Microsoft DCU Disrupts Fox Tempest, a Ransomware-Enabling Malware-Signing Service
Microsoft's Digital Crimes Unit has disrupted Fox Tempest, a cybercrime group that sold a malware-signing-as-a-service tool used by Rhysida ransomware and other malware families to bypass security defenses.

Microsoft's Digital Crimes Unit (DCU) has taken down the infrastructure of Fox Tempest, a financially motivated threat actor that operated a malware-signing-as-a-service (MSaaS) platform enabling ransomware groups like Rhysida to sign malicious binaries with valid certificates. The operation, detailed in a civil court action unsealed on May 19 in the U.S. District Court for the Southern District of New York, marks the first time Microsoft has publicly targeted an upstream enabler in the cybercrime supply chain.
Fox Tempest, active since at least May 2025, did not conduct ransomware attacks itself. Instead, it sold code-signing certificates that allowed other criminals to disguise malware as legitimate software, evading endpoint protections. According to Maurice Mason, principal cybercrime investigator at Microsoft's DCU, the group operated "in the upstream in the malware and ransomware supply chain, as an enabler." The service was offered at tiers ranging from $5,000 for the standard queue to $9,500 for expedited signing, making it accessible even to non-technical buyers.
The group's signing tool was built by abusing Microsoft's own Artifact Signing platform (formerly Trusted Signing), a legitimate service designed to help developers verify software integrity. Fox Tempest fraudulently obtained certificates via that system. The signed payloads were identified in Rhysida ransomware attacks as well as in campaigns deploying Aurora, Lumma Stealer, Malcert, Oyster, Vidar, and other malware strains. Microsoft also noted the tool was used in some operations attributed to MuddyWater, an Iranian state-linked espionage group.
The DCU investigation began with undercover engagement with an access broker known as SamCodeSign, who had been selling certificates since 2020. The team mapped Fox Tempest's infrastructure, which initially relied on UK-based Freak Hosting and Estonia-based Wavecom, and later shifted to Cloudzy, a VPS provider in Dubai. On May 5, Microsoft filed a civil action and obtained a court order three days later. The DCU then transferred the group's malicious domains to a Microsoft-owned sinkhole, disabled hundreds of Cloudzy-hosted virtual machines, took down approximately 1,000 accounts, and suspended the group's repository.
Following the takedown, Microsoft observed a significant decrease in certificates generated by Fox Tempest. The company is now working with the FBI and Europol's European Cybercrime Centre (EC3) to identify the individuals behind the group. Steven Masada, global head of Microsoft DCU, emphasized the broader significance: "For the first time, Microsoft is taking public action against a powerful, but often unseen, enabler within the cybercrime ecosystem."
Fox Tempest's primary customers included the Rhysida ransomware group (tracked by Microsoft as Vanilla Tempest), which has been linked to high-profile attacks on the British Library in October 2023 and Seattle-Tacoma International Airport in September 2024. The takedown disrupts a critical supply-chain node that allowed ransomware operators to achieve code-signing legitimacy, a technique that has become increasingly common as defenders rely on digital signatures as a trust signal.
The operation highlights a growing trend in law enforcement targeting not just ransomware affiliates but also the service providers that equip them. By removing the ability to easily sign malware with valid certificates, Microsoft has forced ransomware actors to seek alternative, likely less reliable, methods to bypass detection. The move also underscores the dual-use risk of legitimate code-signing platforms when their abuse is not aggressively policed.
Microsoft's Digital Crimes Unit revealed that Fox Tempest sold over 1,000 fraudulent code-signing certificates for up to $9,500 each, enabling ransomware groups including Rhysida, Vanilla Tempest, and Storm-0501 to bypass security controls. The operation, tracked since September 2025, abused Microsoft's Artifact Signing system by fabricating identities and was linked to malware families such as Oyster, Lumma Stealer, and Vidar, as well as to the MuddyWater group. Microsoft seized the group's website, deleted over 1,000 accounts, and took down hundreds of virtual machines, though officials acknowledged the disruption may only temporarily raise costs for attackers.
Microsoft revealed that Fox Tempest abused its own Artifact Signing service to generate short-lived code-signing certificates, creating over a thousand certificates and establishing hundreds of Azure tenants. The malware-signing-as-a-service operation, tracked since September 2025, enabled ransomware groups including Vanilla Tempest, Rhysida, Inc, Qilin, and Akira, as well as malware families like Lumma Stealer, Oyster, and Vidar. Microsoft seized core infrastructure, removed fraudulent accounts, and filed a lawsuit targeting both Fox Tempest and Vanilla Tempest as part of the disruption.
The Record reports that Microsoft unsealed the legal case in U.S. District Court on Tuesday, revealing that Fox Tempest abused Microsoft's Artifact Signing service to create over a thousand short-lived certificates and established hundreds of Azure tenants. The operation charged ransomware affiliates thousands of dollars and was used by groups including Rhysida, INC, Qilin, and Akira to sign malware families such as Oyster, Lumma Stealer, and Vidar. Microsoft seized the Fox Tempest website, took hundreds of virtual machines offline, and revoked over 1,000 certificates, with cryptocurrency analysis showing the service was paid millions of dollars by ransomware affiliates targeting organizations in the U.S., China, France, and India.
Court documents unsealed Tuesday reveal that the Fox Tempest operation, active since May 2025, used fake identities to create over 580 fraudulent Microsoft accounts and abused the Artifact Signing service to obtain legitimate code-signing certificates, which were then sold for $5,000 to $9,500. Microsoft's Digital Crimes Unit, working with a cooperating source, conducted test purchases that confirmed the service was used by Vanilla Tempest (Vice Society/Rhysida) to sign malware including the Oyster backdoor, Lumma and Vidar stealers, and Rhysida ransomware. The investigation further linked Fox Tempest to INC, Qilin, and Akira ransomware affiliates, and identified thousands of impacted customer machines in the U.S., including more than a dozen owned by Microsoft.
BleepingComputer's report adds that Microsoft unsealed a legal case in the U.S. District Court for the Southern District of New York targeting the operation, naming Vanilla Tempest (INC Ransomware) as a co-conspirator. The article also details that Fox Tempest used stolen identities from the U.S. and Canada to pass Microsoft's identity verification, and that the service was promoted on a Telegram channel named 'EV Certs for Sale by SamCodeSign' with pricing ranging from $5,000 to $9,000 in bitcoin. Additionally, the platform later evolved to provide customers with pre-configured virtual machines hosted through Cloudzy infrastructure, allowing them to upload malware and receive signed binaries using Fox Tempest-controlled certificates.
Microsoft's detailed analysis reveals Fox Tempest created over a thousand certificates and hundreds of Azure tenants, enabling ransomware groups like Vanilla Tempest, Storm-0501, and Storm-2561 to deploy Rhysida ransomware, Oyster, Lumma Stealer, and Vidar. The operation impacted healthcare, education, government, and financial sectors globally; cryptocurrency analysis linked the actor to ransomware affiliates responsible for INC, Qilin, and Akira, with proceeds in the millions. Microsoft's Digital Crimes Unit, with Resecurity, took down the signspace[.]cloud infrastructure in May 2026.
Microsoft's Digital Crimes Unit seized the Fox Tempest website signspace[.]cloud, took down hundreds of virtual machines, and blocked access to the underlying code. The operation enabled Rhysida ransomware and other malware like Oyster, Lumma Stealer, and Vidar, and was linked to affiliates of INC, Qilin, BlackByte, and Akira ransomware. Fox Tempest used stolen identities to obtain fraudulent code-signing certificates valid for 72 hours, and later shifted to providing pre-configured VMs hosted on Cloudzy. Microsoft worked with a cooperative source to purchase and test the service between February and March 2026.
Malwarebytes' coverage adds that Fox Tempest's certificates were valid for only 72 hours, forcing attackers to repeatedly re-sign payloads, and that the signed malware masqueraded as AnyDesk, Teams, PuTTY, and Webex to evade detection. The report also details the broad impact across healthcare, education, government, and financial sectors globally, and emphasizes that code signing alone should not be treated as a standalone security control.
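The two traits reported above, certificates valid for only 72 hours and binaries masquerading as AnyDesk, Teams, PuTTY, or Webex, are exactly what a defender can check for instead of treating a "Valid" signature as the end of the decision. The following PowerShell function is an added example written for this page; it is not Microsoft's tooling and not code from any of the reports cited. It verifies the Authenticode signature, then flags two things on top of the status: a signer certificate whose validity window is unusually short (the 4-day threshold is an assumption chosen to catch 72-hour certificates), and a mismatch between the vendor the file claims in its version resource and the organisation named in the signer certificate. The sample path in the usage line is a placeholder.

```powershell
# Added example (not from the article or from Microsoft): layered triage of a
# signed Windows executable. A valid signature only proves that *someone* with a
# certificate signed the file; the checks below add the context a triage analyst
# would want before trusting it.
function Test-SignedBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Assumption: certificates with a lifetime at or under this many days are
        # treated as short-lived (72-hour certificates fall well under it).
        [int]$ShortLivedDays = 4
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Status covers chain validation, revocation (where available) and tampering.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status is '$($sig.Status)'")
    }

    $cert = $sig.SignerCertificate
    $signerOrg = $null
    if ($null -ne $cert) {
        # Check 1: certificate lifetime. Short-lived certificates are legitimate in
        # some signing services, so this is a prompt for scrutiny, not a verdict.
        $lifetime = $cert.NotAfter - $cert.NotBefore
        if ($lifetime.TotalDays -le $ShortLivedDays) {
            $findings.Add(("short-lived signer certificate: {0:N1} days ({1:u} to {2:u})" -f
                $lifetime.TotalDays, $cert.NotBefore.ToUniversalTime(), $cert.NotAfter.ToUniversalTime()))
        }

        # Pull the O= attribute out of the subject DN; quoted values may contain commas.
        if ($cert.Subject -match '(?:^|,\s*)O=("(?<org>[^"]*)"|(?<org>[^,]*))') {
            $signerOrg = $Matches['org'].Trim()
        }
    }

    # Check 2: does the vendor the file claims to be from match who signed it?
    # A file presenting itself as a well-known remote-access or collaboration
    # product but signed by an unrelated organisation is the masquerade pattern
    # described in the coverage. Resellers and contract developers can produce
    # benign mismatches, so treat this as a lead for further checks.
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $claimedVendor = $info.CompanyName
    if ($claimedVendor -and $signerOrg) {
        $claimedVendor = $claimedVendor.Trim()
        $related = ($claimedVendor -like "*$signerOrg*") -or ($signerOrg -like "*$claimedVendor*")
        if (-not $related) {
            $findings.Add("vendor mismatch: file claims '$claimedVendor' (product '$($info.ProductName)') but signer is '$signerOrg'")
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { $null }
        Product    = $info.ProductName
        Suspicious = $findings.Count -gt 0
        Findings   = $findings
    }
}

# Usage (placeholder path): triage one download, or sweep a folder for binaries
# that are signed but still deserve a second look.
# Test-SignedBinary -Path 'C:\Users\Public\Downloads\AnyDesk.exe' | Format-List
# Get-ChildItem 'C:\Users\Public\Downloads' -Filter *.exe |
#     ForEach-Object { Test-SignedBinary -Path $_.FullName } |
#     Where-Object Suspicious | Format-Table Path, Status, Findings -Wrap
```

Neither check is a detection on its own: Microsoft's own Artifact Signing issues short-lived certificates to legitimate developers, and a product can be signed by a parent company rather than the brand on the box. The value is in combining the signature status with these attributes and with prevalence data from an EDR or allow-listing system, which is what "code signing should not be a standalone control" means in practice.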