The Underground Malware-Signing-as-a-Service That Makes Ransomware Look “Verified” on Windows

The Core Technical Concept: Code Signing

At the center of Microsoft’s disruption of the Fox Tempest cybercrime operation is a foundational trust mechanism that modern operating systems rely on heavily: code signing.

Code signing is a cryptographic trust framework used by operating systems such as Windows to verify both the integrity and origin of executable software. When a developer signs a binary — such as an EXE, DLL, MSI installer, kernel driver, PowerShell module, or software package — the operating system can determine whether:

  • the file has been modified after signing,
  • the publisher identity is trusted,
  • and the software originates from a recognized source.

The mechanism is built on Public Key Infrastructure (PKI) and asymmetric cryptography.

A software publisher generates:

  • a private signing key,
  • and a public verification key.

The private key is used to create a digital signature across the executable’s cryptographic hash. The public key is embedded inside a certificate issued by a trusted Certificate Authority (CA). Windows then validates:

  • the certificate chain,
  • certificate authority trust path,
  • file integrity,
  • timestamp metadata,
  • certificate validity periods,
  • and revocation status.

If validation succeeds, the executable is associated with a verified publisher identity.

For users, this usually appears as:

  • “Verified Publisher” prompts,
  • reduced SmartScreen warnings,
  • lower installation friction,
  • and fewer execution alerts.

For enterprise environments, code signing is even more important because multiple security controls treat signed binaries differently from unsigned files.

Security systems including:

  • Microsoft Defender SmartScreen,
  • Windows Defender Application Control (WDAC),
  • AppLocker,
  • cloud reputation engines,
  • and modern EDR platforms

all incorporate signer reputation and publisher trust into execution decisions.

Unsigned binaries frequently trigger:

  • heuristic analysis,
  • sandbox detonation,
  • execution warnings,
  • cloud reputation lookups,
  • or direct blocking.

Signed binaries often receive:

  • lower suspicion scores,
  • delayed behavioral inspection,
  • reduced sandbox prioritization,
  • and temporary execution trust while telemetry systems gather context.

This distinction is operationally critical.

Modern malware operators increasingly target trust systems themselves rather than relying exclusively on software vulnerabilities.

How Modern Trust and Reputation Systems Work

Most modern endpoint security products no longer rely solely on static malware signatures. Contemporary detection pipelines combine:

  • machine learning,
  • cloud telemetry,
  • behavioral analytics,
  • publisher reputation,
  • prevalence scoring,
  • trust-chain analysis,
  • and execution history.

Windows SmartScreen, for example, evaluates:

  • whether the signer has historical trust reputation,
  • how frequently the executable appears globally,
  • whether the publisher has prior malicious associations,
  • how long the signer has existed,
  • and how recently the binary first appeared in telemetry.

A signed executable therefore behaves very differently inside Windows trust systems than an unsigned binary downloaded from an unknown source.

This creates a powerful operational asymmetry.

If attackers can obtain legitimate signatures, they can manipulate trust calculations long enough for malware to execute before telemetry-driven detections fully mature.

That short execution window is often all ransomware operators need.

Traditional Abuse of Code Signing

Historically, threat actors abused code signing primarily through certificate theft.

Attackers targeted:

  • software vendors,
  • hardware manufacturers,
  • enterprise build servers,
  • developer workstations,
  • game studios,
  • and CI/CD infrastructure

to steal legitimate signing certificates and private keys.

Several major malware campaigns leveraged stolen certificates successfully:

  • Stuxnet abused stolen Realtek and JMicron certificates,
  • Flame exploited fraudulent Microsoft certificate chains,
  • ShadowPad leveraged compromised software-signing environments,
  • and multiple ransomware groups used stolen EV certificates to suppress SmartScreen warnings.

These incidents exposed a structural weakness in the traditional signing model:
the private signing key itself became a high-value target.

If attackers obtained the key, they could sign arbitrary malware while appearing operationally legitimate to Windows and enterprise security products.

What makes certificate theft persistently attractive despite years of public awareness is its asymmetric forensic profile. A stolen certificate often produces:

  • no suspicious tenant provisioning,
  • no anomalous cloud onboarding,
  • and no obvious identity-fraud signals.

The first observable indicator is frequently the malware execution itself — by which point the first-stage compromise may already be complete.

Why Microsoft Introduced Artifact Signing

Microsoft introduced a cloud-native signing platform originally called Trusted Signing, later rebranded as:

Microsoft Artifact Signing

The architecture was specifically designed to reduce risks associated with stolen signing keys.

Instead of developers storing certificates locally, Artifact Signing centralizes signing operations inside Microsoft-controlled cloud infrastructure backed by Hardware Security Modules (HSMs).

Under this model:

  • developers authenticate to Microsoft cloud services,
  • binaries are uploaded to Microsoft infrastructure,
  • signing operations occur inside protected HSM boundaries,
  • and private signing keys never leave Microsoft-managed systems.

The design was intended to mitigate:

  • developer workstation compromise,
  • signing-key theft,
  • CI/CD pipeline compromise,
  • and long-term certificate abuse.

Artifact Signing also supports modern cloud-native CI/CD workflows requiring automated release signing.

From a defensive perspective, the platform offered several advantages:

  • centralized telemetry,
  • faster revocation,
  • short-lived certificates,
  • tighter abuse monitoring,
  • and reduced exposure of long-term signing assets.

Fox Tempest demonstrated, however, that attackers no longer needed to steal signing keys if they could instead manipulate the trust provisioning process itself.

How Fox Tempest Exploited Microsoft Artifact Signing

Microsoft stated that Fox Tempest did not compromise the Artifact Signing backend directly. Instead, the operation appears to have systematically abused Azure onboarding, identity verification, and tenant provisioning workflows.

According to Microsoft and related reporting, the group allegedly created hundreds of Azure tenants and cloud subscriptions using combinations of:

  • synthetic identities,
  • shell organizations,
  • compromised business records,
  • mule-operated payment methods,
  • fraudulent registrations,
  • and stolen credentials.

Court documents reportedly identified operators referenced as John Doe 1 and John Doe 2, who allegedly used fake identities and impersonated legitimate organizations to provision more than 580 fraudulent Microsoft accounts.

Once provisioned into Microsoft’s cloud ecosystem, those tenants obtained access to Artifact Signing capabilities and generated short-lived signing certificates valid for approximately 72 hours.

Microsoft ultimately revoked more than 1,000 certificates associated with the operation.

This represented a major evolution in malware-signing abuse.

Rather than protecting a small number of valuable long-lived certificates, Fox Tempest industrialized disposable trust generation at scale.

The operation effectively transformed Microsoft’s own trust infrastructure into a Malware-Signing-as-a-Service (MSaaS) platform.

Why Short-Lived Certificates Became Operationally Valuable

The use of 72-hour certificates was not accidental. It reflects a broader strategic shift across modern cybercrime ecosystems toward ephemeral infrastructure and disposable operational identities.

Historically, attackers preferred long-lived Extended Validation (EV) certificates because they carried strong SmartScreen reputation and could remain usable for months or years.

However, long-lived certificates eventually became operational liabilities.

Once researchers associate a certificate with malware campaigns, defenders can:

  • correlate related attacks,
  • identify malware families,
  • cluster ransomware affiliates,
  • track infrastructure reuse,
  • and build detections around signer metadata.

A single long-lived certificate can effectively become a permanent attribution fingerprint.

Fox Tempest instead adopted a disposable trust model.

Each operation could generate:

  • a fresh Azure tenant,
  • a fresh publisher identity,
  • a fresh certificate,
  • and a clean reputation history.

This dramatically complicated:

  • attribution,
  • signer-based detections,
  • malware clustering,
  • and campaign correlation.

The strategy exploited a fundamental weakness in reputation-driven security systems:
reputation takes time to build.

Modern detection pipelines often require hours or days to:

  • detonate malware,
  • analyze behavior,
  • correlate telemetry,
  • distribute detections,
  • update reputation systems,
  • and identify infrastructure overlap.

Fox Tempest compressed operational timelines below that detection threshold.

By the time:

  • Microsoft updated revocation systems,
  • EDR platforms correlated abuse,
  • SmartScreen reputation collapsed,
  • and security vendors distributed detections,

the certificate infrastructure had often already expired or rotated.

This mirrors broader trends across modern cybercrime ecosystems where attackers increasingly rely on:

  • disposable VPS infrastructure,
  • rotating domains,
  • serverless malware delivery,
  • transient command-and-control nodes,
  • short-lived cloud accounts,
  • and fast-flux infrastructure.

Fox Tempest applied the same operational philosophy directly to software trust chains.

What Happens After the 72-Hour Certificate Window

An important technical misconception surrounding the operation is that malware somehow stops functioning once the certificate expires.

That is not how Windows code signing works.

Certificate expiration affects trust validation — not malware execution itself.

Once the victim executes the signed malware:

  • the payload runs normally,
  • persistence mechanisms install,
  • credential theft begins,
  • secondary malware deploys,
  • and post-exploitation activity continues independently of certificate validity.

The expiration of the certificate does not:

  • disable the executable,
  • terminate ransomware,
  • remove persistence,
  • or uninstall the malware.

The certificate’s primary operational purpose is to facilitate reliable first execution.

Once execution succeeds, the signing infrastructure has already served its purpose.

Timestamping is critically important here.

Most legitimately signed binaries include trusted timestamps proving the executable was signed while the certificate remained valid. Windows generally validates whether:

the certificate was valid at signing time,

rather than requiring the certificate to remain valid indefinitely afterward.

As a result, malware signed during the 72-hour operational window may continue appearing cryptographically valid even after the certificate expires.

A late-2025 malvertising campaign specifically abused short-lived certificates combined with legitimate code-signing services to bypass signature-based detections. Forensic analysis showed that valid timestamped signatures allowed the payloads to continue appearing trusted long after operational infrastructure disappeared.

Over time:

  • SmartScreen reputation degrades,
  • EDR detections improve,
  • revocation lists update,
  • and signer trust collapses.

By that stage, the intrusion chain may already be mature.

Ransomware operators often need only a few hours between:

  • initial execution,
  • credential theft,
  • lateral movement,
  • privilege escalation,
  • and ransomware deployment.

Fox Tempest’s infrastructure was optimized specifically to maximize success during that critical early execution window before global telemetry systems adapted.

The Commercialization of Malware Signing

Fox Tempest operated not merely as a threat actor group, but as a structured commercial cybercrime service provider.

According to reporting surrounding the takedown, the operation allegedly offered tiered signing services priced between:

  • $5,000,
  • and $9,000,

with higher service tiers providing:

  • priority signing access,
  • dedicated signing virtual machines,
  • and enhanced operational separation.

The operation reportedly marketed services through Telegram channels where operators advertised:

  • Microsoft-trusted certificates,
  • malware-signing access,
  • SmartScreen reputation,
  • and execution-reliability services.

This detail is operationally significant because it demonstrates the industrialization of trust abuse.

Fox Tempest was not simply using Microsoft infrastructure opportunistically.

It had built a scalable business model around monetizing artificial legitimacy.

Malware Families and Threat Actors Linked to the Infrastructure

Microsoft linked the signing ecosystem to multiple ransomware and malware operations including:

  • Akira,
  • INC ransomware,
  • Qilin,
  • BlackByte,
  • Rhysida,
  • Lumma Stealer,
  • Vidar,
  • Oyster malware,
  • and Vanilla Tempest activity.

Associated Microsoft-tracked threat clusters reportedly included:

  • Storm-0501,
  • Storm-0249,
  • Storm-2561,
  • and Vanilla Tempest.

Many of the signed binaries impersonated legitimate enterprise applications including:

  • Microsoft Teams,
  • Cisco Webex,
  • AnyDesk,
  • PuTTY,
  • VPN clients,
  • and remote administration tools.

Those applications are widely trusted in enterprise environments and frequently allowlisted, making them ideal disguises for first-stage malware loaders.

Operationally, many of the signed binaries functioned as:

  • first-stage loaders,
  • droppers,
  • downloaders,
  • or persistence installers

rather than full ransomware payloads themselves.

The objective was to:

  • bypass SmartScreen,
  • reduce EDR scrutiny,
  • obtain initial execution,
  • establish persistence,
  • and deploy secondary tooling.

Once execution succeeded, operators could deploy:

  • credential stealers,
  • PowerShell loaders,
  • Cobalt Strike beacons,
  • remote access trojans,
  • ransomware encryptors,
  • or post-exploitation frameworks.

The signing component existed primarily to guarantee reliable early-stage execution during the most fragile stage of the intrusion lifecycle.

Other Malware-Signing-as-a-Service Techniques Used Across the Cybercrime Ecosystem

Fox Tempest reflects only one branch of a much larger underground ecosystem centered around trust abuse and artificial legitimacy generation.

Modern Malware-Signing-as-a-Service operations increasingly combine multiple techniques designed to manipulate execution trust, delay telemetry correlation, and bypass reputation-based security systems.

Shell Company and Identity Fraud Certificate Acquisition

Dedicated underground brokers create:

  • fake businesses,
  • shell corporations,
  • synthetic corporate identities,
  • and fraudulent incorporation records

to acquire legitimate certificates from certificate authorities and resell them through cybercrime marketplaces.

Extended Validation certificates remain especially valuable because SmartScreen and other reputation systems heavily weight EV trust chains during early execution.

Underground advertisements now openly market:

  • “fresh SmartScreen reputation,”
  • “Microsoft-trusted certs,”
  • and “AV bypass signing”

as measurable deliverables.

Researchers investigating the EvilAI malware campaign observed newly created certificate-holding organizations registered between 2024 and 2025, suggesting attackers increasingly establish disposable companies solely to acquire signing infrastructure before abandonment and rotation.

Cloud-Native Trust Provisioning Abuse

Fox Tempest represents one of the clearest documented examples of cloud-native trust provisioning abuse.

The same automated onboarding systems designed to reduce friction for legitimate developers also reduce friction for adversaries investing in synthetic identities and fraudulent tenant provisioning.

Cloud-native signing abuse offers several operational advantages:

  • trivial certificate rotation,
  • baseline inherited trust from the cloud platform,
  • tenant isolation,
  • reduced attribution visibility,
  • and low operational cost.

The broader implication extends beyond Microsoft. Any cloud provider offering identity-gated signing infrastructure potentially represents a future target for provisioning abuse.

Timestamp Abuse and Post-Expiration Trust Persistence

Timestamp abuse has become a foundational component of modern MSaaS ecosystems.

By attaching RFC 3161-compliant trusted timestamps, attackers ensure malware continues appearing cryptographically valid even after:

  • the certificate expires,
  • signer infrastructure disappears,
  • or reputation collapses.

This creates a significant operational challenge because:

  • certificate expiration no longer functions as a meaningful remediation boundary,
  • and timestamped malware may continue executing on already-compromised systems long after revocation activity begins.

Signed Loaders and In-Memory Payload Delivery

Advanced MSaaS providers increasingly support multi-stage execution architectures designed to keep unsigned malware off disk entirely.

A common operational chain looks like:

  1. A signed loader executes
  2. SmartScreen allows execution
  3. The loader allocates memory
  4. Encrypted shellcode downloads
  5. Payload injects into legitimate processes
  6. Unsigned ransomware executes entirely in memory

This separation between:

  • the trusted signed artifact,
  • and the actual malicious payload

significantly increases analytical complexity for defenders.

Arctic Wolf documented a 2025 campaign involving trojanized PuTTY and WinSCP installers that delivered the Oyster/Broomstick backdoor through DLL-based persistence mechanisms executed via rundll32.exe.

BYOVD and EDR Killers

Bring Your Own Vulnerable Driver (BYOVD) operations have evolved from niche offensive tradecraft into a standardized ransomware pre-encryption phase.

Modern ransomware operators increasingly use vulnerable but legitimately signed drivers to:

  • disable EDR products,
  • terminate antivirus services,
  • tamper with kernel memory,
  • unregister monitoring callbacks,
  • and blind security telemetry before ransomware deployment begins.

A March 2026 analysis identified:

  • 54 distinct EDR-killer tools
    abusing:
  • 35 signed legitimate drivers.

Frequently abused drivers include:

  • RTCore64.sys,
  • gdrv.sys,
  • mhyprot2.sys,
  • and procexp.sys.

Threat actors associated with:

  • BlackByte,
  • AvosLocker,
  • LockBit,
  • Cuba ransomware,
  • and Lazarus-linked activity

have all leveraged BYOVD techniques extensively.

Cisco Talos documented a DeadLock ransomware campaign in late 2025 using a vulnerable Baidu Antivirus driver to terminate EDR processes, disable Windows Defender, stop services, and impair recovery mechanisms before encryption.

Qilin operators reportedly deployed multi-stage BYOVD chains specifically designed to unregister EDR monitoring callbacks before terminating security tooling.

Reputation Seeding and Infrastructure Seasoning

Some MSaaS providers intentionally distribute benign signed software first in order to:

  • generate telemetry,
  • build SmartScreen reputation,
  • increase prevalence scoring,
  • and establish historical trust

before switching the same signing identity to malicious payloads.

This mirrors:

  • phishing-domain aging,
  • cloud-account warming,
  • and social-media persona seasoning techniques

observed elsewhere across cybercrime ecosystems.

The operational objective is straightforward:
extend the period during which trust systems treat the signer as legitimate before detections adapt.

Supply Chain Compromise

The most advanced trust-abuse operations compromise legitimate software supply chains directly.

In incidents involving:

  • SolarWinds,
  • CCleaner,
  • ASUS Live Update,
  • and ShadowPad,

malware was inserted into genuine signed software releases before distribution.

These attacks are particularly dangerous because:

  • the trust chain itself remains technically valid,
  • the certificate is legitimate,
  • and the software was genuinely signed by the vendor.

Traditional trust validation becomes almost meaningless in these scenarios.

SEO Poisoning and Malvertising Distribution

Modern MSaaS ecosystems increasingly pair signed malware with:

  • SEO poisoning,
  • malvertising,
  • fake software portals,
  • trojanized installers,
  • and AI-generated phishing infrastructure.

Threat actors heavily impersonate:

  • Zoom,
  • Teams,
  • Outlook,
  • ChatGPT,
  • Claude,
  • NotebookLM,
  • VPN clients,
  • cryptocurrency tools,
  • and remote administration utilities.

Researchers observed a 115% increase in malicious files impersonating ChatGPT during early 2025.

The combination of:

  • search-engine trust,
  • realistic software impersonation,
  • and “Verified Publisher” Windows prompts

creates a highly effective social-engineering chain capable of neutralizing user suspicion almost completely.

AI-Assisted Identity Fabrication

An emerging development involves the likely future use of generative AI to automate identity-fabrication workflows used in certificate provisioning abuse.

Fox Tempest’s operational model required:

  • large numbers of synthetic organizations,
  • consistent identity artifacts,
  • fake registration documents,
  • and scalable provisioning workflows.

Generative AI increasingly lowers operational friction for:

  • shell-company creation,
  • synthetic organizational identity generation,
  • and automated document production.

While still an emerging threat vector, this represents a natural evolutionary path for cloud-native trust abuse ecosystems.

OpFauxSign and the Infrastructure Disruption

Microsoft’s takedown effort was formally codenamed:

OpFauxSign

The operation involved:

  • seizure of the domain signspace[.]cloud,
  • shutdown of hundreds of virtual machines,
  • disruption of signing infrastructure,
  • and blocking access to code-hosting systems associated with the operation.

Microsoft’s Digital Crimes Unit (DCU) reportedly used undercover personas to engage with Fox Tempest operators, map infrastructure, and identify operational workflows.

The company coordinated disruption efforts with:

  • the FBI,
  • Europol EC3,
  • hosting providers,
  • and other external partners.

Microsoft’s legal case was unsealed on May 19, 2026, in the U.S. District Court for the Southern District of New York and reportedly identified Vanilla Tempest as a co-conspirator.

Microsoft also clarified that geographic telemetry associated with signed malware did not necessarily indicate deliberate targeting of those countries. Rather, it reflected locations where signed files were observed on systems globally.

The broader strategic implication of the Fox Tempest operation is increasingly clear:
modern cybercriminals are no longer merely selling malware.

They are selling:

  • trust laundering,
  • execution reliability,
  • telemetry delay,
  • reputation manipulation,
  • and early-stage intrusion success.

The product is no longer simply the certificate itself.

The product is a temporary operational window during which:

  • SmartScreen,
  • EDR telemetry,
  • reputation systems,
  • and behavioral analytics

have not yet fully correlated the malicious activity with the signer identity.

Every major technique in the modern MSaaS ecosystem — from cloud provisioning abuse and timestamp manipulation to BYOVD, reputation seeding, SEO poisoning, and signed in-memory loaders — is ultimately optimized around the same objective: