TempMail Ninja

Fox Tempest Malware-Signing Service Disrupted by Microsoft


On May 19, 2026, Microsoft’s Digital Crimes Unit (DCU), together with a coalition of international law enforcement and cybersecurity partners, disrupted the Fox Tempest malware-signing operation, a Malware-Signing-as-a-Service (MSaaS) provider that had spent roughly a year abusing a legitimate developer code-signing service to put trusted signatures on criminal payloads. Those signatures let some of the most destructive ransomware syndicates slip past reputation-based and enterprise security controls with far less friction than unsigned malware would face.

The coordinated disruption, backed by an unsealed civil lawsuit in the U.S. District Court for the Southern District of New York, targeted a highly specialized criminal supply chain. Rather than directly executing attacks, Fox Tempest functioned as an upstream enabler. They weaponized stolen identities and cloud resources to generate over 1,000 trusted code-signing certificates. For the global cybersecurity community, this bust highlights a major paradigm shift: the cybercrime ecosystem has become modular, where specialized services are bought and sold to streamline complex cyber-extortion campaigns.

Deconstructing the Fox Tempest Malware Infrastructure

To appreciate how the Fox Tempest malware-signing service operated, one must understand how modern operating systems decide what software to trust. Windows relies heavily on code signing: a cryptographic signature over the binary, chained to a certificate from a trusted authority, attests that the program comes from a named publisher and has not been altered since it was signed. A valid signature does not make a file safe, and it does not disable defensive checkpoints outright, but it removes much of the friction those checkpoints apply. Windows Defender SmartScreen weighs publisher reputation before warning on a download, and many Endpoint Detection and Response (EDR) heuristics score signed binaries as lower risk, so a signed payload slides into enterprise environments with far fewer prompts and alerts than an unsigned one.

Fox Tempest systematically abused this trust model. The group targeted Microsoft’s Artifact Signing service (formerly known as Azure Trusted Signing), which issues legitimate short-lived code-signing certificates to verified developers. The threat actors used the following multi-stage methodology to subvert the platform:

  • Identity Fraud: The operators used stolen U.S. and Canadian identities to pass the identity verification checks required for developer registration.
  • Tenant Proliferation: Using these stolen and synthetic personas, they established hundreds of fraudulent Azure tenants and active subscriptions.
  • Certificate Generation: Through these fraudulent tenants, they generated more than 1,000 short-lived, Microsoft-issued code-signing certificates, each typically valid for only 72 hours.

The short-lived nature of these certificates worked in Fox Tempest’s favor. Each certificate covered only a small batch of payloads, so by the time security researchers or the certificate authority flagged a specific file or signer thumbprint as malicious, the next batch was already being signed under a fresh certificate, and blocklists keyed on the old thumbprint caught nothing new. Meanwhile, the earlier payloads had already executed on victims’ systems, leaving defenders chasing ghosts. One caveat matters for responders: an Authenticode signature that carries a trusted timestamp continues to verify after the certificate expires, so expiry alone did not neutralize already-signed payloads. Only revocation of the certificate, checked by the verifying endpoint, does that.

The MSaaS Business Model: From SamCodeSign to Cloudzy VMs

Operating since at least May 2025, Fox Tempest managed its criminal enterprise with the efficiency of a legitimate software-as-a-service (SaaS) provider. The group marketed its services on a dedicated Telegram channel named “EV Certs for Sale by SamCodeSign” and routed customers to a bespoke bilingual English-Russian web portal hosted at signspace.cloud. The portal featured separate administrative and customer-facing interfaces.

To secure a signed payload, threat actors completed a standard intake form and paid hefty premiums. Pricing ranged between $5,000 and $9,500 per certificate, payable in Bitcoin, with higher tiers offering priority queue placement for faster turnaround times. This premium pricing structure reflected the high success rate of the signed malware in evading enterprise-grade defenses. Cryptocurrency analysis associated with the group has already revealed illicit revenues running into the millions of dollars.

The February 2026 Operational Shift

In February 2026, Microsoft Threat Intelligence observed a significant structural evolution in how Fox Tempest delivered its services. To minimize operational friction and protect their signing pipeline from exposure, the group transitioned to utilizing pre-configured virtual machines (VMs) hosted on the infrastructure of Cloudzy, a U.S.-based virtual private server (VPS) provider.

Instead of customers receiving certificates directly, the new model required cybercriminals to upload their raw, unsigned malware into these isolated VM environments. Fox Tempest’s automated backend signed the files inside the VM and delivered the signed binary back to the customer. This kept the signing credentials and the pipeline itself off customer machines, and it meant that no single customer could expose the certificates or the tenants behind them, a notable level of operational security (OPSEC) for a criminal enterprise.

Downstream Havoc: The Vanilla Tempest Alliance

The downstream consequences of Fox Tempest’s operations have been devastating. By providing a reliable method to neutralize endpoint protection, Fox Tempest attracted a roster of highly aggressive ransomware affiliates and initial access brokers. Microsoft’s unsealed lawsuit directly named the ransomware group Vanilla Tempest (a prominent affiliate associated with the Rhysida ransomware family) as a key co-conspirator. Vanilla Tempest had been utilizing Fox Tempest’s MSaaS pipeline since at least June 2025.

The classic attack chain utilized by Vanilla Tempest relied on highly deceptive delivery mechanisms to infect corporate networks. The process operated as follows:

  1. Trojanizing Enterprise Software: Vanilla Tempest repackaged ubiquitous enterprise software installers—including AnyDesk, Microsoft Teams, PuTTY, and Webex—with malicious backdoors.
  2. Signing the Payloads: These trojanized installers were submitted to Fox Tempest’s signspace.cloud portal, returning fully signed, seemingly legitimate installers.
  3. SEO Poisoning and Malvertising: The threat actors purchased legitimate search engine advertisements and optimized malicious web pages to intercept users searching for these business applications. Unsuspecting IT administrators and employees downloaded the signed, backdoored installers from these spoofed sites.
  4. Payload Execution: Because the files carried valid digital signatures, users saw fewer warnings and reputation-based checks raised far less friction. Once executed, the installers deployed backdoors like Oyster (also known as CleanBot) along with prominent information stealers such as Lumma Stealer and Vidar.
  5. Ransomware Deployment: Armed with stolen credentials and persistent network access, Vanilla Tempest deployed Rhysida ransomware across the compromised enterprise network.

While Vanilla Tempest was a primary user, they were not alone. Microsoft Threat Intelligence verified that affiliates of other prominent ransomware operations, including Akira, Qilin, and INC Ransomware, also utilized Fox Tempest to sign their custom payloads. These signed packages targeted critical sectors—healthcare, K-12 and higher education, financial services, and government entities—across the United States, France, India, and China.

The dismantling of Fox Tempest relied on a hybrid strategy combining technical intervention and civil legal maneuvers. This approach has become the hallmark of Microsoft’s Digital Crimes Unit. By filing a civil suit in the U.S. District Court for the Southern District of New York, Microsoft secured court orders that granted them the legal authority to seize critical online infrastructure.

The enforcement actions successfully executed during the disruption campaign included:

  • Domain Seizure: The primary service portal, signspace.cloud, was seized and redirected to a Microsoft-controlled landing page detailing the legal action.
  • VM Deprovisioning: Hundreds of active virtual machines running the signing operations across Azure and Cloudzy infrastructures were summarily taken offline.
  • Code Blockade: Access to a secondary repository hosting the proprietary code used to manage the MSaaS infrastructure was blocked.
  • Certificate Revocation: Microsoft systematically revoked more than 1,000 fraudulently obtained code-signing certificates. Revocation breaks signature validation for any payload signed under those certificates, but only on endpoints that actually check revocation status, and it does nothing for payloads that had already executed before the revocation was published.

Additionally, Microsoft’s investigators, operating undercover personas, interacted directly with Fox Tempest’s administrative staff to map out their technical dependencies. Microsoft continues to collaborate with the FBI and Europol’s European Cybercrime Centre (EC3) to unmask the real-world identities of the individuals operating behind the Fox Tempest brand.

Defensive Posture: How Enterprises Must Respond

The fall of Fox Tempest is a major victory, but the threat of certificate abuse remains an ongoing challenge. Cybercriminals are highly adaptable, and residual payloads signed prior to the takedown may still exist in enterprise environments. To defend against similar campaigns, CISOs and IT security teams should immediately enforce the following defensive postures:

  • Enforce Tamper Protection: Ensure that tenant-wide tamper protection is enabled across all endpoints to prevent malware from attempting to disable antivirus or EDR agents.
  • Audit Signer Certificates on New Binaries: Inventory recently installed or recently written executables and inspect the certificate that signed them, specifically looking for signers whose certificate validity window is only a few days, or whose thumbprint matches a published blocklist. A signature that validates is not evidence that a file is benign.
  • Block Compromised Hashes: Ingest the Indicators of Compromise (IOCs) and certificate hashes published by Microsoft Threat Intelligence to block known legacy signed payloads.
  • Restrict Application Installation: Enforce strict application control policies (such as AppLocker or Windows Defender Application Control) to restrict software execution to a pre-approved list of enterprise applications.
  • User Education on Downloads: Educate staff, particularly IT support teams, about the dangers of downloading utilities from sponsored search engine links, emphasizing the use of internal software repositories.
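The certificate audit above is the step most teams have no ready tooling for. The following PowerShell script is an added example, not code from the original article or from Microsoft; it walks recently written PE files, reads the Authenticode signer certificate with Get-AuthenticodeSignature, and flags files whose signer certificate lived for 72 hours or less or whose signer thumbprint appears in a blocklist file. The scan paths, the 30-day window, the 72-hour threshold and the blocklist format are assumptions for illustration; the thumbprints you feed it should come from Microsoft Threat Intelligence’s published indicators, not from this example.

```powershell
<#
  Added example, not part of the original article or of any Microsoft tool.
  Hunts for recently written PE files signed by short-lived certificates
  (the article reports Fox Tempest certificates were valid for ~72 hours)
  or by a signer thumbprint on a blocklist. Paths, thresholds and the
  blocklist format are assumptions; populate the blocklist from published IOCs.
#>
param(
    [string[]]$ScanPaths = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA", "$env:TEMP"),
    [int]$MaxValidityHours = 72,      # assumed threshold: flag certs valid for this long or less
    [int]$NewerThanDays = 30,         # assumed window: only look at recently written files
    [string]$BlocklistPath = $null    # optional: text file with one SHA-1 signer thumbprint per line
)

# Load the optional thumbprint blocklist into a hashtable for O(1) lookups.
$blocklist = @{}
if ($BlocklistPath -and (Test-Path $BlocklistPath)) {
    Get-Content $BlocklistPath | ForEach-Object {
        $t = $_.Trim().ToUpperInvariant()
        if ($t) { $blocklist[$t] = $true }
    }
}

$cutoff = (Get-Date).AddDays(-$NewerThanDays)

$findings = foreach ($root in $ScanPaths) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            # Get-AuthenticodeSignature builds the chain via WinVerifyTrust; a timestamped
            # signature still reports Valid after the signer certificate has expired.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }

            $cert = $sig.SignerCertificate
            $validityHours = ($cert.NotAfter - $cert.NotBefore).TotalHours
            $thumb = $cert.Thumbprint.ToUpperInvariant()

            $reasons = @()
            if ($validityHours -le $MaxValidityHours) {
                $reasons += "short-lived signer cert ($([math]::Round($validityHours, 1))h validity)"
            }
            if ($blocklist.ContainsKey($thumb)) {
                $reasons += 'signer thumbprint on blocklist'
            }
            if ($reasons.Count -eq 0) { return }

            [pscustomobject]@{
                Path       = $_.FullName
                LastWrite  = $_.LastWriteTime
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Thumbprint = $thumb
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Reason     = ($reasons -join '; ')
            }
        }
}

# Print a triage table; pipe $findings to Export-Csv to hand off to IR.
$findings | Sort-Object LastWrite -Descending |
    Format-Table Path, Subject, NotBefore, NotAfter, Reason -AutoSize
```

Run it from an elevated PowerShell session so the Program Files trees are readable, and pass -BlocklistPath with the thumbprints from the vendor’s IOC list. Treat every hit as a lead rather than a verdict: legitimate publishers also use short-lived certificates from the same service, so the Subject and Issuer columns, the file’s origin (a sponsored search result versus your internal repository) and the SHA256 against known-good inventories are what turn a flag into a finding.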

The disruption of the Fox Tempest malware-signing ring sends a clear message to the cybercrime underground. By targeting the specialized service providers that facilitate the broader threat landscape, security forces can create a massive bottleneck. This increases both the cost and operational difficulty for ransomware operators worldwide.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.