Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks

ID: 2bb65484-6e9b-5fb7-a65e-b8c2b13ac121

STIX ID: report--2bb65484-6e9b-5fb7-a65e-b8c2b13ac121

Feed Name: The Hacker News

Threat Score: 85/100

Date Published: 2026-05-20

Date Updated: 2026-05-20

Author: The Hacker News

Microsoft disrupted a commercial malware-signing-as-a-service operation run by the criminal actor Fox Tempest (OpFauxSign), which abused Microsoft Artifact Signing to produce short-lived fraudulent code-signing certificates and sign malicious binaries. The service enabled distribution of signed malware and ransomware (notably Rhysida) via affiliates and malicious download pages, and impacted thousands of machines across multiple countries and sectors. It used stolen identities for verification, charged customers $5,000–$9,000, and adapted its infrastructure (e.g., Cloudzy-hosted VMs) before Microsoft seized sites and infrastructure in a takedown initiated with a cooperative source.
