Microsoft Disrupts Malware-Signing Service Run by 'Fox Tempest'

Microsoft announced on Tuesday that it has disrupted a cybercrime service that has been helping threat actors distribute ransomware and other malware.

According to the tech giant, a threat actor it has named Fox Tempest has been running a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to generate short-lived code-signing certificates. The certificates are used to sign malware disguised as legitimate software, helping it evade detection.

“Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest,” the company explained.

Microsoft has been tracking Fox Tempest since September 2025 and says its services have been used by several ransomware groups, including Vanilla Tempest, which the company targeted in October 2025. The MSaaS has been used to deliver ransomware such as Rhysida, Inc, Qilin, and Akira.

In addition to ransomware, Fox Tempest has aided the distribution of malware families such as Lumma Stealer, Oyster, and Vidar.

Microsoft Disrupts Malware-Signing Service Run by 'Fox Tempest'

Other newsrooms on this story

Related reading

Cybercrime service disrupted for abusing Microsoft platform to sign malware

Microsoft disrupts service helping ransomware gangs disguise malware

Microsoft disrupts cybercrime service offering malware disguised as legitimate…

Microsoft shuts down illegal code-signing operation used by ransomware crims to…

Warning Issued As Hackers Give Microsoft Windows The Finger: Report

Microsoft, DOJ take down Lumma Stealer malware sites - UPI.com