- Microsoft's Digital Crimes Unit dismantled Fox Tempest, a criminal operation that sold a malware-signing service built on fraudulently obtained code-signing certificates to active ransomware groups, including Rhysida and INC.
- Cybercriminals paid between $5,000 and $9,500 per plan to have their malware signed so that it passed Windows security tools as a legitimate, trusted application.
- The takedown resulted in the revocation of over 1,000 fraudulent certificates generated across hundreds of Azure tenants.

A ransomware gang submits a malicious file. Days later, that same file carries a code-signing certificate issued through Microsoft's own signing service and slips into a hospital's network without raising a single alarm. That is not a scenario from a thriller. That is the exact service Fox Tempest was selling, and Microsoft just shut it down.
Microsoft's DCU (Digital Crimes Unit), working alongside industry partners, took down Fox Tempest in May 2026. The group ran a paid malware-signing operation through a platform called signspace[.]cloud. Fox Tempest abused Microsoft's "Artefact Signing" service (formerly Azure Trusted Signing) to obtain short-lived, 72-hour code-signing certificates.
Those certificates allowed ransomware groups to disguise their malware as trusted applications such as AnyDesk, Microsoft Teams, PuTTY, and Webex. Security tools that treat a valid signature as a strong trust signal let the files through without flagging them.
The DCU revoked over 1,000 fraudulent certificates the gang had generated across hundreds of Azure tenants. According to Microsoft, the group likely used stolen American and Canadian identities to pass the identity verification required to access the signing infrastructure.
How Fox Tempest Ran the Business
Fox Tempest did not function like a disorganized criminal outfit. It operated like a structured, subscription-based software service.
Cybercriminals paid between $5,000 and $9,500 per plan, with higher-tier subscribers receiving priority in the processing queue. Customers submitted their orders through a bilingual English-Russian Google Form, uploaded their malicious payloads to Fox Tempest-controlled environments, and collected a properly signed binary in return, ready to deploy against victims.
By February 2026, Fox Tempest had upgraded its infrastructure. The group began providing customers with pre-configured virtual machines hosted on Cloudzy, a US-based VPS provider. This upgrade further streamlined the signing workflow and reduced the group's own exposure to detection.
The service attracted some of the most active ransomware operations currently running. Storm-0501, Vanilla Tempest, and Storm-2561 all deployed Fox Tempest-signed malware in attacks against real victims.
Attacks That Caused Real Damage
One documented attack chain shows just how effective this operation was. Vanilla Tempest ran paid Google Ads promoting a trojanized Microsoft Teams installer. Victims who downloaded the file received the Oyster backdoor. In several of those cases, the backdoor then delivered Rhysida ransomware onto the infected systems.
This isn’t the only malware campaign using legitimate-sounding app names. Microsoft recently warned of a WhatsApp malware attack targeting Windows users, another reminder that attackers disguise malicious files as popular applications.
According to Microsoft, Fox Tempest generated proceeds in the millions. The victims spanned healthcare, education, government, and financial services organizations across the United States, France, India, and China.
The damage speaks directly to why code-signing certificates are such a dangerous target. Security teams and everyday users treat a signed executable as a trusted file. Fox Tempest exploited that trust completely, packaging it into a service and selling it at scale to any criminal group that could afford the subscription.
What Organizations and Users Should Do Now
Microsoft has outlined several concrete steps for organizations. Enabling cloud-delivered protection in Microsoft Defender is the starting point, because cloud reputation can override the purely local judgement that a signed file looks fine. Turning on Safe Links and Safe Attachments in Defender for Office 365 adds a second layer of defense for the delivery channel. Microsoft also recommends activating attack surface reduction rules, specifically the rule for advanced protection against ransomware, to limit the damage signed malware can cause once it enters a network.
For everyday users, the guidance is simpler but equally important. Downloading software through search engine ads carries a serious risk, even when the installer carries a valid signature. Users should go directly to official vendor websites for any software download rather than clicking on sponsored search results.
Fox Tempest is gone, but the model it built is not. Malware-signing offered as a subscription service is a template other criminal groups will likely copy. According to Microsoft, organizations should treat code signatures as one trust signal among many, not as proof that a file is safe. A signed file confirms who signed it and that it has not been altered since. It does not confirm what the file actually does.
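The following PowerShell is an added example, not Microsoft's own script or anything from the advisory. It applies the endpoint-side recommendations above on a Windows host running Microsoft Defender Antivirus and then reads back what actually took effect, since Group Policy or Intune can silently override local settings. The ASR rule GUID is the one listed for "Use advanced protection against ransomware" in Microsoft's ASR rules reference; confirm it against the current reference before deploying at scale. The Safe Links and Safe Attachments cmdlets are tenant-side and assume the ExchangeOnlineManagement module and a Defender for Office 365 license; the domain and policy names are placeholders.

```powershell
# Added example: harden a Defender host per the article's recommendations.
# Run from an elevated PowerShell session. Settings may be overridden by
# GPO/Intune; the read-back at the end shows the effective values.

# "Use advanced protection against ransomware" ASR rule (verify against
# Microsoft's ASR rules reference before relying on it).
$RansomwareAsrRule = 'c1db55ab-c21a-4637-bb3f-a12568109d35'

# 1. Cloud-delivered protection: MAPS reporting plus sample submission, so
#    cloud reputation can override "valid signature, therefore fine".
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -DisableBlockAtFirstSeen $false     # block-at-first-sight needs MAPS on
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50            # seconds to wait for a cloud verdict

# 2. ASR: advanced ransomware protection. Use AuditMode first if you want
#    telemetry before enforcement, then switch to Enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RansomwareAsrRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. Read back the effective configuration. Get-MpPreference returns
#    numeric codes: MAPSReporting 2 = Advanced, SubmitSamplesConsent
#    1 = SendSafeSamples, ASR action 1 = Block, 2 = Audit, 0 = Off.
function Get-RansomwareHardeningState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $action = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RansomwareAsrRule) { $action = $acts[$i] }
    }
    [pscustomobject]@{
        MAPSReporting        = $pref.MAPSReporting
        SubmitSamplesConsent = $pref.SubmitSamplesConsent
        BlockAtFirstSeen     = -not $pref.DisableBlockAtFirstSeen
        CloudBlockLevel      = $pref.CloudBlockLevel
        RansomwareAsrAction  = $action
    }
}

# 4. Tenant side (Defender for Office 365): Safe Attachments and Safe Links.
#    Not invoked here; call it once per tenant after Connect-ExchangeOnline.
function Enable-O365SafeLinksAndAttachments {
    param([Parameter(Mandatory)][string]$RecipientDomain)   # e.g. 'example.com' (placeholder)
    New-SafeAttachmentPolicy -Name 'Block-Unsafe-Attachments' -Enable $true -Action Block
    New-SafeAttachmentRule   -Name 'Block-Unsafe-Attachments' `
        -SafeAttachmentPolicy 'Block-Unsafe-Attachments' -RecipientDomainIs $RecipientDomain
    New-SafeLinksPolicy -Name 'Scan-Links' -EnableSafeLinksForEmail $true `
        -ScanUrls $true -DeliverMessageAfterScan $true
    New-SafeLinksRule   -Name 'Scan-Links' -SafeLinksPolicy 'Scan-Links' `
        -RecipientDomainIs $RecipientDomain
}

Get-RansomwareHardeningState
```

Run the read-back on a sample of hosts after the policy has had time to apply; a host that still reports `RansomwareAsrAction = NotConfigured` or `MAPSReporting = 0` is being overridden by a higher-priority policy, which is the usual reason these recommendations look enabled in a console but are not enforced on the endpoint.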
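The disguise described earlier (a trusted product name on the file, a valid certificate on the signature) and the closing point that a signature only proves who signed, not what the file does, together suggest a triage check that treats the signature as one signal among several. The PowerShell below is an added example and is not code from the article or from Microsoft. It assumes an expected-publisher map that you fill from your own software inventory (the two entries shown are illustrative), and it treats the file's own version resource as attacker-controlled input, so a mismatch is evidence to investigate, not a verdict.

```powershell
# Added example: triage a downloaded installer. The signature is one signal;
# signer identity vs. claimed product, certificate lifetime and download
# origin are the others. Requires Windows PowerShell or PowerShell 7 on Windows.

# Illustrative map of ProductName (from the file's version resource) to the
# certificate subject patterns that should sign it. Extend from your inventory.
$ExpectedPublishers = @{
    'Microsoft Teams' = @('CN=Microsoft Corporation,*')
    'PuTTY suite'     = @('CN=Simon Tatham,*')
}

function Test-SignedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Anything valid for this long or less is flagged as short-lived. The
        # article reports 72-hour certificates; legitimate Trusted Signing
        # users get the same lifetime, so this is a weak signal on its own.
        [timespan]$ShortLived = [timespan]::FromHours(73)
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $product = if ($info.ProductName) { $info.ProductName.Trim() } else { '' }

    # 1. Chain validity. Whether a revoked certificate (as in this takedown)
    #    still shows Valid depends on the host reaching CRL/OCSP endpoints and
    #    on the revocation date relative to the signature timestamp.
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status $($sig.Status): $($sig.StatusMessage)")
    }

    $cert = $sig.SignerCertificate
    if ($cert) {
        # 2. Does the signer match who should be signing this product?
        if ($ExpectedPublishers.ContainsKey($product)) {
            $match = $false
            foreach ($pattern in $ExpectedPublishers[$product]) {
                if ($cert.Subject -like $pattern) { $match = $true }
            }
            if (-not $match) {
                $findings.Add("product '$product' signed by unexpected subject '$($cert.Subject)'")
            }
        } else {
            $findings.Add("no expected publisher on file for product '$product'; signer '$($cert.Subject)'")
        }

        # 3. Certificate lifetime and issuing CA, for the analyst's context.
        $lifetime = $cert.NotAfter - $cert.NotBefore
        if ($lifetime -le $ShortLived) {
            $findings.Add("short-lived certificate ($([int]$lifetime.TotalHours) h) issued by '$($cert.Issuer)'")
        }
    }

    # 4. Origin: browser downloads carry a Zone.Identifier stream on NTFS with
    #    the source URL, which ties the file back to an ad or landing page.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
    if ($hostUrl) { $findings.Add("downloaded from $hostUrl") }

    [pscustomobject]@{
        Path       = $Path
        Product    = $product
        Company    = $info.CompanyName
        Signer     = if ($cert) { $cert.Subject } else { $null }
        Issuer     = if ($cert) { $cert.Issuer } else { $null }
        Status     = $sig.Status
        Sha256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Suspicious = $findings.Count -gt 0
        Findings   = $findings
    }
}

# Usage (path is a placeholder):
# Test-SignedInstaller -Path "$env:USERPROFILE\Downloads\TeamsSetup.exe" | Format-List
```

A trojanized Teams installer of the kind described in the ad campaign would typically come back with `Status = Valid` and still be flagged, because the subject on the certificate is whatever identity the fraudster verified, not Microsoft Corporation. The SHA-256 in the output is what you submit for a cloud reputation or sandbox verdict, which is the step that actually answers "what does this file do".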