Fox Tempest Malware Signing Service Disrupted

Summary

Microsoft has disrupted Fox Tempest, a malware-signing-as-a-service operation that helped cybercriminals make ransomware and other malware appear legitimately signed. The takedown matters because the group abused Microsoft Artifact Signing, created more than 1,000 fraudulent certificates, and enabled attacks that could bypass security controls more easily.

Introduction

Microsoft has detailed the disruption of Fox Tempest, a financially motivated threat actor that operated a malware-signing-as-a-service (MSaaS) platform for other cybercriminals. This is significant for security teams because signed malware is more likely to evade defenses, appear trustworthy to users, and succeed in ransomware delivery.

What’s new

Microsoft disrupts Fox Tempest infrastructure

  • In May 2026, Microsoft’s Digital Crimes Unit (DCU), with industry partners, disrupted Fox Tempest’s service and supporting infrastructure.
  • Microsoft also revoked more than 1,000 code-signing certificates linked to the operation.

Abuse of Microsoft Artifact Signing

  • Fox Tempest abused Microsoft Artifact Signing (formerly Azure Trusted Signing) to obtain short-lived certificates valid for 72 hours.
  • These certificates made malware look legitimately signed, helping threat actors bypass some security controls.

Broad cybercrime enablement

  • Microsoft says Fox Tempest enabled the delivery of Rhysida ransomware and malware families including Oyster, Lumma Stealer, and Vidar.
  • The actor has been linked to ransomware activity involving groups such as Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249.

Evolving delivery model

  • The service initially operated through signspace[.]cloud, where customers uploaded files for signing.
  • In early 2026, Fox Tempest shifted to pre-configured VMs hosted through Cloudzy, streamlining signed malware delivery for customers.

Why it matters for defenders

Fox Tempest did not directly attack victims. Instead, it provided a critical supporting service to ransomware affiliates and malware operators. That makes this case especially important for IT and security administrators: disrupting access to trusted code-signing can reduce the effectiveness of downstream attacks across multiple threat groups.

Organizations in healthcare, education, government, and financial services were among those affected globally. Because signed binaries can appear legitimate, defenders should not treat digital signatures alone as proof that software is safe. A valid Authenticode signature proves only that the signer held a key issued by a CA; it says nothing about the signer's intent. A timestamped signature also remains valid after the signing certificate expires, so the 72-hour certificate lifetime does not limit how long a signed malware sample stays usable once it is in the wild.

  • Review Microsoft Defender detections and indicators of compromise published with the report.
  • Hunt for suspicious signed binaries, especially those masquerading as common tools such as AnyDesk, Teams, PuTTY, or Webex.
  • Investigate recent malware activity tied to malvertising, SEO poisoning, and fake software downloads.
  • Tighten controls around application execution, including allowlisting and reputation-based protection.
  • Monitor for unusual Azure-related artifacts, suspicious certificate usage, and signing certificates with very short validity windows (Artifact Signing issues 72-hour certificates, so a short lifetime alone is not malicious, but it is a useful pivot when combined with an unexpected signer or product name).
  • Educate users to verify software sources and avoid sponsored or poisoned search results.
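As an added example (not code from Microsoft's report or from the page above), the following PowerShell function implements two of the hunts listed: it walks a directory tree, reads each signed executable's Authenticode certificate, and flags files whose certificate was valid for three days or less, or whose embedded product name claims to be one of the impersonated tools (AnyDesk, Teams, PuTTY, Webex) while the signer subject does not match the expected publisher. The three-day threshold and the product-to-publisher mapping are assumptions for illustration; adjust them to your environment.

```powershell
# Added hunting example, not part of the original post.
# Flags signed PE files that (a) carry a short-lived code-signing certificate
# or (b) claim a well-known product name but are signed by someone else.
# The threshold and the publisher map below are assumptions for illustration.

function Get-SuspiciousSignedBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # Artifact Signing certificates live about 72 hours; anything at or under
        # this lifetime is worth a second look (assumed threshold).
        [int] $MaxCertLifetimeDays = 3,
        # Product name substring -> expected signer substring (assumed mapping).
        [hashtable] $ExpectedPublisher = @{
            'AnyDesk' = 'AnyDesk'
            'Teams'   = 'Microsoft'
            'PuTTY'   = 'Simon Tatham'
            'Webex'   = 'Cisco'
        }
    )

    foreach ($file in Get-ChildItem -Path $Path -File -Recurse -Include *.exe, *.dll, *.msi) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        # Unsigned files are a separate hunt; this function only looks at signed ones.
        if (-not $sig.SignerCertificate) { continue }

        $cert     = $sig.SignerCertificate
        $lifetime = $cert.NotAfter - $cert.NotBefore
        $reasons  = @()

        # Signal 1: very short certificate validity window.
        if ($lifetime.TotalDays -le $MaxCertLifetimeDays) {
            $reasons += "short-lived cert ($([int]$lifetime.TotalHours)h)"
        }

        # Signal 2: product name masquerading as a common tool, signer does not match.
        $product = $file.VersionInfo.ProductName
        foreach ($name in $ExpectedPublisher.Keys) {
            if ($product -like "*$name*" -and $cert.Subject -notlike "*$($ExpectedPublisher[$name])*") {
                $reasons += "product '$product' signed by '$($cert.Subject)'"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path        = $file.FullName
                # Note: Status can still be 'Valid' after NotAfter if the signature
                # was timestamped, which is why lifetime is checked separately.
                Status      = $sig.Status
                Signer      = $cert.Subject
                Issuer      = $cert.Issuer
                NotBefore   = $cert.NotBefore
                NotAfter    = $cert.NotAfter
                Timestamped = [bool]$sig.TimeStamperCertificate
                Reason      = $reasons -join '; '
            }
        }
    }
}

# Usage (example): scan user profiles and download folders, where
# malvertising and SEO-poisoning lures usually land.
Get-SuspiciousSignedBinary -Path 'C:\Users' | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: legitimate Artifact Signing customers also receive 72-hour certificates, so the short-lifetime signal is most useful when paired with the signer mismatch, an unexpected issuer, or a file that arrived via a browser download rather than a managed deployment channel. The Issuer and Signer columns give you the pivot into Microsoft's published IOCs and revocation list.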

Bottom line

The Fox Tempest disruption highlights how trusted-signing abuse has become a force multiplier for ransomware operators. Security teams should use Microsoft’s published detections and IOCs to validate exposure, strengthen defenses, and reduce the risk from signed malware.


Microsoft Threat Intelligence uncovered a malicious Chromium extension that spoofed Perplexity AI branding to intercept browser searches and search suggestions through attacker-controlled infrastructure. The finding matters because it shows how threat actors are using trusted AI brands and browser extension permissions to capture user input, redirect traffic, and increase privacy and security risk in enterprise environments.