Fox Tempest Malware-Signing Service Abused Microsoft Artifact Signing to Certify Malware

A financially motivated threat actor known as Fox Tempest has been operating a sophisticated malware-signing-as-a-service (MSaaS) platform that abused Microsoft’s Artifact Signing infrastructure to generate trusted digital signatures for malicious code.

This activity enabled cybercriminals to bypass security controls and distribute malware that appeared to be legitimately signed.

In May 2026, Microsoft’s Digital Crimes Unit (DCU), in collaboration with Resecurity, disrupted the group’s infrastructure, revoking more than 1,000 fraudulent certificates linked to the operation.

Abuse of Microsoft Artifact Signing

Fox Tempest leveraged Microsoft’s Artifact Signing service (formerly Azure Trusted Signing) to obtain short-lived code-signing certificates valid for up to 72 hours.

These certificates enabled attackers to sign malware binaries so they appeared as trusted applications, including spoofed versions of popular software such as Microsoft Teams, AnyDesk, PuTTY, and Webex.

To obtain these certificates, the threat actor likely used stolen or synthetic identities from the United States and Canada to pass Microsoft’s identity verification checks.

The operation was facilitated through a now-defunct platform, signspace[.]cloud, which provided a user interface that allowed customers to upload malicious files and receive digitally signed binaries.

Microsoft Threat Intelligence has tracked Fox Tempest since September 2025, identifying it as a key enabler within the ransomware ecosystem rather than a direct attacker.

Figure: Accessing a VM provided by Fox Tempest (source: Microsoft)

The group created hundreds of Azure tenants and subscriptions to support its operations and issued thousands of certificates at scale.

In early 2026, Fox Tempest evolved its infrastructure by offering pre-configured virtual machines (VMs) hosted on third-party providers.

These VMs enabled customers to upload payloads directly into controlled environments, where automated scripts and configuration files (e.g., metadata.json and PowerShell scripts) were used to efficiently sign malware.

This shift improved the group's operational security and streamlined the signing process for its customers.

Figure: Vanilla Tempest and Fox Tempest attack chain (source: Microsoft)

Fox Tempest’s MSaaS platform has been linked to multiple high-profile threat actors and ransomware families.

Groups such as Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 used Fox Tempest-signed malware in real-world intrusions.

Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.

One observed attack chain involved trojanized Microsoft Teams installers distributed via malvertising.

Victims downloading the fake installer executed a signed binary that deployed the Oyster backdoor, enabling persistence, command-and-control (C2) communication, and eventual ransomware deployment.

Figure: Google Form used by Fox Tempest (source: Microsoft)

Cryptocurrency analysis indicates that Fox Tempest is closely tied to ransomware affiliates behind families such as Qilin, Akira, and INC, with revenues reaching millions of dollars.

Fox Tempest operated as a commercial service, charging cybercriminals between $5,000 and $9,000 for malware-signing services.

Access was managed through Telegram channels and online forms, with higher-paying customers receiving priority.

Figure: Telegram channel used by Fox Tempest (source: Microsoft)

The service lowered the barrier to entry for less sophisticated threat actors by providing trusted code-signing capabilities on demand.

Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) linked to Fox Tempest activity include the domain signspace[.]cloud.

Investigators also identified the following SHA-1 certificate fingerprints:

dc0acb01e3086ea8a9cb144a5f97810d291020ce

7e6d9dac619c04ae1b3c8c0906123e752ed66d63

Additionally, the following SHA-256 file hashes have been associated with the campaign:

f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc

11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326

Mitigation and Defense Recommendations

Microsoft said in a report shared with Cyber Security News that organizations can reduce exposure to signed malware abuse by implementing the following controls:

Enable cloud-delivered protection and real-time scanning in endpoint security solutions.

Deploy Microsoft Defender SmartScreen to block malicious downloads and websites.

Enforce tamper protection to prevent disabling of security tools.

Use attack surface reduction (ASR) rules to block common malware techniques.

Enable Safe Links and Safe Attachments in email security solutions.

Monitor for suspicious certificate usage and short-lived signing activity.
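A defender-side check for the last recommendation, added here as an example (it is not the article's or Microsoft's code): it inspects the Authenticode signer of each binary in a directory and flags certificates whose validity window is 72 hours or less, or whose thumbprint matches one of the two SHA-1 certificate fingerprints listed above. The scan directory is an assumption.

```powershell
# Added example, not from the article or Microsoft. Flags Authenticode signers
# that are short-lived (<= 72 hours, the Artifact Signing lifetime cited above)
# or that match the SHA-1 certificate fingerprints published for Fox Tempest.
$KnownBadThumbprints = @(
    'dc0acb01e3086ea8a9cb144a5f97810d291020ce',
    '7e6d9dac619c04ae1b3c8c0906123e752ed66d63'
)
$MaxShortLivedHours = 72

function Test-ShortLivedSigner {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        # Unsigned or unparseable signature: report it, but it is not a match
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Flag = 'Unsigned' }
    }
    $lifetimeHours = ($cert.NotAfter - $cert.NotBefore).TotalHours
    $thumb = $cert.Thumbprint.ToLowerInvariant()
    $flag = 'None'
    if ($KnownBadThumbprints -contains $thumb) { $flag = 'KnownFoxTempestCert' }
    elseif ($lifetimeHours -le $MaxShortLivedHours) { $flag = 'ShortLivedCert' }
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        LifetimeHours = [math]::Round($lifetimeHours, 1)
        Thumbprint    = $thumb
        Flag          = $flag
    }
}

# Scan a directory (assumed path) and show only binaries worth a second look.
Get-ChildItem -Path 'C:\Users\Public\Downloads' -Include *.exe,*.msi,*.dll -Recurse |
    ForEach-Object { Test-ShortLivedSigner -Path $_.FullName } |
    Where-Object { $_.Flag -ne 'None' } |
    Format-Table -AutoSize
```

A short-lived certificate is not malicious on its own, since Artifact Signing issues them to legitimate customers; treat the ShortLivedCert flag as a triage signal to be checked against the binary's origin and subject, while a KnownFoxTempestCert match warrants immediate investigation.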

Microsoft’s takedown of Fox Tempest infrastructure marks a significant disruption to the cybercrime supply chain.

By targeting the enabling service rather than individual attackers, the operation reduces the ability of multiple ransomware groups to distribute trusted malware at scale.

However, the incident highlights how legitimate cloud services and trust mechanisms continue to be abused, reinforcing the need for stronger identity validation and certificate monitoring across the ecosystem.

The post Fox Tempest Malware-Signing Service Abused Microsoft Artifact Signing to Certify Malware appeared first on Cyber Security News.

Source: cybersecuritynews.com
