Microsoft Dismantles Service Selling 72-Hour Malware Certificates
Microsoft dismantled Fox Tempest, a service that sold Microsoft-issued code-signing certificates valid for 72 hours to make malicious binaries appear legitimate.
Microsoft dismantled Fox Tempest, a malware-signing-as-a-service that let customers submit malicious files for digital signing. The service used Microsoft-issued code-signing certificates that remained valid for 72 hours and returned signed binaries that appeared to come from legitimate publishers.
Customers uploaded installers to a portal, received them back signed, and distributed the files themselves. Because each certificate was valid for only 72 hours, a signed file could pass reputation checks and some allow-list systems before the certificate was revoked or other defenses caught up.
Operators paired the signing service with distribution tactics including paid advertisements, manipulated search results, fake download pages and social engineering to persuade users to install the signed files. Microsoft identified installers impersonating AnyDesk, Microsoft Teams, PuTTY and Webex. The signed binaries were used to deliver ransomware and information-stealing malware.
Microsoft reported infections across the healthcare, education, government and financial services sectors in multiple countries. The company removed the service’s infrastructure and provided technical indicators to help security teams block related threats.
Microsoft described the operation as part of a criminal service economy, in which one group supplies trust signals and others use those signals to spread malware. The company advised that code signing should not be the only security control relied on to determine whether a file is safe.
Code signing is meant to establish who published a file and to detect tampering after signing; a valid signature does not say whether that publisher is benign. Fraudulently obtained, short-lived certificates narrow the window in which a signer can be detected and revoked, and they undermine any control that treats a valid signature as proof of safety. Microsoft recommended downloading software only from official vendor sites, the Microsoft Store or other known trusted sources, avoiding unsolicited download links, and running up-to-date endpoint protection that looks for malicious behavior rather than relying solely on signature checks or publisher reputation.
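The two points above, that a 72-hour certificate can outrun reputation and revocation and that a valid signature is not a safety verdict, are easy to check for on an endpoint. The PowerShell below is an added example, not code from Microsoft's report or from any product named in it: it inspects the Authenticode signer of each installer in a folder and flags certificates whose validity window is short or whose subject is not on an expected-publisher list. The folder path, the seven-day threshold and the `CN=Microsoft Corporation*` pattern are placeholders to adapt.

```powershell
# Added example: triage Authenticode signers on downloaded installers.
# Not code from Microsoft or the report; the path, threshold and allow-list
# pattern are placeholders chosen for illustration.
function Test-SignerRisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FilePath,
        # Assumption: anything valid for a week or less counts as short-lived;
        # the abused certificates in the report were valid for 72 hours.
        [int]$ShortLifetimeDays = 7,
        # Assumption: wildcard patterns for the publishers you expect to see.
        [string[]]$ExpectedSubjects = @('CN=Microsoft Corporation*')
    )

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, UnknownError and friends are findings on their own.
        $findings.Add("signature status: $($sig.Status) ($($sig.StatusMessage))")
        return [pscustomobject]@{ File = $FilePath; Signer = $null; Findings = $findings }
    }

    $cert = $sig.SignerCertificate
    $lifetime = $cert.NotAfter - $cert.NotBefore

    if ($lifetime.TotalDays -le $ShortLifetimeDays) {
        $findings.Add(('short-lived certificate: {0:N1} days ({1:u} to {2:u})' -f $lifetime.TotalDays, $cert.NotBefore, $cert.NotAfter))
    }

    $isExpected = $false
    foreach ($pattern in $ExpectedSubjects) {
        if ($cert.Subject -like $pattern) { $isExpected = $true; break }
    }
    if (-not $isExpected) {
        $findings.Add("publisher not on expected list: $($cert.Subject)")
    }

    # A timestamp countersignature keeps the signature verifiable after NotAfter,
    # so a certificate that lived only 72 hours can still validate indefinitely.
    # 'Valid' means "chains to a trusted root and the file is untampered", not
    # "signed by someone you trust"; treat it as one input, never as the verdict.
    $timestamped = $null -ne $sig.TimeStamperCertificate

    [pscustomobject]@{
        File        = $FilePath
        Signer      = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        Timestamped = $timestamped
        Findings    = $findings
    }
}

# Usage (the folder is a placeholder): show only files with at least one finding.
Get-ChildItem -Path 'C:\Users\Public\Downloads' -Recurse -Include *.exe, *.msi |
    ForEach-Object { Test-SignerRisk -FilePath $_.FullName } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List File, Signer, Issuer, NotBefore, NotAfter, Timestamped, Findings
```

A short validity window is a triage signal, not a verdict: the certificates in this case were issued through a legitimate Microsoft path, so legitimate binaries signed the same way will trip the same check. Use the findings to lower trust and route the file to behavioral analysis, and pair the publisher list with the thumbprint so a lookalike subject string on a different certificate does not pass.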