Microsoft Disrupts Fox Tempest Malware-Signing Service Used by Ransomware Gangs
Fox Tempest did not need to break every security control head-on. It sold attackers something often more useful: the appearance of trust.
Microsoft says it has disrupted a malware-signing-as-a-service operation that helped ransomware crews and malware distributors make malicious files look like legitimate software. The service abused Microsoft Artifact Signing to generate short-lived code-signing certificates, allowing malware to carry trusted-looking signatures and slip past defenses that rely heavily on software reputation.
The scale is what makes this case stand out. Microsoft says Fox Tempest created more than 1,000 certificates, established hundreds of Azure tenants and subscriptions, and supported downstream attacks across healthcare, education, government, and financial services in multiple countries.
What Microsoft Disrupted
On May 19, 2026, Microsoft disclosed that its Digital Crimes Unit, supported by industry partners, disrupted Fox Tempest’s malware-signing-as-a-service infrastructure. Microsoft also unsealed a legal case in the U.S. District Court for the Southern District of New York targeting the operation.
Fox Tempest’s service allowed customers to upload malicious files and receive signed binaries in return. The certificates were short-lived, reportedly valid for 72 hours, but that was enough time for attackers to run malvertising, SEO poisoning, fake software downloads, and ransomware delivery campaigns. Two caveats matter for defenders here: short validity is a characteristic of the signing service rather than something the actor chose to hide, and a timestamped Authenticode signature continues to validate after its certificate expires, so expiry alone did not neutralize already-signed payloads.
Microsoft said it revoked more than 1,000 code-signing certificates attributed to Fox Tempest. The company also said the actor had built a large operational base using hundreds of Azure tenants and subscriptions to sustain the service.
Why Code Signing Abuse Matters
Code signing is supposed to answer a simple question: can this software be trusted to come from the claimed publisher and remain untampered with?
Fox Tempest turned that trust signal into a criminal product. By signing malware with certificates obtained under false pretenses, the group helped malicious files appear safer to users, operating systems, browsers, and some security tools. That does not make the malware technically benign, but it can lower friction at the exact moment defenders need friction most: execution.
Microsoft said the signed payloads were disguised as legitimate software, including tools such as AnyDesk, Microsoft Teams, PuTTY, and Webex. That detail matters because attackers were not only abusing certificates; they were pairing signed malware with brands and utilities that users already recognize.
Ransomware Crews Used the Service
Microsoft has tracked Fox Tempest since September 2025 and said the service had been available since at least May 2025. The company linked Fox Tempest-signed malware to activity involving ransomware groups and clusters including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249.
The operation was also tied to delivery activity involving ransomware families such as Rhysida, INC, Qilin, and Akira. Beyond ransomware, Microsoft observed the service enabling distribution of malware families including Lumma Stealer, Oyster, and Vidar.
This is the cybercrime economy working as designed: one group does not need to run the whole intrusion chain. Fox Tempest handled a trust-abuse layer that made other criminals’ payloads easier to deliver.
Infrastructure, Customers, and Money
Microsoft identified signspace[.]cloud as part of Fox Tempest’s now-defunct service infrastructure. The platform reportedly included an admin side for managing tooling, accounts, and infrastructure, and a customer side where malicious files could be uploaded for signing.
In February 2026, Microsoft observed Fox Tempest shift its operational model by providing customers with preconfigured virtual machines hosted on Cloudzy infrastructure. That change gave customers a controlled environment to upload files and receive signed binaries while keeping the signing workflow under Fox Tempest’s control.
The service was expensive. Microsoft said customers paid thousands of dollars, and cryptocurrency analysis linked the actor to ransomware affiliates with observed proceeds in the millions. That is not a side hustle; it is a specialized criminal support business.
Operational Impact for Defenders
The practical lesson is uncomfortable: a valid-looking signature is not the same as a safe file.
Security teams should treat code signing as one signal among many, not as a final verdict. Signed binaries still need behavioral inspection, reputation analysis, parent-child process review, download-source validation, and scrutiny around newly observed certificates, short-lived certificates, and files posing as remote access or collaboration tools.
Defenders should pay particular attention to malware delivery paths involving sponsored search results, fake software download pages, SEO-poisoned content, and newly registered lookalike domains. In Fox Tempest-enabled operations, the signature helped the payload look acceptable, but the delivery chain often still carried attacker tradecraft.
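The two paragraphs above describe signing as one signal that has to be weighed against certificate age, certificate lifetime, claimed brand versus actual publisher, and delivery path. The following is an added example of that scoring logic written for this page, not code from Microsoft or from the Fox Tempest investigation. It runs over constructed endpoint events shaped like what Get-AuthenticodeSignature or signtool plus proxy logs would yield; the expected-publisher table, the referrer hints, the thresholds, and the publisher name "Example Software Ltd" are assumptions, and the fixed NOW is the disclosure date used only to make the sample reproducible.

```python
"""Context-aware scoring of signed binaries (added example, not vendor code).

The point demonstrated: a chain-valid signature is scored together with how new
the certificate is to the fleet, how long it was valid, whether the file name
impersonates a known brand, and where the download came from.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed reference time (the disclosure date); only used for sample data.
NOW = datetime(2026, 5, 19, 12, 0, tzinfo=timezone.utc)


@dataclass
class SignedFileEvent:
    file_name: str
    signer_subject: str          # CN of the leaf code-signing certificate
    cert_not_before: datetime
    cert_not_after: datetime
    cert_first_seen: datetime    # first sighting of this cert thumbprint in fleet telemetry
    download_referrer: str       # page or location that served the file
    signature_valid: bool        # chain validated to a trusted root


# ASSUMPTION: illustrative allowlist of brands attackers impersonate and the publisher CN
# a genuine build carries. Build your own from installers you have verified.
EXPECTED_PUBLISHER = {
    "anydesk": "AnyDesk Software GmbH",
    "teams": "Microsoft Corporation",
    "putty": "Simon Tatham",
    "webex": "Cisco WebEx LLC",
}

# ASSUMPTION: click-ID parameters that mark a sponsored-search landing rather than a vendor site.
SUSPICIOUS_REFERRER_HINTS = ("gclid=", "msclkid=", "utm_source=ads")

SHORT_LIVED = timedelta(days=4)   # ~72h certificates are normal for Artifact Signing, so weak alone
NEWLY_SEEN = timedelta(hours=24)  # certificate never seen in the fleet before today


def score_event(ev: SignedFileEvent, now: datetime = NOW) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). Weights are assumptions; tune to your telemetry."""
    reasons: List[str] = []
    score = 0

    if not ev.signature_valid:
        reasons.append("invalid_signature")
        score += 5

    # Lifetime, not expiry: a timestamped signature still validates after the cert expires.
    if ev.cert_not_after - ev.cert_not_before <= SHORT_LIVED:
        reasons.append("short_lived_cert")
        score += 1

    if now - ev.cert_first_seen < NEWLY_SEEN:
        reasons.append("cert_new_to_fleet")
        score += 2

    # File name claims a brand but the signer is not that brand's publisher.
    lowered = ev.file_name.lower()
    for brand, publisher in EXPECTED_PUBLISHER.items():
        if brand in lowered and ev.signer_subject != publisher:
            reasons.append(f"brand_publisher_mismatch:{brand}")
            score += 4
            break

    if any(h in ev.download_referrer.lower() for h in SUSPICIOUS_REFERRER_HINTS):
        reasons.append("sponsored_search_referrer")
        score += 2

    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return verdict, reasons


def build_demo_events() -> List[SignedFileEvent]:
    """Constructed sample telemetry: an impersonation, a genuine download, a benign short-lived cert."""
    h, d = timedelta(hours=1), timedelta(days=1)
    return [
        # Signed "AnyDesk" installer from a sponsored result, signer is an unrelated company.
        SignedFileEvent("AnyDesk_setup.exe", "Example Software Ltd",  # fictional publisher
                        NOW - 2 * h, NOW - 2 * h + 72 * h, NOW - 1 * h,
                        "https://www.bing.com/aclick?msclkid=abc123", True),
        # Genuine vendor build: right publisher, long-lived cert, seen for months, vendor referrer.
        SignedFileEvent("AnyDesk.exe", "AnyDesk Software GmbH",
                        NOW - 200 * d, NOW + 165 * d, NOW - 200 * d,
                        "https://anydesk.com/en/downloads", True),
        # Internal tool signed with a short-lived cert a month ago and nothing else suspicious.
        SignedFileEvent("DeployHelper.exe", "Example Software Ltd",
                        NOW - 30 * d, NOW - 30 * d + 72 * h, NOW - 30 * d,
                        r"\\fileserver\deploy", True),
    ]


if __name__ == "__main__":
    for ev in build_demo_events():
        verdict, reasons = score_event(ev)
        print(f"{ev.file_name:20} {verdict:7} {', '.join(reasons) or '-'}")
```

The third sample is the caveat in code: a short-lived certificate by itself only earns a weak score, because that lifetime is how the abused service issues certificates to legitimate customers too. What separates the first sample is the combination of a brand name in the file, a publisher that does not own that brand, a certificate the fleet has never seen, and a sponsored-search referrer.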
The Bigger Pattern
Fox Tempest is important because it shows how ransomware ecosystems keep professionalizing around specific services. Initial access brokers sell entry. Bulletproof hosts provide infrastructure. Malware developers sell payloads. Now, malware-signing services help attackers weaponize trust itself.
That shift raises the cost for defenders. Blocking known malware hashes is not enough when attackers can repeatedly sign fresh binaries, rotate infrastructure, and wrap malicious payloads in trusted-looking software identities.
Microsoft’s disruption removes a significant service from the ransomware supply chain, but it also exposes the demand behind it. As long as signed malware improves execution rates, criminal marketplaces will keep trying to manufacture trust at scale.
NeuraCyb's Assessment
Fox Tempest is a reminder that modern ransomware operations do not always win through sophistication at the endpoint. Sometimes they win by corrupting the assumptions defenders and users make before the endpoint ever gets a fair look.
The defensive takeaway is sharp: trust signals need context. A signed binary downloaded from a fake ad, delivered through SEO poisoning, or posing as a common IT tool should not get a free pass. In this case, the signature was not proof of safety. It was part of the attack.
References
Microsoft Security Blog: Exposing Fox Tempest — A malware-signing service operation
Microsoft On the Issues: Disrupting Fox Tempest
The Record: Microsoft disrupts Fox Tempest malware-signing-as-a-service platform
Axios: Microsoft disrupts service selling fake certificates to ransomware gangs