Microsoft & Resecurity Disrupt Fox Tempest Malware‑Signing Service, Revoking 1,000+ Fraudulent Certificates
What Happened – Microsoft’s Digital Crimes Unit, assisted by Resecurity, seized the Fox Tempest malware‑signing‑as‑a‑service (MSaaS) infrastructure, took down the signspace.cloud website, disabled hundreds of virtual machines, and revoked more than 1,000 illicit code‑signing certificates that were being used to make ransomware and other malware appear legitimate.
Why It Matters for TPRM –
- Upstream code‑signing services are a critical “as‑a‑service” supply‑chain risk that can amplify attacks across multiple vendors and customers.
- Disruption of the service removes a trusted‑appearance vector, forcing threat actors to revert to less effective delivery methods.
- The operation demonstrates the value of coordinated public‑private threat‑intel sharing for protecting third‑party ecosystems.
Who Is Affected – Financial services, healthcare, retail, SaaS providers, and any organization that relies on signed binaries for trust decisions.
Recommended Actions – Review any reliance on third‑party code‑signing or certificate authorities, validate the provenance of signed executables, and enhance detection rules for newly signed files.
Technical Notes – The actors abused Microsoft Artifact Signing to obtain fraudulent certificates, then offered a “malware‑signing‑as‑a‑service” platform. The takedown involved legal action, domain seizure, VM shutdown, and revocation of >1,000 certificates. No public data breach was reported. Source: Security Affairs