More than 580 fraudulent Microsoft accounts were created and used to obtain legitimate code‑signing credentials that, according to court documents, allowed criminals to make ransomware and other malware appear like authentic Windows software.
Fox Tempest: a signing-as-a-service accused of enabling ransomware
Microsoft says the cybercrime operation, which it has dubbed Fox Tempest, began in May 2025 and traded in real, Microsoft‑issued code‑signing credentials. The defendants are identified in court filings as John Doe 1 and John Doe 2, the latter operating under the handle SamCodeSign. Using fake identities and impersonations of real organizations, the group allegedly established more than 580 fraudulent Microsoft accounts and abused Microsoft’s Artifact Signing code‑signing service to produce certificates they then sold to other criminals for thousands of dollars.
The criminal offering functioned like a retail service: the court documents include screenshots and transaction details showing a Google Form where buyers chose a turnaround tier — standard for $5,000, priority for $7,500, and expedited for $9,500. Microsoft’s complaint describes Fox Tempest as a “malware signing‑as‑a‑service” operation that provided purchasers with instructions and virtual machines to complete the signing process.
Abuse of Microsoft’s Artifact Signing service
Microsoft’s Artifact Signing service is intended to let developers digitally sign applications so the Windows operating system and end users can verify authenticity and integrity. The Fox Tempest defendants allegedly used that same service to generate valid signatures for malicious code, a technique that makes malware more likely to be trusted and executed on victim machines. The court filings say the fraudulent certificates were used to sign a range of malware, including the Windows backdoor Oyster, infostealers Lumma and Vidar, and the Rhysida ransomware family.
How Microsoft’s Digital Crimes Unit tested and disrupted the operation
The company’s Digital Crimes Unit (DCU) used an undercover approach between February and March, purchasing the signing service from a cooperating source. The court documents say those test purchases allowed DCU investigators to observe “first‑hand how Fox Tempest Defendants operate the service, the information a purchaser is provided, and the instructions given by SamCodeSign to connect to the service and sign the test software created by Microsoft.” The purchases also enabled investigators to identify cryptocurrency wallets connected to Fox Tempest.
Following that work, Microsoft seized websites and took down hundreds of virtual machines that the complaint alleges were being used to run the service. The court documents were unsealed on Tuesday, and Microsoft filed a civil complaint laying out the alleged scheme and its disruption.
Impact: thousands of infected machines, including Microsoft systems
Microsoft’s complaint says certificates originating from tenants created by the Fox Tempest defendants were used to sign malware that impacted thousands of customer machines in the United States. That toll includes “more than a dozen” machines owned and operated by Microsoft itself. The civil complaint further charges that a ransomware group tracked by Microsoft as Vanilla Tempest — also known in public reporting as Vice Spider, Vice Society, Rhysida — was among the customers that purchased certificates and used them to sign malware.
The complaint states that Vanilla Tempest “unlawfully accessed victims’ computers and devices, exfiltrated and stole the personal and confidential information of victims, deployed ransomware designed to encrypt victims’ files and systems, and extorted victims by demanding payment in exchange for restoring access to, or suppressing, their data,” and it adds that the criminal activity remains ongoing. In a Microsoft blog post, DCU attorney Steven Masada said the investigation “further linked Fox Tempest to various additional ransomware affiliates and families, including INC, Qilin, Akira, and others.”
What this means for technologists, affected enterprises, and ransomware affiliates
- Technologists and security teams: defenders now have evidence that legitimately issued code‑signing certificates were used to mask malware delivered to thousands of machines; the DCU’s test purchases and identified cryptocurrency wallets may help forensic teams map signed artifacts to fraudulently created tenants and certificates.
- Affected enterprises and procurement leaders: the signed malware observed in the complaint includes Oyster, Lumma, Vidar and Rhysida — families associated with backdoors, infostealers and ransomware — and the civil filing alleges that signed binaries were part of campaigns that enabled exfiltration, file encryption and extortion of victims’ data.
- Ransomware affiliates and criminal resellers: the complaint presents a blueprint of how code‑signing services were commercialized — advertised tiers, delivery via virtual machines, and cryptocurrency payments — and Microsoft’s disruption and identification of wallets signals that those steps are now actionable targets for civil and technical countermeasures.
Microsoft’s takedown removed websites and hundreds of virtual machines and provided a forensic trail from test purchases to cryptocurrency wallets, but the civil complaint explicitly states the criminal activity remains ongoing. The record laid out in court documents — including detailed screenshots of pricing and account abuse, identification of malware families that were signed, and the DCU’s undercover purchases — gives investigators and victims concrete leads. It also leaves an open question embedded in the complaint itself: even after a large, public disruption, how many certificates, signed binaries and victim systems still lie undiscovered?




