Microsoft Disrupts Malware Signing Service Used by Ransomware Groups

“This isn’t the obvious knockoff you might find on a street corner. It’s more like a counterfeit product that’s so precise that even the experts have trouble distinguishing it from the real thing.” — Steven Masada, assistant general counsel, Microsoft Digital Crimes Unit

Fox Tempest and the malware-signing-as-a-service

Microsoft says a financially motivated threat group it tracks as Fox Tempest built and sold a turnkey code-signing service that allowed other cybercriminals to make malware-laced programs appear trusted and legitimate. The group, tracked by Microsoft since September 2025, fabricated identities and impersonated legitimate organizations to abuse Microsoft’s Artifact Signing system and access Microsoft’s code-signing services, according to the company.

Microsoft described the operation as a scalable “malware-signing-as-a-service” that offered an authenticated portal and a drag-and-drop interface enabling customers to get malicious code signed. Customers paid as much as $9,500 to have their malware signed, a price Microsoft said threat actors considered cheap relative to potential ransomware payouts. The service was sold to multiple ransomware groups, including Rhysida, Vanilla Tempest, Storm-0501, Storm-2561 and Storm-0249, and Microsoft tied the operation to affiliates for INC, Qilin, Akira and others.

How the forged signatures were used in attacks

Microsoft investigators linked the signed binaries to the deployment of dozens of malware families, naming Oyster, Lumma Stealer, MuddyWater and Vidar among them. Investigators said operators used fraudulent certificates in extortion, phishing, SEO poisoning and malware-laced advertising — techniques that pushed malicious downloads to the top of search results or into advertising channels so victims would run what they believed was legitimate software.

“It acts as a fake ID that lets cybercriminals get into systems by walking right through the front door,” Masada said, describing how signed malware can slip past controls designed to confirm a program’s authenticity and trusted origin.

Microsoft’s disruption and legal action

Microsoft said it secured a court order to dismantle the operation after the service had been running for at least a year. Acting on that order, the company evicted or deleted more than 1,000 accounts and subscriptions that Fox Tempest used, seized the threat group’s website, took hundreds of virtual machines offline and blocked access to a site hosting the underlying code. Microsoft described those steps as a disruption intended to raise the cost for attackers who had relied on the service.

“This disruption likely is going to raise the cost for attackers, and we’re hoping that they move off of using these services,” Maurice Mason, principal cybercrime investigator at Microsoft’s Digital Crimes Unit, said. At the same time, Mason cautioned that the action was a disruption — not a permanent elimination of the concept — noting that attackers may move to alternative methods or attempt similar operations in different ways.

Impact by sector and geography

Microsoft said the operation had a global impact, with attacks recorded across healthcare, education, government and financial services sectors. The company also said organizations and people in the United States, France, India and China were the most heavily targeted. Microsoft investigators described the operation as uniquely scalable compared with prior resales of code-signing certificates, allowing widespread deployment across different kinds of campaigns.

What this means for ransomware affiliates, technologists, and affected enterprises

  • Ransomware affiliates and resellers: Microsoft’s findings underscore why operators paid for the service — Mason said threat actors view a $9,500 transaction as “chump change” if it enables extortion and ransomware payouts worth millions. Disrupting the marketplace raises costs for these affiliates and could change how they procure signing capabilities.
  • Technologists and security teams: Microsoft framed Fox Tempest as part of a broader shift “upstream” in the attack lifecycle — moving from exploiting user behavior to exploiting the systems that vouch for software authenticity. The company described a stratified cybercrime ecosystem in which higher-tier services emphasize evasion, durability and optimization, and said defenders have focused on marketplace disruptions as a way to map how that economy functions.
  • Affected enterprises and procurement leaders: Because the signed malware was used in SEO poisoning and advertising channels to trick users into downloading software that appeared legitimate, organizations in healthcare, education, government and finance will need to account for threats that bypass authenticity checks, Microsoft said.
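The practical caveat behind that last point is that a binary signed through an abused signing service passes a standard Authenticode check exactly like a legitimate one, so “signature is valid” cannot be the trust decision on its own. The following PowerShell script is an added example, not code from Microsoft or the CyberScoop report; it uses the built-in Get-AuthenticodeSignature cmdlet and assumes a hypothetical allowlist of vetted publishers (the thumbprint and subject values are placeholders).

```powershell
# Added example: a valid Authenticode signature is necessary but not sufficient.
# Pin the signers you have vetted, and treat every other valid signature as
# something to review rather than something to trust.

# Hypothetical allowlist: placeholder values, replace with publishers your
# organization has actually vetted (leaf certificate thumbprint and/or subject DN).
$TrustedThumbprints = @('PLACEHOLDER_SHA1_THUMBPRINT_OF_A_VETTED_PUBLISHER')
$TrustedSubjects    = @('CN=Example Vetted Publisher, O=Example Vetted Publisher, C=US')

function Get-SignerTrustReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxCertAgeDays = 30   # leaf certificates this young get a second look
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        if ($sig.Status -ne 'Valid') {
            $verdict = 'Untrusted'; $reason = "signature status: $($sig.Status)"
        }
        elseif ($cert.Thumbprint -in $TrustedThumbprints) {
            $verdict = 'Trusted';   $reason = 'pinned thumbprint'
        }
        elseif ($cert.Subject -in $TrustedSubjects) {
            $verdict = 'Trusted';   $reason = 'allowlisted subject'
        }
        elseif (((Get-Date) - $cert.NotBefore).TotalDays -lt $MaxCertAgeDays) {
            $verdict = 'Review';    $reason = "valid, but certificate issued $($cert.NotBefore.ToString('yyyy-MM-dd')) (recent)"
        }
        else {
            $verdict = 'Review';    $reason = 'valid, but signer is not on the allowlist'
        }

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Subject    = if ($cert) { $cert.Subject } else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            Verdict    = $verdict
            Reason     = $reason
        }
    }
}

# Usage: anything other than 'Trusted' is a candidate for blocking or analyst review.
Get-SignerTrustReport -Path 'C:\Users\Public\Downloads' | Where-Object Verdict -ne 'Trusted' | Format-Table -AutoSize
```

For enforcement rather than triage, the same publisher pinning belongs in WDAC or AppLocker publisher rules, where a signature from an unknown but technically valid signer is denied by default instead of being merely reported.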

Mason and Masada both emphasized that Microsoft’s action revealed the structure of a modern cybercrime economy: components for sale, markets for optimization, and specialized vendors that engineer evasion. As Mason put it, the disruption raises barriers for attackers but does not end the problem — “someone might try to do this a different way next time.”

Read the original CyberScoop report