Microsoft Shuts Down Fox Tempest Malware Operation

Fox Tempest Malware

A cybercrime group called Fox Tempest turned Microsoft’s own software infrastructure into a weapon. The group ran a malware-signing service that let ransomware gangs and other criminals make dangerous software look completely legitimate — and it worked for nearly a year before Microsoft shut it down.

Microsoft’s Digital Crimes Unit dismantled the operation in May 2026, seizing infrastructure, revoking over 1,000 fraudulent certificates, and filing a lawsuit in the Southern District of New York. The Fox Tempest malware campaign had reached organizations across the US, UK, France, Germany, Japan, India, and several other countries.

How Fox Tempest Made Malware Look Legitimate

Code-signing certificates exist for a straightforward reason: they confirm that a piece of software comes from a verified publisher and hasn’t been modified since it was signed. When your computer sees a validly signed file, it extends that file a degree of trust. Fox Tempest exploited that trust directly.

The group abused Microsoft’s Azure Artifact Signing platform — a legitimate cloud service launched in 2024 to help developers get their programs verified — to generate fraudulent certificates. These certificates were short-lived, valid for just 72 hours, but that window was enough. Criminals used them to sign malware so it appeared to come from a trusted publisher.

The signed files were then disguised as installers for well-known software: Microsoft Teams, AnyDesk, PuTTY, and Cisco Webex. Someone downloading what looked like a Teams update could unknowingly execute ransomware.
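The practical lesson of the section above is that “signed” and “signed by the publisher it claims to be” are different questions. The following PowerShell function is an added example for defenders, not code from the article or from Microsoft: it checks a downloaded installer’s Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, compares the signer’s Subject against the publisher the file claims to come from, and flags a very short-lived leaf certificate (the 72-hour window mentioned above) for review. The file path, the expected-publisher string, and the 30-day threshold are constructed placeholders to adapt to your own environment.

```powershell
# Added example (not from the article): verify that a downloaded installer is
# signed by the publisher it claims, rather than merely "signed by someone".
# Assumptions: runs on Windows (PowerShell 5.1 or 7); the expected-publisher
# value and the validity threshold are illustrative and must be tuned locally.

function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring the signer's Subject must contain for this product
        # (constructed allowlist value; confirm it against a known-good copy)
        [Parameter(Mandatory)] [string] $ExpectedSubject,
        # Leaf certificates valid for fewer days than this are flagged for review
        [int] $MinValidityDays = 30
    )

    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $findings = [System.Collections.Generic.List[string]]::new()

    # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...)
    # means the file cannot be trusted at all.
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status is '$($sig.Status)': $($sig.StatusMessage)")
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Findings = $findings }
    }

    $cert     = $sig.SignerCertificate
    $validity = $cert.NotAfter - $cert.NotBefore

    # Core check: a valid signature from the wrong publisher is still a red flag.
    if ($cert.Subject -notlike "*$ExpectedSubject*") {
        $findings.Add("signer '$($cert.Subject)' does not match expected publisher '$ExpectedSubject'")
    }

    # Short-lived leaf certificates are normal for some cloud signing services,
    # so this is a review trigger rather than a block on its own.
    if ($validity.TotalDays -lt $MinValidityDays) {
        $hours = [math]::Round($validity.TotalHours)
        $findings.Add("leaf certificate valid for only $hours hours ($($cert.NotBefore) to $($cert.NotAfter))")
    }

    # Without a timestamp countersignature the signature stops validating once
    # a short-lived certificate expires; record its absence.
    if (-not $sig.TimeStamperCertificate) {
        $findings.Add("no timestamp countersignature present")
    }

    [pscustomobject]@{
        Path       = $Path
        Trusted    = ($findings.Count -eq 0)
        Signer     = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Findings   = $findings
    }
}

# Usage (constructed path and publisher string): check a downloaded Teams
# installer against the publisher it claims to come from.
Test-InstallerSignature -Path 'C:\Users\Public\Downloads\MSTeamsSetup.exe' `
                        -ExpectedSubject 'CN=Microsoft Corporation' |
    Format-List
```

The Subject comparison is the part that would have caught the installers described in this article: a binary posing as a Teams update but signed under some other verified identity passes the “is it validly signed?” test and fails the “is it signed by Microsoft?” test. The validity-window and timestamp checks only add context, since legitimate cloud signing services also issue short-lived certificates.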

A Full-Service Cybercrime Business

Fox Tempest did not just generate certificates for internal use. It ran a commercial operation, offering malware-signing as a paid service to other criminal groups.

The service was advertised on a Telegram channel called “EV Certs for Sale by SamCodeSign.” Pricing ran from $5,000 to $9,000 in bitcoin. Customers filled out a Google Form specifying their service tier and how often they planned to use certificates. It operated more like a business than a hacking group.

From February 2026, Fox Tempest expanded its model further. The group began providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Customers uploaded their malware directly to these environments and received signed binaries in return. The upgrade reduced friction, improved the group’s operational security, and made the whole pipeline faster and more scalable.

Microsoft estimates the operation generated millions of dollars in revenue before it was disrupted.

The Ransomware Groups Behind the Attacks

The Fox Tempest malware service had a broad client list. Ransomware groups including Rhysida, Akira, INC, Qilin, and BlackByte all used certificates obtained through the platform. Microsoft also linked activity to threat actors it tracks as Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249.

One documented attack chain shows exactly how the signed files were used. Victims encountered fake Microsoft Teams installers distributed through malvertising. Downloading the installer executed a signed binary that deployed the Oyster backdoor, which then established persistence and command-and-control access before eventually delivering Rhysida ransomware. Other malware tied to the operation includes Lumma Stealer and Vidar, both information stealers capable of harvesting passwords, session tokens, and financial data.

Fox Tempest created over 1,000 certificates and set up hundreds of Azure tenants and subscriptions to support the scheme. The scale of the infrastructure signals a well-resourced, professionally run operation.

How Microsoft Brought It Down

Microsoft’s Digital Crimes Unit obtained a court order earlier in May 2026. Investigators had spent months building the case, including working with a cooperative source to purchase and test the service between February and March 2026.

When the court order came through, Microsoft moved fast. The company seized the domain signspace[.]cloud, took hundreds of virtual machines offline, blocked access to a site hosting the platform’s underlying code, and revoked every certificate linked to Fox Tempest. Investigators also had direct conversations with a certificate seller on Telegram during the operation. After the court order was issued, that seller told Microsoft the service was no longer functioning and suggested the group was looking to shift operations elsewhere.

Microsoft’s assistant general counsel at the Digital Crimes Unit, Steven Masada, stated that the service infected thousands of machines and compromised networks worldwide. As Masada put it:

“When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe.”

Final Thoughts

The Fox Tempest malware operation is a clear example of how cybercriminals adapt. Rather than trying to brute-force past security controls, the group quietly subverted the trust system those controls rely on. A signed file is not automatically a safe file — and this case reinforces that point for both users and organizations.

Microsoft’s takedown removes a major piece of ransomware infrastructure. But as the seller’s own response suggested, the group is already looking for ways to continue. Staying protected means keeping systems patched, treating unexpected software prompts with suspicion, and not assuming that a digitally signed file is necessarily what it claims to be.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.