Microsoft shuts down malware-signing service Fox Tempest

By Kavitha Nair
Tech writer at All Things Geek. Covers the business and industry of technology.
8 Min Read

A malware-signing service called Fox Tempest has been disrupted by Microsoft’s Digital Crimes Unit, marking a rare takedown of a criminal infrastructure operation that sold fraudulent code-signing certificates to ransomware gangs and other threat actors. The service operated as a malware-signing-as-a-service (MSaaS) platform, abusing Microsoft’s own Artifact Signing infrastructure to create short-lived, fraudulent certificates that made malicious software appear legitimate and trustworthy.

Key Takeaways

  • Fox Tempest created over 1,000 fraudulent code-signing certificates using Microsoft’s signing infrastructure.
  • The service charged up to $9,500 per malicious code-signing request from criminal customers.
  • Microsoft revoked all identified certificates and seized hundreds of Azure tenants and subscriptions supporting the operation.
  • Downstream attacks affected healthcare, education, government, and financial sectors across multiple countries.
  • The service operated since at least May 2025 and was tracked by Microsoft since September 2025.

How Fox Tempest Weaponized Code-Signing Trust

Code-signing certificates are meant to prove that software comes from a legitimate, trusted source. Fox Tempest perverted this system by creating fraudulent certificates valid for only 72 hours, giving it a moving target that made detection and revocation harder. The operation established hundreds of Azure tenants and subscriptions to support its infrastructure, creating what amounted to a criminal signing factory. Customers submitted malware or trojanized installers—like fake Microsoft Teams downloads—through an authenticated portal with drag-and-drop functionality, receiving signed binaries in return.

Steven Masada from Microsoft’s Digital Crimes Unit described the abuse bluntly: fraudulent code-signing acts as a fake ID that lets cybercriminals walk right through the front door. When security tools check whether software is authentic, they see a valid Microsoft-issued certificate and allow execution. The malware then runs with the trust that legitimate software deserves, bypassing controls designed to catch suspicious binaries before they execute.

Scale and Impact of the Malware-Signing Service Operation

Fox Tempest was not a small-time operation. Microsoft said it identified more than 1,000 code-signing certificates created through the service and has revoked over 1,000 certificates attributed to the group. The website signspace[.]cloud hosted the service before Microsoft took it down. Cybercriminal customers paid up to $9,500 per signing request, making this a lucrative business model for the operators.

The downstream impact extended across multiple sectors and countries. Healthcare, education, government, and financial services organizations in the U.S., France, India, and China reported attacks using Fox Tempest-signed malware. The service enabled the deployment of ransomware families including Rhysida, helped distribute infostealers like Lumma Stealer and Vidar, and supported ad-fraud and SEO-poisoning campaigns that pushed malicious downloads higher in search results. One documented example involved Vanilla Tempest uploading trojanized Microsoft Teams installers, which were then signed and distributed through attacker-controlled ads and fake download pages.

Microsoft’s Takedown and the Broader Threat Landscape

Microsoft seized infrastructure, blocked access to hundreds of virtual machines, and removed the hosting infrastructure supporting the operation. The takedown was supported by industry partner Resecurity. However, the disruption highlights a structural vulnerability in how code-signing is managed at scale. Maurice Mason from Microsoft’s Digital Crimes Unit noted that Fox Tempest operated upstream in the malware and ransomware supply chain, as an enabler. Unlike threat actors that directly target victims, Fox Tempest sold its services to other gangs, multiplying the impact of a single malicious infrastructure investment.

This model differs from traditional certificate abuse. While code-signing certificate theft and misuse have existed for at least a decade, Fox Tempest was unusual because it offered a scalable, service-based model with a user-friendly interface. Customers did not need technical expertise in certificate generation or Windows authentication mechanisms—they simply uploaded code and received signed binaries. That accessibility made it dangerous.

Why This Matters for Software Supply Chain Security

The Fox Tempest takedown exposes a gap in how trust is verified in software delivery. Code-signing is supposed to be a hard guarantee: if a binary carries a signature that chains to a trusted Microsoft root, the publisher named in the certificate produced it. Fox Tempest broke that assumption not by stealing a legitimate key or breaking the cryptography, but by obtaining genuine certificates through Microsoft's own issuance pipeline under fraudulent identities, so the resulting signatures verified cleanly. The 72-hour validity window made the certificates harder to track and revoke in real time; it did not limit how long the signed malware stayed usable, because an Authenticode signature that carries a trusted timestamp countersignature remains valid after the certificate itself expires, which is why revocation, not expiry, is what actually neutralizes these binaries. When a user downloads what appears to be a legitimate Microsoft Teams installer but is actually ransomware signed with a Fox Tempest certificate, they have no way to tell the difference unless their system checks the certificate's revocation status or their security software catches the deception.

Organizations that rely on code-signing as a primary defense mechanism—and many do—face a sobering reality: the defense is only as strong as the signing infrastructure itself. Fox Tempest demonstrated that even when that infrastructure belongs to a major technology company, determined attackers can abuse it at scale.

What happens to Fox Tempest customers now?

Microsoft revoked all identified Fox Tempest certificates, rendering the signatures on those binaries invalid on systems that receive the updated revocation information. However, organizations that were compromised by Fox Tempest-signed malware before the takedown need to assume their systems were infiltrated and conduct thorough incident response. Ransomware groups that relied on Fox Tempest will need to find alternative code-signing methods or operate without the trust that a valid signature provides, a significant operational setback.
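A practical check that covers the points raised in the two preceding sections (verifying revocation status, and the short validity window of the Fox Tempest certificates): the following PowerShell function is an added example, not code from Microsoft, Resecurity or the article, that audits an Authenticode-signed Windows binary for the signals a responder would look for. It assumes a Windows host with the built-in Get-AuthenticodeSignature cmdlet, network access to the issuing CA's CRL or OCSP endpoints, and an illustrative 3-day short-lived threshold and C:\Downloads scan path; the function name, threshold and path are assumptions, not values from the article.

```powershell
# Added example (not Microsoft's or the article's code). Audits an Authenticode
# signature: signature status, signer subject/issuer, length of the signer
# certificate's validity window, presence of a timestamp countersignature, and
# revocation status of the full chain via an online chain build.
# Assumptions: the 3-day threshold mirrors the 72-hour window described in the
# article and is an indicator only; revocation checking needs network access.

function Get-SignatureAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ShortLivedDays = 3   # assumption: treat <= 72h validity as notable
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File        = $Path
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        StatusMsg   = $sig.StatusMessage
        Signer      = $null
        Issuer      = $null
        ValidDays   = $null
        ShortLived  = $false
        Timestamped = $false
        Revoked     = $false
        ChainErrors = @()
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer      = $cert.Subject
        $result.Issuer      = $cert.Issuer
        $lifetime           = $cert.NotAfter - $cert.NotBefore
        $result.ValidDays   = [math]::Round($lifetime.TotalDays, 2)
        $result.ShortLived  = $lifetime.TotalDays -le $ShortLivedDays
        # A timestamp countersignature keeps the signature valid after the
        # signer certificate expires, so expiry alone never retires the binary.
        $result.Timestamped = $null -ne $sig.TimeStamperCertificate

        # Rebuild the chain with online revocation checking for every cert in it.
        # The cmdlet's Status field does not by itself say whether the CA has
        # revoked the certificate since signing; the chain status does.
        $ns    = 'System.Security.Cryptography.X509Certificates'
        $chain = New-Object "$ns.X509Chain"
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($cert)
        foreach ($s in $chain.ChainStatus) {
            $result.ChainErrors += $s.Status.ToString()
            $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
            if (($s.Status -band $revokedFlag) -ne 0) { $result.Revoked = $true }
        }
        $chain.Dispose()
    }
    [pscustomobject]$result
}

# Scan a directory of downloaded installers (path is an assumption) and surface
# the signed binaries that warrant a closer look: revoked, short-lived, or
# lacking a timestamp countersignature.
Get-ChildItem -Path 'C:\Downloads' -Include *.exe, *.msi -Recurse |
    ForEach-Object { Get-SignatureAudit -Path $_.FullName } |
    Where-Object { $_.Signer -and ($_.Revoked -or $_.ShortLived -or -not $_.Timestamped) } |
    Format-Table File, Signer, ValidDays, Timestamped, Revoked, ChainErrors -AutoSize
```

Two design choices matter here. The filter keys on whether a signer certificate is present rather than on Status being Valid, because a binary signed with a since-revoked certificate is exactly the case you want to see, regardless of how the cmdlet summarizes it. And a short validity window is reported as an indicator, not a verdict: legitimate short-lived certificates exist, so ShortLived should feed triage, while Revoked (from the online chain build) is the authoritative signal that the issuing CA has withdrawn trust.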

Could Fox Tempest restart elsewhere?

The core vulnerability—the ability to abuse code-signing infrastructure at scale—remains. Another actor could attempt a similar operation using different signing platforms or by stealing legitimate certificates. Microsoft’s takedown is a disruption, not a permanent fix. The real mitigation requires code-signing providers to implement stronger abuse detection, stricter certificate issuance controls, and faster revocation mechanisms. Until then, the supply chain remains a target.

Microsoft’s disruption of Fox Tempest matters because it pulled back the curtain on how malware supply chains operate. The service was not a tool for a single ransomware gang—it was infrastructure for hire, sold to multiple threat actors across sectors and geographies. Shutting it down degrades the capabilities of every customer, but it also sends a message that even criminal services operating at scale can be identified and dismantled. The question now is whether other code-signing abuse operations are running in the shadows, waiting for the next opportunity to monetize trust.

Edited by the All Things Geek team.

Source: TechRadar
