A cybercriminal group, Fox Tempest, has been identified as operating an illicit platform that exploited Microsoft’s Artifact Signing infrastructure to authenticate malware with trusted digital signatures. This service enabled attackers to bypass security defenses and distribute malware appearing as legitimate software.
Microsoft’s Intervention and Disruption
In May 2026, a decisive action by Microsoft’s Digital Crimes Unit, in collaboration with Resecurity, dismantled the infrastructure supporting Fox Tempest’s operations. This effort led to the revocation of over 1,000 fraudulent certificates. The group had been using Microsoft’s Artifact Signing service to obtain temporary code-signing certificates, allowing malicious binaries to mimic trusted applications.
Detailed Exploitation Tactics
Fox Tempest used the Artifact Signing service to issue certificates valid for up to 72 hours, aiding in the distribution of malware that impersonated popular software solutions like Microsoft Teams and AnyDesk. The group likely utilized stolen or fictitious identities from North America to pass Microsoft’s verification processes. Their service was facilitated through a now-inoperative platform, signspace[.]cloud, which provided an interface for clients to submit files for signing.
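The two traits described above, a signing certificate with a very short validity window and a file whose version metadata claims to be one vendor's product while the signer is someone else, are both visible to a defender from the Authenticode signature alone. The following PowerShell script is an added triage example, not code from the article, from Microsoft or from Resecurity; it walks a folder, reads each signed binary's signer certificate and file version info, and lists files whose certificate was valid for at most a configurable number of hours. The `$Path` default, the `$MaxValidityHours` threshold (taken from the article's "up to 72 hours") and the `CompanyMismatch` heuristic are assumptions chosen for this example.

```powershell
# Added example, not from the article or from Microsoft: list signed binaries whose
# signing certificate had a short validity window, with the signer next to the
# vendor the file claims in its version resource.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7; defaults below are illustrative.

function Find-ShortLivedSigners {
    param(
        [string]$Path = "$env:USERPROFILE\Downloads",
        [int]$MaxValidityHours = 72    # article: certificates valid for up to 72 hours
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if (-not $cert) { return }     # unsigned file: nothing to correlate here

        $validityHours = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalHours, 1)
        # Signer's common name, e.g. "CN=Contoso Ltd, O=..." -> "Contoso Ltd"
        $signerCN = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $company  = $_.VersionInfo.CompanyName
        $product  = $_.VersionInfo.ProductName

        # Heuristic: the file says it is from one company, the certificate says another.
        $mismatch = [bool]($company -and $signerCN -and
                           ($company -notlike "*$signerCN*") -and
                           ($signerCN -notlike "*$company*"))

        [pscustomobject]@{
            File            = $_.FullName
            Status          = $sig.Status        # Valid, NotSigned, UnknownError, ...
            Signer          = $signerCN
            Issuer          = $cert.Issuer
            ValidityHours   = $validityHours
            Product         = $product
            Company         = $company
            CompanyMismatch = $mismatch
        }
    } |
    Where-Object { $_.ValidityHours -le $MaxValidityHours }
}

# Usage: review the shortest-lived signers first.
Find-ShortLivedSigners | Sort-Object ValidityHours | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: short-lived certificates are how Microsoft's signing service works for legitimate customers too, so the interesting rows are the ones where `CompanyMismatch` is true or where `Status` is no longer `Valid` because the certificate has since been revoked, as happened to the certificates in this case.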
Advanced Infrastructure and Clientele
Microsoft’s threat intelligence team has been monitoring Fox Tempest since September 2025. The group’s operations included creating numerous Azure tenants and subscriptions to support large-scale certificate issuance. By 2026, they had further enhanced their infrastructure by offering pre-configured virtual machines for clients to upload malware for signing, utilizing scripts to automate and secure the process.
Fox Tempest’s offerings attracted high-profile threat actors and ransomware groups, including Vanilla Tempest and others. Their signed malware has been linked to various malicious campaigns, including the deployment of ransomware and backdoors through trojanized software installers.
Financial Impact and Service Model
The group operated as a commercial enterprise, charging between $5,000 and $9,000 for their signing services, with transactions managed via Telegram and online forms. This service model lowered the entry barrier for less advanced cybercriminals by offering on-demand trusted signing capabilities. Analysis of cryptocurrency transactions ties Fox Tempest to several ransomware affiliates, with revenues reaching substantial figures.
Security Measures and Future Outlook
Microsoft recommends several actions to mitigate risks associated with signed malware, including enabling cloud-delivered protection, deploying Microsoft Defender SmartScreen, and using attack surface reduction (ASR) rules to block common tactics. The takedown of Fox Tempest signifies a major disruption in the cybercrime ecosystem, emphasizing the importance of targeting service enablers rather than individual attackers.
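The three mitigations named above are all settings that can be audited and applied from PowerShell. The script below is an added example, not code from the article or from Microsoft: it reads the current state of cloud-delivered protection, sample submission, one ASR rule and the SmartScreen policy, then applies the stronger settings and reads the state again. It assumes an elevated session on a Windows host running Microsoft Defender Antivirus; the choice of ASR rule (the "prevalence, age, or trusted list" rule, whose ID is taken from Microsoft's ASR rule reference) and the use of `AuditMode` rather than `Enabled` are illustrative choices made for this example.

```powershell
# Added example, not from the article or from Microsoft: audit and apply the
# mitigations the article lists. Assumptions: run elevated; Defender Antivirus
# present; the ASR rule and AuditMode action are illustrative choices.

# ASR rule "Block executable files from running unless they meet a prevalence,
# age, or trusted list criterion" (ID from Microsoft's ASR rule reference).
$AsrRuleId         = '01443614-cd74-433a-b99e-2ecdc07bfc25'
$SmartScreenPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-SignedMalwareMitigationState {
    $pref = Get-MpPreference

    # Find the action configured for our rule, if the rule is configured at all.
    $asrAction = $null
    $i = 0
    foreach ($id in @($pref.AttackSurfaceReductionRules_Ids)) {
        if ($id -eq $AsrRuleId) { $asrAction = $pref.AttackSurfaceReductionRules_Actions[$i] }
        $i++
    }
    $ss = Get-ItemProperty -Path $SmartScreenPolicy -ErrorAction SilentlyContinue

    [pscustomobject]@{
        CloudProtection   = $pref.MAPSReporting          # 0 Disabled, 1 Basic, 2 Advanced
        SampleSubmission  = $pref.SubmitSamplesConsent   # 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples
        AsrRuleAction     = $asrAction                   # 0 Disabled, 1 Enabled, 2 AuditMode, 6 Warn; $null = not set
        SmartScreenPolicy = $ss.EnableSmartScreen        # 1 = enforced by policy; $null = not set
        SmartScreenLevel  = $ss.ShellSmartScreenLevel    # 'Warn' or 'Block'
    }
}

function Enable-SignedMalwareMitigations {
    # Cloud-delivered protection and safe-sample submission.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples

    # ASR rule in audit mode first; switch to Enabled once the audit events look clean.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode

    # SmartScreen for Explorer, enforced by policy and set to block rather than warn.
    if (-not (Test-Path $SmartScreenPolicy)) { New-Item -Path $SmartScreenPolicy -Force | Out-Null }
    Set-ItemProperty -Path $SmartScreenPolicy -Name EnableSmartScreen     -Value 1       -Type DWord
    Set-ItemProperty -Path $SmartScreenPolicy -Name ShellSmartScreenLevel -Value 'Block' -Type String
}

Write-Host 'Before:'; Get-SignedMalwareMitigationState | Format-List
Enable-SignedMalwareMitigations
Write-Host 'After:';  Get-SignedMalwareMitigationState | Format-List
```

Running the audit function on its own is useful for fleet checks; a weak host shows `CloudProtection` at 0 or 1, `AsrRuleAction` empty and no SmartScreen policy values, while a hardened one shows 2, the chosen action, 1 and `Block`.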
Despite this success, the incident underscores the ongoing abuse of legitimate cloud services and the necessity for stronger identity validation and monitoring within the cybersecurity landscape.
