Microsoft Dismantles Fox Tempest Malware-Signing Operation
Microsoft's Digital Crimes Unit seizes infrastructure behind Fox Tempest, a malware-signing service that helped Rhysida, Akira, and Qilin ransomware gangs disguise malicious code as legitimate software.
Microsoft has disrupted a criminal operation that sold fraudulent code-signing certificates to ransomware gangs, allowing them to disguise malware as legitimate software. The company unsealed a civil lawsuit on May 19, 2026 targeting the threat actor tracked as Fox Tempest, which operated a malware-signing-as-a-service (MSaaS) platform since at least May 2025.
The takedown is a significant blow to the ransomware ecosystem. A code signature proves that an executable was signed under a publisher identity vetted by a certificate authority and has not been altered since; operating systems and security tools routinely treat a valid signature from a trusted chain as a proxy for legitimacy. When attackers obtain such signatures, their payloads pass the very controls meant to stop them.
How the Operation Worked
Fox Tempest abused Microsoft's Artifact Signing service (previously Azure Trusted Signing), which issues short-lived code-signing certificates valid for 72 hours. According to Microsoft's technical analysis, the operation created over 1,000 certificates and set up hundreds of Azure tenants and subscriptions to keep the service running; the abuse lay in obtaining certificates under fraudulent identities, not in forging signatures. The short lifetime does little to limit the damage: a signature that carries a timestamp countersignature continues to validate after the certificate expires, so a 72-hour certificate can sign malware that stays "valid" for years.
The certificates went to ransomware operators including Vanilla Tempest, Qilin, Rhysida, Inc, and Akira. Malware families distributed through the service included the Windows backdoor Oyster, infostealers Lumma and Vidar, and Rhysida ransomware itself.
In February 2026, Fox Tempest evolved its model. Rather than just providing certificates, it began offering pre-configured virtual machines hosted on US-based VPS provider Cloudzy. Customers uploaded their malicious files directly to Fox Tempest infrastructure and received signed binaries in return—a full-service malware packaging operation.
Why Signed Malware Matters
Signing malware with valid certificates creates a cascade of problems for defenders. SmartScreen bases its warning on publisher reputation, so a payload signed under an identity the service treats as vetted is far less likely to prompt the user. EDR and allowlisting products that treat "validly signed" as "trusted" wave the binary through. Even manual analysis becomes harder when a sample carries a signature that chains cleanly to a Microsoft-trusted root; the analyst has to ask who obtained the certificate, not merely whether it validates.
The Lumma stealer campaigns we covered earlier this month used signed payloads to evade detection. This kind of signing abuse has been a persistent challenge—last year's ASUS supply chain backdoor demonstrated how attackers leverage legitimate signing infrastructure to distribute malware at scale.
Microsoft's Response
The Digital Crimes Unit seized Fox Tempest's core infrastructure, revoked over 1,000 attributed certificates, and removed the fraudulent Azure accounts. Microsoft also strengthened the verification process for Artifact Signing to prevent similar abuse. Revocation only bites on hosts whose tools actually check revocation status, so already-signed samples in the wild should not be assumed harmless.
The civil lawsuit, filed in the US District Court for the Southern District of New York, names both Fox Tempest and Vanilla Tempest (a ransomware operation that was a frequent customer). Microsoft is partnering with Cloudzy to identify and disrupt remaining related infrastructure.
Impact on Victims
Fox Tempest's downstream impact hit healthcare, education, government, and financial services organizations globally. Microsoft estimates the threat actor earned millions of dollars, selling certificates at thousands of dollars per signature.
The operation's reach underscores why supply chain security extends beyond software—it includes the cryptographic trust infrastructure that validates code authenticity. When that trust is commoditized and sold to criminals, the entire verification model breaks down.
What This Means for Defenders
Organizations that rely on code signing as a security signal need layered defenses. Certificate validity alone does not guarantee safety: a signature proves that some vetted identity signed the file, not that the identity deserved vetting. Behavioral analysis, runtime monitoring, and application allowlisting keyed to specific publishers and file hashes, rather than to any valid signature, become essential.
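As an added example (not code from Microsoft's analysis or from the Fox Tempest writeup), the script below turns the points above into a concrete triage check: it walks a directory, reads each file's Authenticode signature with Get-AuthenticodeSignature, and reports signatures that validate but still warrant a second look, namely certificates with a validity window of 72 hours or less, publishers missing from an explicit allowlist, allowlisted publishers issued by an unexpected CA, and signatures with no timestamp countersignature. The scan path, the Contoso allowlist entry, and the three-day threshold are placeholders to adapt to your own environment.

```powershell
# Added example, not code from Microsoft or the Fox Tempest writeup.
# Audits signed files under a directory and reports signatures that are
# technically valid but should not be trusted on validity alone.
# Assumptions: $Path, the $AllowedPublishers entry and $ShortLivedDays are
# placeholders; replace them with your own quarantine path and publishers.

param(
    [string]$Path = 'C:\Quarantine',
    [int]$ShortLivedDays = 3      # Artifact Signing certificates are valid for 72 hours
)

# Hypothetical allowlist: subject DN of each publisher you expect, mapped to the
# CA that should have issued its certificate. Pin by DN *and* issuer, never by
# "any valid signature".
$AllowedPublishers = @{
    'CN=Contoso Ltd, O=Contoso Ltd, L=Redmond, S=Washington, C=US' = 'Contoso Code Signing CA'
}

function Test-SignerPolicy {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig      = Get-AuthenticodeSignature -FilePath $FilePath
    $cert     = $sig.SignerCertificate
    $findings = [System.Collections.Generic.List[string]]::new()
    $subject  = $null
    $thumb    = $null

    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status $($sig.Status)")
    }

    if ($null -ne $cert) {
        $subject = $cert.Subject
        $thumb   = $cert.Thumbprint

        # Trusted-Signing-style certificates live only 72 hours. Legitimate
        # publishers receive them too, so this is a triage signal, not a verdict.
        $lifetime = $cert.NotAfter - $cert.NotBefore
        if ($lifetime.TotalDays -le $ShortLivedDays) {
            $findings.Add("short-lived certificate: $([int]$lifetime.TotalHours)h validity window")
        }

        # A valid chain says the CA vouched for *someone*; the allowlist says
        # whether that someone is a publisher you actually run code from.
        $expectedIssuer = $AllowedPublishers[$cert.Subject]
        if (-not $expectedIssuer) {
            $findings.Add("publisher not on allowlist: $($cert.Subject)")
        }
        elseif ($cert.Issuer -notlike "*CN=$expectedIssuer*") {
            $findings.Add("allowlisted publisher issued by unexpected CA: $($cert.Issuer)")
        }

        # A timestamp countersignature keeps the signature valid after the
        # 72-hour certificate expires, which is how a short-lived certificate
        # signs long-lived malware. Without one, the signature dies with the cert.
        if ($null -eq $sig.TimeStamperCertificate) {
            $findings.Add('no timestamp countersignature')
        }
    }

    [pscustomobject]@{
        File       = $FilePath
        Status     = $sig.Status
        Subject    = $subject
        Thumbprint = $thumb
        Findings   = $findings -join '; '
    }
}

# Scan the usual code-bearing extensions and print only files with findings.
Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi, *.sys, *.ps1 |
    ForEach-Object { Test-SignerPolicy -FilePath $_.FullName } |
    Where-Object { $_.Findings } |
    Format-Table -AutoSize
```

Run it against a download or quarantine directory rather than the whole system, and treat the short-lifetime finding as a reason to look closer, not as a block decision: legitimate Artifact Signing customers receive the same 72-hour certificates. The thumbprints of publishers you do trust are what belong in WDAC or AppLocker publisher rules, so that the allowlist, not the mere presence of a valid chain, decides what runs.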
Microsoft's Driver Quality Initiative announced last week includes stricter verification requirements for kernel-mode drivers. That initiative and this takedown share a common thread: tightening the chain of trust that attackers have learned to exploit.
The Fox Tempest disruption won't end code-signing abuse, but it removes a significant capability from the ransomware ecosystem. Operators will need to find new signing infrastructure—and that friction buys defenders time.