Microsoft Dismantles Fox Tempest Malware-Signing Network
- May 20
- 2 min read
Key Findings
Microsoft's Digital Crimes Unit dismantled Fox Tempest, a malware-signing-as-a-service operation that created over 1,000 fraudulent certificates
The service enabled threat actors to sign malware with short-lived Microsoft certificates, making malicious files appear legitimate
Fox Tempest charged between $5,000 and $9,000 for access to its signing platform, with higher tiers offering priority service
The operation supported major ransomware families including Rhysida, INC, Qilin, and Akira, impacting healthcare, education, government, and financial sectors globally
Microsoft revoked more than 1,000 code-signing certificates and seized infrastructure including the signspace.cloud platform
Background
Fox Tempest operated as a well-resourced cybercriminal enterprise focused on providing infrastructure and services rather than directly attacking victims. Since September 2025, the group has supported dozens of downstream threat actors including Storm-0501, Storm-2561, and Storm-0249. The operation targeted organizations across multiple continents, with documented victims in the United States, France, India, and China. Rather than operating in hidden underground forums, Fox Tempest functioned like a legitimate business with customer service channels and tiered pricing structures.
How the Service Worked
Fox Tempest operated the signspace.cloud platform, which allowed customers to submit malicious files for signing with legitimate Microsoft-issued certificates. The service exploited Microsoft's Artifact Signing system by using stolen identities to pass verification requirements. Certificates issued through the platform were short-lived, lasting only 72 hours, but provided enough time for malware to bypass security controls and appear trustworthy to endpoint systems. In February 2026, the operation evolved to provide pre-configured virtual machines hosted on third-party infrastructure, allowing customers to directly upload malware without needing technical expertise.
Malware Distributed
Fox Tempest signed malware for distribution campaigns using various delivery methods including malvertising, SEO poisoning, and fake advertisements. The malware families distributed through the service included Rhysida ransomware, Oyster, Lumma Stealer, and Vidar. Ransomware affiliates associated with families like INC, Qilin, and Akira generated millions in alleged proceeds from attacks enabled by Fox Tempest's infrastructure.
Business Model and Operations
Fox Tempest structured its operation like a commercial service, with customers selecting between pricing tiers ranging from $5,000 to $9,000 for certificate access. Higher-tier customers received priority handling and dedicated virtual machines for signing operations. The group managed customer relations through Telegram channels where they advertised services and coordinated payments. The centralized infrastructure approach allowed Fox Tempest to maintain operations at scale while keeping the technical setup relatively streamlined and repeatable.
Microsoft's Disruption Effort
Microsoft's Digital Crimes Unit took down Fox Tempest's infrastructure and filed lawsuits against both Fox Tempest and associated group Vanilla Tempest. These legal actions provided grounds to seize domains, tear down server infrastructure, and pressure third-party providers to suspend related services. Microsoft revoked over 1,000 certificates linked to the operation and tightened verification processes that had been exploited. The company also worked with industry partners to coordinate the takedown and continues monitoring for related abuse.
Recommended Defenses
Microsoft advises organizations to implement layered security controls including cloud protection, Safe Links and Safe Attachments, and SmartScreen filtering. Additional measures include enabling tamper protection, limiting administrative rights, and deploying attack surface reduction rules. Strong identity controls remain critical for preventing abuse of cloud services. Microsoft emphasized that disruption efforts require ongoing collaboration between organizations, as no single action completely eliminates the threat landscape.
Sources
https://securityaffairs.com/192391/cyber-crime/microsoft-dismantled-malware-signing-network-fox-tempest.html
https://ttpwire.com/article/15352525
https://x.com/shah_sheikh/status/2056800888438886447
https://x.com/securityaffairs/status/2056797791330959815
https://www.linkedin.com/posts/cybercureme_microsoft-dismantled-malware-signing-network-activity-7462566581882036224-VxRE

Comments