Microsoft takes down a for-hire malware signing ring targeting healthcare
Gugu Ntsele May 28, 2026
In May 2026, Microsoft's Digital Crimes Unit disrupted Fox Tempest, a cybercrime group that sold fraudulent code-signing certificates to ransomware operators, enabling attacks on health care, education, government, and financial services organizations worldwide.
What happened
Fox Tempest operated a malware-signing-as-a-service (MSaaS) offering through a website called signspace[.]cloud, charging criminal customers between $5,000 and $9,000 to have their malicious files digitally signed with short-lived, fraudulent Microsoft-issued certificates. Those certificates made the malware appear to be legitimate software, allowing it to bypass security controls. Microsoft tracked Fox Tempest's operations beginning in September 2025 and has since revoked over 1,000 code-signing certificates attributed to the group. In May 2026, Microsoft's Digital Crimes Unit, with support from security partner Resecurity, disrupted the service's infrastructure.
The backstory
Fox Tempest functioned as an infrastructure provider for other ransomware groups, which used its signed malware to compromise victims. Microsoft linked Fox Tempest to multiple ransomware operators, including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249, as well as ransomware families including INC, Qilin, Akira, Rhysida, and BlackByte. One documented campaign involved Vanilla Tempest purchasing legitimate advertisements that redirected users searching for Microsoft Teams to fraudulent download pages, where victims received a malware-laced installer signed by Fox Tempest. That installer deployed the Oyster backdoor, which established persistent remote access and in some cases led to Rhysida ransomware being deployed.
What was said
Scott Gee, AHA deputy national advisor for cybersecurity and risk, described the risk the service posed: "One component of modern security is that software packages need to be digitally signed to prove their authenticity. Normally, these signatures can only be provided by trusted, verified sources. Fox Tempest provided these signatures to malware so that it appeared to be legitimate to security systems. This service enabled a number of ransomware actors to attack health care and other sectors."
Gee added that Microsoft has revoked over 1,000 certificates issued by Fox Tempest and advised that "hospitals and health systems should ensure that certificate verification is enabled on their cybersecurity toolsets."
In the know
Code signing is a method of verifying that software comes from a known, trusted source and has not been tampered with. Operating systems and security tools use digital certificates to check this before allowing software to run. When malware carries a legitimate-looking certificate, it can bypass these checks. Fox Tempest exploited Microsoft's Artifact Signing service to obtain these certificates fraudulently.
Why it matters
Because the malware it signed appeared as trusted tools like Microsoft Teams or AnyDesk, software already used inside hospital networks, security systems were less likely to flag it. Fox Tempest also did not need to attack anyone directly; it built and maintained a business that made everyone else's attacks more effective. As long as such businesses exist, this means less sophisticated ransomware operators can deploy hard-to-detect.
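A valid signature alone says little when the signer is not the publisher the file claims to come from. The triage sketch below is an added example, not code from Microsoft or the article: it runs over a constructed inventory of signature metadata, and its field names, the 7-day threshold and the expected publisher names are all assumptions to adapt to your own tooling.

```python
from datetime import date

SHORT_LIVED_DAYS = 7  # assumption: a lifetime at or below this counts as "short-lived"
# Assumption: expected signer names; confirm against your own known-good installers.
EXPECTED_PUBLISHER = {
    "microsoft teams": "Microsoft Corporation",
    "anydesk": "AnyDesk Software GmbH",
}

# Constructed sample inventory rows (not real telemetry); field names are hypothetical.
SAMPLE = [
    {"path": "MSTeamsSetup.exe", "product": "Microsoft Teams", "signer_cn": "Example Holdings LLC",
     "not_before": "2026-03-01", "not_after": "2026-03-04", "status": "Valid"},
    {"path": "Teams_official.exe", "product": "Microsoft Teams", "signer_cn": "Microsoft Corporation",
     "not_before": "2025-06-01", "not_after": "2026-06-01", "status": "Valid"},
    {"path": "AnyDesk.exe", "product": "AnyDesk", "signer_cn": "Example Holdings LLC",
     "not_before": "2026-02-10", "not_after": "2026-02-13", "status": "Revoked"},
    {"path": "backup-agent.exe", "product": "Internal Backup Agent", "signer_cn": "Example Hospital IT",
     "not_before": "2026-04-01", "not_after": "2026-04-04", "status": "Valid"},
]

def triage(rec):
    """Return the reasons a signed file needs review (empty list means none)."""
    reasons = []
    if rec["status"] != "Valid":
        reasons.append(f"signature status is {rec['status']}")
    product = rec["product"].lower()
    expected = next((pub for name, pub in EXPECTED_PUBLISHER.items() if name in product), None)
    if expected is not None and rec["signer_cn"] != expected:
        reasons.append(f"claims {rec['product']} but signer is {rec['signer_cn']}")
        lifetime = (date.fromisoformat(rec["not_after"]) - date.fromisoformat(rec["not_before"])).days
        # A short lifetime alone is not proof of abuse; report it only as corroboration.
        if lifetime <= SHORT_LIVED_DAYS:
            reasons.append(f"signer certificate valid for only {lifetime} days")
    return reasons

def flagged(records):
    """Map path -> reasons for every record with at least one finding."""
    return {r["path"]: why for r in records if (why := triage(r))}

if __name__ == "__main__":
    for path, why in flagged(SAMPLE).items():
        print(path, "->", "; ".join(why))
```

The product name comes from the file's own version resource, which the author of the file controls, so a match with the expected publisher clears only this one check.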
FAQs
What is malware-signing-as-a-service?
It is a criminal business model where a third party sells fraudulent digital signatures to other threat actors so their malware appears legitimate to security systems.
Does disrupting a service like this stop the ransomware groups that used it?
No, the ransomware groups that relied on Fox Tempest remain active.
How do employees download malware disguised as legitimate software?
Attackers purchase legitimate advertisements that appear in search results, redirecting users to fraudulent download pages that look nearly identical to official software sites.