
Microsoft has disrupted a major cybercrime operation known as Fox Tempest, a “malware-signing-as-a-service” platform that helped ransomware gangs and malware operators disguise malicious software as legitimate applications. The takedown was carried out through Microsoft’s Digital Crimes Unit alongside industry partners and law enforcement agencies.
According to Microsoft, Fox Tempest abused the company’s Artifact Signing infrastructure to generate short-lived but trusted-looking code-signing certificates that allowed malware to bypass security controls and appear legitimate to users and systems. Attackers reportedly used the service to sign malware disguised as common software tools including AnyDesk, Microsoft Teams, PuTTY, and Webex.
Microsoft stated that Fox Tempest had been operating since at least May 2025 and created more than 1,000 fraudulent code-signing certificates while establishing hundreds of Azure tenants and subscriptions to support its operations. The company revoked over 1,000 certificates linked to the service and seized associated infrastructure, domains, and cloud resources.
The operation reportedly functioned as a professionalized cybercrime business offering malware-signing services to other threat actors. Customers allegedly paid between $5,000 and $9,000 for access depending on service tiers and infrastructure support. Higher-paying customers reportedly received preconfigured virtual machines for automated malware signing workflows.
Microsoft linked Fox Tempest to multiple ransomware and malware campaigns involving groups such as Vanilla Tempest, Storm-0501, Storm-0249, and Storm-2561. Malware families associated with the service reportedly included Rhysida ransomware, Lumma Stealer, Oyster, Vidar, Akira, INC, and Qilin.
Researchers explained that the service’s primary value came from abusing digital trust mechanisms rather than directly compromising victims. By digitally signing malware with trusted certificates, attackers increased the likelihood that malicious files would evade antivirus systems, SmartScreen warnings, and reputation-based security tools.
Microsoft also revealed that Fox Tempest operated openly through Telegram-based channels where customers coordinated payments, infrastructure access, and certificate requests. The company described the operation as a centralized criminal service business rather than a loosely connected underground network.
As part of the disruption effort, Microsoft filed legal action in U.S. federal court to seize infrastructure and compel service providers to suspend malicious resources associated with the operation. The company said the downstream impact of Fox Tempest-supported campaigns affected organizations across healthcare, education, financial services, and government sectors in countries including the United States, France, India, and China.
Cybersecurity experts say the case highlights how modern ransomware ecosystems have become increasingly specialized, with different criminal groups focusing on distinct services such as initial access brokerage, malware development, infrastructure hosting, phishing operations, and now trusted code-signing abuse.
Microsoft warned that code-signing certificates should no longer be treated as standalone indicators of software safety. The company recommended layered defenses including behavioral detection, endpoint monitoring, application control policies, tamper protection, Safe Links, Safe Attachments, and stronger identity protections to reduce risks from trusted-looking malicious software.
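The following PowerShell script is an added defensive example, not Microsoft's tooling or anything distributed with the disruption: it treats an Authenticode signature as one signal among several, as the recommendation above suggests, by flagging binaries whose signature does not validate (revoked certificates surface here as a non-Valid status), whose signing certificate has an unusually short lifetime, or whose file name suggests one of the impersonated products (AnyDesk, Teams, PuTTY, Webex) while the signer's subject does not name the expected vendor. The scan path, the 30-day lifetime threshold and the vendor name tokens in the hashtable are assumptions for illustration and should be checked against known-good copies in your own environment.

```powershell
# Added example, not Microsoft's code: triage signed binaries instead of trusting
# a valid Authenticode signature on its own.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",  # assumption: folder to scan
    [int]$MaxCertLifetimeDays = 30                 # assumption: what counts as "short-lived"
)

# Vendor tokens expected in the signer subject for commonly impersonated products.
# These strings are assumptions for illustration; confirm them against golden copies.
$ExpectedPublisher = @{
    'anydesk' = 'AnyDesk'
    'teams'   = 'Microsoft'
    'putty'   = 'Simon Tatham'
    'webex'   = 'Cisco'
}

function Test-SignedBinary {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig      = Get-AuthenticodeSignature -FilePath $FilePath
    $findings = New-Object System.Collections.Generic.List[string]

    # Signal 1: anything other than Valid (NotSigned, HashMismatch, NotTrusted,
    # including chains broken by certificate revocation) is worth a look.
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status: $($sig.Status)")
    }

    $cert = $sig.SignerCertificate
    if ($cert) {
        # Signal 2: a signing certificate valid for only days or weeks is unusual
        # for an established publisher.
        $lifetimeDays = ($cert.NotAfter - $cert.NotBefore).TotalDays
        if ($lifetimeDays -le $MaxCertLifetimeDays) {
            $findings.Add(("short-lived signing cert: {0:N0} days ({1:d} to {2:d})" -f
                $lifetimeDays, $cert.NotBefore, $cert.NotAfter))
        }

        # Signal 3: the file name claims a well-known product but the signer
        # subject does not mention the vendor you expect.
        $name = [System.IO.Path]::GetFileName($FilePath).ToLowerInvariant()
        foreach ($product in $ExpectedPublisher.Keys) {
            $vendor = $ExpectedPublisher[$product]
            if ($name -like "*$product*" -and $cert.Subject -notlike "*$vendor*") {
                $findings.Add("name suggests '$product' but signer is '$($cert.Subject)'")
            }
        }
    }

    [pscustomobject]@{
        File       = $FilePath
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Findings   = $findings -join '; '
    }
}

# Walk the folder and show only files that tripped at least one signal.
Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi |
    ForEach-Object { Test-SignedBinary -FilePath $_.FullName } |
    Where-Object { $_.Findings } |
    Format-Table File, Status, Signer, Findings -AutoSize
```

Run it as `.\Test-SignedBinaries.ps1 -Path C:\Staging -MaxCertLifetimeDays 45` to scan a different folder or tighten the lifetime threshold. The design point is that none of the three signals is conclusive by itself: a legitimate vendor may occasionally sign with a short-lived certificate, and a fraudulently obtained certificate may validate cleanly until it is revoked, so the output is meant to feed the behavioral detection, application control and endpoint monitoring layers the article recommends rather than to replace them. The `Thumbprint` column is included so that flagged signers can be matched against revocation lists or blocked in an application control policy.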