Microsoft says it dismantled a malware-signing-as-a-service operation called Fox Tempest, which helped cybercriminals make malware appear legitimate. The service let customers submit malicious files to be digitally signed with short-lived Microsoft-issued certificates, making the malware look trustworthy and more likely to bypass security checks.
In Fox Tempest’s signing workflow, customers uploaded malicious binaries to a portal, where they were signed with certificates valid for only 72 hours, producing files that appeared to come from a trusted software source. The signing layer enabled installers to masquerade as products such as AnyDesk, Teams, PuTTY, and Webex, increasing the chance of execution and delivery.
The fraudulent certificates were used to spread ransomware and infostealers, with attacks affecting healthcare, education, government, and financial services across multiple countries. The report notes a shift towards a service economy in cybercrime, where one group produces trust and others monetise it.
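A defender-side triage check for the pattern described above (a 72-hour certificate on an installer that claims a well-known product name), as an added example that is not taken from Microsoft's report. The record schema, the signer subjects and the `EXPECTED` allowlist are constructed assumptions.

```python
from datetime import datetime, timedelta

SHORT_LIVED = timedelta(hours=72)                      # lifetime reported on the page
IMPERSONATED = ("anydesk", "teams", "putty", "webex")  # products named on the page

def triage(record, expected_signers):
    """Return findings for one signed-file metadata record (hypothetical schema).

    expected_signers maps a product keyword to the signer subjects the
    organisation has verified for it (assumption: maintained by the analyst).
    """
    findings = []
    start = datetime.fromisoformat(record["not_before"])
    end = datetime.fromisoformat(record["not_after"])
    if end <= start:
        findings.append("invalid_validity_window")
    elif end - start <= SHORT_LIVED:
        findings.append("short_lived_cert")
    name = record["product_name"].lower()
    for brand in IMPERSONATED:
        verified = expected_signers.get(brand, set())
        if brand in name and record["signer_subject"] not in verified:
            findings.append("signer_mismatch:" + brand)
    return findings

def review_queue(records, expected_signers):
    """Files with a short-lived certificate AND a signer that does not match the claimed product."""
    queue = []
    for rec in records:
        found = triage(rec, expected_signers)
        if "short_lived_cert" in found and any(f.startswith("signer_mismatch:") for f in found):
            queue.append(rec["file"])
    return queue

# Constructed sample data: subjects, file names and dates are placeholders, not real indicators.
EXPECTED = {"putty": {"CN=Verified PuTTY Publisher (placeholder)"}}
SAMPLE = [
    {"file": "putty-setup.exe", "product_name": "PuTTY Installer",
     "signer_subject": "CN=Constructed Signer One",
     "not_before": "2025-01-01T00:00:00+00:00", "not_after": "2025-01-04T00:00:00+00:00"},
    {"file": "putty.exe", "product_name": "PuTTY",
     "signer_subject": "CN=Verified PuTTY Publisher (placeholder)",
     "not_before": "2025-01-01T00:00:00+00:00", "not_after": "2026-01-01T00:00:00+00:00"},
    {"file": "tool.exe", "product_name": "Internal Tool",
     "signer_subject": "CN=Constructed Signer Two",
     "not_before": "2025-01-01T00:00:00+00:00", "not_after": "2025-01-03T00:00:00+00:00"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["file"], triage(rec, EXPECTED))
    print("review:", review_queue(SAMPLE, EXPECTED))
```

Certificate lifetime is only one signal here; the queue requires it together with a signer that the allowlist does not recognise for the claimed product.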