Microsoft says it dismantled a malware-signing-as-a-service (MSaaS) operation called Fox Tempest, which helped cybercriminals make malware appear legitimate.
The service let customers submit malicious files to be digitally signed with short-lived Microsoft-issued certificates, making the malware look legitimate and more likely to bypass security checks.
Fox Tempest’s service was built around a customer-facing signing workflow: cybercriminals could upload malicious binaries to a portal, have them signed with certificates valid for only 72 hours, and then receive files that appeared to come from a trusted software source.
Microsoft explicitly says this approach allowed malware to evade security controls and bypass defenses that would otherwise flag suspicious unsigned code. Many security tools treat signed binaries as more trustworthy than unsigned ones, especially in environments that rely on allow-lists and publisher reputation. Fox Tempest abused that assumption by using fraudulently obtained certificates to make malware blend in as legitimate software, increasing the likelihood of execution and successful delivery.
A trusted-looking certificate can help malware get past initial scrutiny, especially when paired with social engineering, paid ads, SEO poisoning, or fake download pages. In this campaign, the signing layer helped malicious installers masquerade as products like AnyDesk, Teams, PuTTY, and Webex, which is exactly the kind of abuse that can slip through control frameworks built around reputation and trust.
The fraudulent certificates were used to spread ransomware and infostealers. The effects of these malware campaigns were broad, with attacks affecting healthcare, education, government, and financial services across multiple countries.
How to stay safe
Microsoft’s disclosure shows how cybercrime has evolved beyond “malware authors” into a service economy where one group specializes in producing trust and others monetize it.
For defenders, the strongest lesson is not to treat code signing as a standalone security control.
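The following added example (not code from Microsoft or from this article) applies that lesson to signature metadata such as an endpoint tool might export: a valid signature never grants trust on its own, a short certificate lifetime raises a review, and a file that claims a well-known product but is signed by a different publisher is blocked. The 7-day threshold, the publisher baseline, the field names and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: review threshold set with margin above the 72-hour certificates.
SHORT_LIVED = timedelta(days=7)
# Assumption: hypothetical baseline of product keyword -> signer name; confirm
# each value against known-good installers before relying on it.
EXPECTED_PUBLISHER = {
    "anydesk": "AnyDesk Software GmbH",
    "teams": "Microsoft Corporation",
    "putty": "Simon Tatham",
    "webex": "Cisco Systems, Inc.",
}

@dataclass
class SignedFile:
    name: str             # file name as downloaded
    product: str          # ProductName from the version resource
    signer: str           # subject name of the signing certificate
    not_before: datetime  # certificate validity start
    not_after: datetime   # certificate validity end
    signature_valid: bool

def triage(f: SignedFile) -> tuple[str, list[str]]:
    """Return (verdict, reasons). A valid signature alone never means 'allow'."""
    if not f.signature_valid:
        return "block", ["signature missing or invalid"]
    reasons = []
    if f.not_after - f.not_before <= SHORT_LIVED:
        reasons.append("short-lived signing certificate")
    label = f"{f.name} {f.product}".lower()
    for keyword, publisher in EXPECTED_PUBLISHER.items():
        if keyword in label and f.signer != publisher:
            reasons.append(f"claims {keyword} but signed by {f.signer!r}")
    if any(r.startswith("claims") for r in reasons):
        return "block", reasons
    # Short lifetime alone is only a signal; clean files still go on to
    # behavioural and reputation checks rather than being trusted outright.
    return ("review", reasons) if reasons else ("continue-checks", reasons)

# Constructed sample records, not real indicators.
T0 = datetime(2025, 1, 1)
SAMPLES = [
    SignedFile("AnyDesk-setup.exe", "AnyDesk", "Constructed Signer LLC", T0, T0 + timedelta(hours=72), True),
    SignedFile("tool.exe", "Internal Tool", "Constructed Dev Ltd", T0, T0 + timedelta(hours=72), True),
    SignedFile("putty.exe", "PuTTY suite", "Simon Tatham", T0, T0 + timedelta(days=365), True),
]
if __name__ == "__main__":
    for f in SAMPLES:
        print(f.name, *triage(f))
```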
For consumers:
- Only download software from the official vendor site, the Microsoft Store, or another source you already trust. Avoid download buttons behind links sent via social media posts, direct messages, or email.
- Be skeptical of “sponsored” search results and advertisements for popular apps.
- Use an up-to-date, real-time anti-malware solution that looks for malicious behavior rather than just signatures.

