Code-Signing

Microsoft disrupted SignSpaceCloud, a Russian cybercrime service providing code signing certificates to malware and ransomware operators, while European governments are shifting from Signal and WhatsApp due to phishing and data sovereignty risks, and the Fast16 malware targeted Iran's nuclear program.

Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation run by Fox Tempest that abused the Azure Artifact Signing service to generate fraudulent code-signing certificates, enabling malware to bypass security controls.

Attackers may attempt to disable or modify code signing policies on Windows systems by using built-in tools like bcdedit.exe in order to execute unsigned or self-signed malicious code.

A stack buffer overflow vulnerability (CVE-2026-39853) exists in osslsigncode versions prior to 2.12 due to insufficient validation of digest length during PKCS#7 signature verification, potentially leading to arbitrary code execution.

Attackers may modify the Windows registry to disable code signing policy, allowing the execution of unsigned or self-signed malicious code, thereby bypassing security controls and enabling defense evasion.