Microsoft Disrupts Malware-Signing Service Run by 'Fox Tempest'

Microsoft Disrupts Malware-Signing Service Run by 'Fox Tempest'

Briefly

"Fox Tempest has been running a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to generate short-lived code-signing certificates. The certificates are used to sign malware disguised as legitimate software, helping it evade detection. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest, the company explained."

"Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest. Microsoft has been tracking Fox Tempest since September 2025 and says its services have been used by several ransomware groups, including Vanilla Tempest, which the company targeted in October 2025."

"The MSaaS has been used to deliver ransomware such as Rhysida, Inc, Qilin, and Akira. In addition to ransomware, Fox Tempest has aided the distribution of malware families such as Lumma Stealer, Oyster, and Vidar. The downstream impact of these operations has resulted in attacks against a broad range of industry sectors, including healthcare, education, government, and financial services, impacting organizations globally including, but not limited to the United States, France, India, and China."

"In an effort to disrupt the cybercrime operation, Microsoft seized core infrastructure, removed fraudulent accounts, and strengthened verification processes for the abused services. The company filed a lawsuit targeting Fox Tempest and Vanilla Tempest. In cybercrime disruption operations, lawsuits serve as powerful legal mechanisms to seize malicious domains, dismantle server infrastructure, a"