A financially motivated threat actor known as Fox Tempest has been operating a sophisticated malware-signing-as-a-service (MSaaS)<\/a> platform that abused Microsoft\u2019s Artifact Signing infrastructure to generate trusted digital signatures for malicious code.<\/p>\n This activity enabled cybercriminals to bypass security controls and distribute malware that appeared to be legitimately signed.<\/p>\n In May 2026, Microsoft\u2019s Digital Crimes Unit (DCU), in collaboration with Resecurity, disrupted the group\u2019s infrastructure, revoking more than 1,000 fraudulent certificates linked to the operation.<\/p>\n Fox Tempest leveraged Microsoft\u2019s Artifact Signing service (formerly Azure Trusted Signing) to obtain short-lived code-signing certificates valid for up to 72 hours.<\/p>\n These certificates enabled attackers to sign malware binaries so they appeared as trusted applications, including spoofed versions of popular software such as Microsoft Teams, AnyDesk, PuTTY,<\/a> and Webex.<\/p>\n To obtain these certificates, the threat actor likely used stolen or synthetic identities from the United States and Canada to pass Microsoft\u2019s identity verification checks.<\/p>\n The operation was facilitated through a now-defunct platform,\u00a0signspace[.]cloud, which provided a user interface that allowed customers to upload malicious files and receive digitally signed binaries.<\/p>\n Microsoft Threat Intelligence has tracked Fox Tempest since September 2025, identifying it as a key enabler within the ransomware ecosystem rather than a direct attacker.<\/p>\n The group created hundreds of Azure tenants <\/a>and subscriptions to support its operations and issued thousands of certificates at scale.<\/p>\n In early 2026, Fox Tempest evolved its infrastructure by offering pre-configured virtual machines (VMs) hosted on third-party providers.<\/p>\n These VMs enabled customers to upload payloads directly into controlled environments, where automated scripts and configuration files (e.g., metadata.json and PowerShell scripts) were used to efficiently sign malware.<\/p>\n This shift improved operational security and streamlined the signing process.<\/p>\n Fox Tempest\u2019s MSaaS platform has been linked to multiple high-profile threat actors and ransomware families.<\/p>\n Groups such as Vanilla Tempest<\/a>, Storm-0501, Storm-2561, and Storm-0249 used Fox Tempest-signed malware in real-world intrusions.<\/p>\n Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.<\/p>\n One observed attack chain involved trojanized Microsoft Teams<\/a> installers distributed via malvertising.<\/p>\n Victims downloading the fake installer executed a signed binary that deployed the Oyster backdoor, enabling persistence, command-and-control (C2) communication, and eventual ransomware deployment.<\/p>\n Cryptocurrency analysis indicates that Fox Tempest is closely tied to ransomware affiliates behind families such as Qilin, Akira, and INC, with revenues reaching millions of dollars.<\/p>\n Fox Tempest operated as a commercial service, charging cybercriminals between $5,000 and $9,000 for malware-signing services.<\/p>\n Access was managed through Telegram channels and online forms, with higher-paying customers receiving priority.<\/p>\n The service lowered the barrier to entry for less sophisticated threat actors by providing trusted code-signing capabilities on demand.<\/p>\n Indicators of Compromise (IOCs)<\/strong><\/p>\n Indicators of Compromise (IOCs) linked to Fox Tempest activity include the domain Investigators also identified the following SHA-1 certificate fingerprints:<\/p>\n Additionally, the following SHA-256 file hashes have been associated with the campaign:<\/p>\n Microsoft said in a report shared with Cyber Security News<\/a> that organizations can reduce exposure to signed malware abuse by implementing the following controls:<\/p>\n Microsoft\u2019s takedown of Fox Tempest infrastructure marks a significant disruption to the cybercrime supply chain.<\/p>\n By targeting the enabling service rather than individual attackers, the operation reduces the ability of multiple ransomware groups to distribute trusted malware at scale.<\/p>\n However, the incident highlights how legitimate cloud services and trust mechanisms continue to be abused, reinforcing the need for stronger identity validation and certificate monitoring across the ecosystem.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Fox Tempest Malware-Signing Service Abused Microsoft Artifact Signing to Certify Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAbuse of Microsoft Artifact Signing<\/strong><\/h2>\n
![\"Accessing](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhgEJbEn21d01h3BPagcoGsup61P3b5NCuI_usgvSjqUiD4Lu7zzjE7l7pNK1o5bDSEbSMk9t1fzx3HoQZvydPc5NYJXNGaPl4JqF_axRQEmlXD8InDyF8ZOQNfQawIRM5zN7zmOibtQvVIN_MAo_xxVJacju8rrLZ5piTt3Ko-s_iPFaJG9CYj3aLaUFo\/s1600\/Screenshot%25202026-05-20%2520110731%2520%25281%2529.webp?ssl=1\")
![\"Vanilla](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2mZC0Zue8GRLHEKRnCSLPaUdVCFWSYlHWXUs5H2aDpyJr0-XzgqMEQOimmvWJWwZzMH6HKDMPiGTgYRPmZ029MnIdy71zOMO0Mh7BAdjf0uvJDZoe-_CTWiRqW_QiGoAra75s1cJdDT8erjqhQK2aEcpTAjGq-oFF9lTGVrwnpiCbSnr-qZ889D3wZXw\/s1600\/Screenshot%25202026-05-20%2520110644%2520%25281%2529.webp?ssl=1\")
![\"\u00a0Google](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjByNj14bPqrRVO29uroU5dB5ndazMEMqvgv76wGLeEimQBkReGD6PuFYLowlgfqaw8YGRuZYe84NE0aIpSUDxSgF1LnUv3L_hHaaKUIMaWbwdLSPfeg8bj-PPBQC_ImGmYyf6fU0w0QEM769hwwHDchLXxhynj_l3eZxTHc8gmEtwMu-Uf3L2p2K8rukk\/s1600\/Screenshot%25202026-05-20%2520111328%2520%25281%2529.webp?ssl=1\")
![\"Telegram](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgXt3e1r2hrigsXJidZhiKzFiJVgP138U8OXt0v22QckYQCeYIcIsmKloGA9DTP6YVNYXtLrtcgnj6aHgMSF27c4P4XCAlhRNaJD_DsowQ3U-rYKJ9TVBGmOgBrlqhy5rN4A4ePElH9q4sIusYMjVxfwPVeERRoAe-OfjoJjARzBfiv7S8WtEb0947_0xI\/s1600\/Screenshot%25202026-05-20%2520110849%2520%25281%2529.webp?ssl=1\")
signspace[.]cloud<\/code>.<\/p>\n\n
dc0acb01e3086ea8a9cb144a5f97810d291020ce<\/code><\/li>\n7e6d9dac619c04ae1b3c8c0906123e752ed66d63<\/code><\/li>\n<\/ul>\n\n
f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc<\/code><\/li>\n11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326<\/code><\/li>\n<\/ul>\nMitigation and Defense Recommendations<\/strong><\/h2>\n
\n