabled high-profile cyberattacks on many industries globally, including a ransomware attack on the Seattle-Tacoma International Airport in 2024 and other attacks on hospitals and schools.
“Illicit code-signing certificates have been sold and trafficked for more than a decade. What’s changed is how this activity is marketed, packaged and sold as a service, along with the scale at which it is now used across ransomware campaigns,” said Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit.
Microsoft said Fox Tempest obtained short-lived certificates through Microsoft Artifact Signing, a cloud service where developers submit software to be digitally signed, using stolen credentials from legitimate U.S. and Canadian organizations.
“Attackers then distributed the signed malware through tactics such as search manipulation and malicious ads, where users are more likely to trust what they encounter. Artificial intelligence then helped generate and refine these campaigns to reach a broader audience,” Masada said.
Cybercriminals paid anywhere from $5,000 to $9,500 to get a certificate from Fox Tempest. The higher the price, the faster their request would be processed. Microsoft says it found millions of dollars in proceeds from Fox Tempest’s cryptocurrency transactions.
The money trail linked the malware-signing provider to the ransomware group Vanilla Tempest, which became a customer as early as June 2025.
“Through this service, Vanilla Tempest uploaded malicious payloads such as trojanized Microsoft Teams installers, which Fox Tempest fraudulently signed to appear legitimate,” Microsoft explained. The ransomware hackers distributed the signed binaries through ads that redirected users searching for Microsoft Teams to attacker-controlled advertisements and fraudulent download pages.
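The signatures described above were cryptographically valid: the certificates were issued by a trusted cloud signing service, just to the wrong requester, using credentials stolen from legitimate organizations. The practical check for a defender is therefore not "is this signed?" but "is it signed by the publisher this file claims to be from, and does the certificate's lifetime look like a cloud-issued short-lived cert?". The PowerShell function below is an added example, not code from the article, from Microsoft or from any of the named groups. It assumes a Windows host with `Get-AuthenticodeSignature` available, that the analyst supplies the expected publisher subject prefix (for a Microsoft Teams installer, the Microsoft Corporation subject), and that the three-day threshold for "short-lived" is an assumed value, chosen because cloud signing services issue certificates valid for only a few days.

```powershell
# Added example (not from the article or from Microsoft): inspect an installer's
# Authenticode signature and flag the pattern described in the article, where a
# trusted-chain, short-lived certificate names a publisher other than the one
# the file claims to be from.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows; $MaxDays is an
# assumed threshold for "short-lived"; the expected subject is analyst-supplied.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Subject prefix the publisher is supposed to carry, e.g. 'CN=Microsoft Corporation'
        [Parameter(Mandatory)] [string] $ExpectedSubjectPrefix,
        # Certificates valid for this many days or fewer are treated as short-lived (assumed value)
        [int] $MaxDays = 3
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $result = [PSCustomObject]@{
        Path           = $Path
        Status         = $sig.Status
        Subject        = if ($cert) { $cert.Subject }    else { $null }
        Issuer         = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint     = if ($cert) { $cert.Thumbprint } else { $null }
        ValidityDays   = if ($cert) { [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays, 1) } else { $null }
        Timestamped    = [bool] $sig.TimeStamperCertificate
        SubjectMatches = $false
        ShortLived     = $false
        Verdict        = 'Suspect'
        Findings       = @()
    }

    if (-not $cert) {
        $result.Findings += 'File is not signed; do not run a vendor installer that carries no signature.'
        return $result
    }

    if ($sig.Status -ne 'Valid') {
        $result.Findings += "Signature status is '$($sig.Status)', not 'Valid'."
    }

    # The article's case: the chain is trusted, so Status is Valid, but the subject
    # names the organization whose credentials were stolen, not the claimed vendor.
    $result.SubjectMatches = $cert.Subject -like "$ExpectedSubjectPrefix*"
    if (-not $result.SubjectMatches) {
        $result.Findings += "Signer subject '$($cert.Subject)' does not start with expected '$ExpectedSubjectPrefix'."
    }

    # Short validity alone is not malicious (cloud signing services issue such certs
    # legitimately); it matters in combination with a publisher mismatch.
    $result.ShortLived = $result.ValidityDays -le $MaxDays
    if ($result.ShortLived -and -not $result.SubjectMatches) {
        $result.Findings += "Short-lived certificate ($($result.ValidityDays) days) issued to an unexpected publisher; matches the cloud-signing abuse pattern."
    }

    if (-not $result.Timestamped) {
        $result.Findings += 'No timestamp countersignature; the signature cannot be validated after the certificate expires.'
    }

    if ($sig.Status -eq 'Valid' -and $result.SubjectMatches) {
        $result.Verdict = 'Trusted'
    }
    return $result
}

# Usage (the path is a placeholder, not a value from the article):
# Test-InstallerSignature -Path 'C:\Downloads\MSTeamsSetup.exe' `
#     -ExpectedSubjectPrefix 'CN=Microsoft Corporation' | Format-List
```

The design point is that `Status` alone would have passed the trojanized installers the article describes, because nothing about the cryptography was broken. Pinning the expected subject turns the check into an identity comparison, and recording `ValidityDays`, `Issuer` and `Thumbprint` gives a hunting team fields to pivot on across an estate when one suspect binary has been found.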
“It really comes down to the profitability of abusing trust,” said Cynthia Kaiser, SVP of Halcyon’s Ransomware Research Center.
Vanilla Tempest was able to drop a backdoor known as “Oyster” through the fake Teams files, paving the way for deployment of the Rhysida ransomware strain, which was linked to the 2023 British Library breach as well as disruptions at the Seattle Airport.
“Unlike lower-cost services like RedVDS, a cybercriminal infrastructure provider that costs as little as $24 per month, which Microsoft disrupted earlier this year, Fox Tempest shows that more sophisticated actors are willing to pay thousands of dollars for advanced capabilities that make attacks easier to carry out, harder to detect and more likely to succeed,” Masada said.
