Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware
ID: 1bdc96af-7d78-5233-bcbc-0b74989ca076
STIX ID: report--1bdc96af-7d78-5233-bcbc-0b74989ca076
Feed Name: The Register (Security)
Microsoft shut down ‘Fox Tempest’, an illicit code-signing-as-a-service operation that abused Microsoft Artifact Signing by creating fraudulent tenant accounts to obtain legitimate code-signing certificates and sell them to ransomware and malware operators. Customers included known ransomware affiliates (e.g., Vanilla Tempest) that used the certificates to sign malware such as Oyster, Lumma, Vidar, and Rhysida, contributing to infections of thousands of US machines, including systems owned by Microsoft. The Digital Crimes Unit documented purchases, pricing ($5,000–$9,500), and cryptocurrency wallets, and has pursued legal action.
