Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service Platform Tied to Ransomware Gangs


What happened

Microsoft unsealed a legal case in US District Court on Tuesday detailing the disruption of Fox Tempest, a malware-signing-as-a-service platform that has operated since May 2025, providing ransomware affiliates and cybercriminals with code-signing tools that made malicious software appear legitimate to security controls. Microsoft seized Fox Tempest’s website, took hundreds of virtual machines offline, blocked access to the underlying code repository, and revoked over 1,000 fraudulent code-signing certificates attributed to the operation.

Fox Tempest abused Microsoft’s Artifact Signing service to generate short-lived, fraudulent code-signing certificates. Ransomware affiliates tied to Rhysida, INC, Qilin, and Akira uploaded malware to the platform, had it signed, and then distributed it through fake websites impersonating legitimate software downloads including AnyDesk, Teams, PuTTY, and Webex. The signed malware was also delivered through purchased advertisements. Microsoft security officials identified Fox Tempest-signed malware families including Oyster, Lumma Stealer, and Vidar being used in attacks targeting organizations in the US, China, France, and India. Cryptocurrency payment analysis showed the platform was paid millions of dollars by ransomware affiliates.

Fox Tempest operated as a structured criminal business with departments handling infrastructure creation, customer relations, and financial transactions. It created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations, charging users thousands of dollars per engagement. Microsoft described the operation as evidence of how the cybercriminal ecosystem is evolving toward specialized service providers that allow threat actors to scale attacks and bypass defenses without building capabilities in-house.

Who is affected

Organizations in the US, China, France, and India are confirmed targets of attacks enabled by Fox Tempest’s signing services. The broader affected population includes any organization whose security controls were bypassed by Fox Tempest-signed malware, across all of the ransomware affiliates that used the platform, including victims of Rhysida, INC, Qilin, and Akira.

Why CISOs should care

Fox Tempest illustrates a meaningful evolution in the criminal service economy. Code signing has long been a trust mechanism that security tools use to distinguish legitimate software from malware. When that mechanism is systematically abused at scale through a dedicated service, the downstream effect is that signed malware passes security checks that unsigned malware would not. The platform’s structured, service-oriented model, complete with customer relations and financial transaction departments, reflects the same professionalization dynamic seen in ransomware-as-a-service and phishing-as-a-service operations.

The revocation of over 1,000 certificates also means that any organization with previously signed Fox Tempest malware still present in its environment may find that the malware is now detectable where it previously was not, which makes this a useful prompt for retrospective hunting.

3 practical actions

  1. Hunt for Fox Tempest-associated malware families across your environment using the newly revoked certificate indicators: Microsoft has revoked over 1,000 certificates associated with Fox Tempest. Update your endpoint security tools to incorporate the revoked certificate list and run a retrospective scan for Oyster, Lumma Stealer, and Vidar infections that may have previously evaded detection due to valid signing.
  2. Implement application control policies that go beyond code signing validation: Fox Tempest demonstrates that signed certificates cannot be treated as a reliable trust signal for software legitimacy. Supplement signature-based trust with allowlisting of known-good application hashes, behavioral analysis, and reputation checks that account for newly signed but previously unknown executables.
  3. Audit Azure tenant and subscription creation for anomalous patterns: Fox Tempest created hundreds of Azure tenants and subscriptions to support its signing infrastructure. If your organization uses Azure, review tenant and subscription creation logs for unauthorized or anomalous activity, and ensure that access to Microsoft Artifact Signing and similar developer credential services is restricted to verified organizational accounts.
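The following PowerShell script is an added example for actions 1 and 2; it is not part of the article and is not Microsoft's tooling. It walks a set of directories on a Windows endpoint, reads each binary's Authenticode signer, and flags files whose signer thumbprint appears on a revoked-certificate list, whose signer certificate had an unusually short validity window (the kind of short-lived certificate the article says Fox Tempest generated), whose signature does not validate, or whose SHA-256 is not on a hash allowlist. The file names `revoked-thumbprints.txt` and `allowed-sha256.txt`, the scan roots, and the 7-day threshold are all assumptions; the article publishes no certificate list, so the revoked thumbprints must come from your endpoint vendor or Microsoft's feed.

```powershell
# Added example, not from the article or from Microsoft.
# Retrospective hunt for binaries signed with revoked or short-lived certificates,
# plus a hash allowlist check so that a valid signature alone is never treated as trust.
# Assumed inputs: .\revoked-thumbprints.txt (one SHA-1 thumbprint per line, uppercase hex)
# and .\allowed-sha256.txt (one SHA-256 per line of approved binaries). Both are placeholders.

param(
    [string[]]$ScanRoots = @("$env:ProgramData", "$env:USERPROFILE\Downloads", "$env:TEMP"),
    [string]$RevokedListPath = '.\revoked-thumbprints.txt',
    [string]$AllowListPath   = '.\allowed-sha256.txt',
    [int]$ShortLivedDays     = 7   # triage heuristic chosen for this example, not a Microsoft value
)

# Load both lists into hashtables for O(1) lookups; missing files simply yield empty sets.
$revoked = @{}
if (Test-Path $RevokedListPath) {
    Get-Content $RevokedListPath | ForEach-Object { $revoked[$_.Trim().ToUpper()] = $true }
}
$allowed = @{}
if (Test-Path $AllowListPath) {
    Get-Content $AllowListPath | ForEach-Object { $allowed[$_.Trim().ToUpper()] = $true }
}

$findings = foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll, *.msi -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file    = $_
        $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
        $hash    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $cert    = $sig.SignerCertificate
        $reasons = @()

        if ($cert) {
            # Action 1: the signer's thumbprint is on the revoked list.
            if ($revoked.ContainsKey($cert.Thumbprint.ToUpper())) {
                $reasons += 'signer certificate is on the revoked list'
            }
            # Short validity window: a triage signal for signing-service abuse, not a verdict.
            $lifetime = ($cert.NotAfter - $cert.NotBefore).TotalDays
            if ($lifetime -le $ShortLivedDays) {
                $reasons += "short-lived signer certificate ($([math]::Round($lifetime, 1)) days)"
            }
        }
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        }
        # Action 2: even a valid signature is not enough; the hash must be on the allowlist.
        if (-not $allowed.ContainsKey($hash)) {
            $reasons += 'SHA-256 not on the application allowlist'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path       = $file.FullName
                SHA256     = $hash
                Signer     = if ($cert) { $cert.Subject } else { '<unsigned>' }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
                NotBefore  = if ($cert) { $cert.NotBefore } else { $null }
                NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Reasons | Format-Table -AutoSize
    $findings | Export-Csv -Path '.\signing-hunt-findings.csv' -NoTypeInformation
} else {
    Write-Host 'No binaries matched any hunt criterion under the scanned roots.'
}
```

Run it from an elevated PowerShell session so the scan roots are readable, and feed the resulting CSV into your case management rather than acting on it directly. The short-lifetime check is deliberately noisy: Microsoft's Artifact Signing service legitimately issues short-lived certificates, so a hit on that criterion alone means "examine this signer", not "this is Fox Tempest"; a revoked-thumbprint match or a known Oyster, Lumma Stealer or Vidar hash is the stronger signal. The allowlist check is what operationalizes action 2: a binary with a clean signature still surfaces as a finding until someone has approved its hash.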

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.