An overview of malware‑signing‑as‑a‑service | Image: Microsoft
Microsoft’s Digital Crimes Unit (DCU) has delivered a massive blow to the cybercrime underground. In May 2026, alongside cybersecurity partner Resecurity, Microsoft disrupted “Fox Tempest,” a prominent player in the global malware supply chain.
The Business of Fraudulent Trust
Fox Tempest did not hack networks directly. Instead, the group carved out a lucrative niche by offering malware-signing-as-a-service (MSaaS) to other high-profile cybercriminals.
According to the Microsoft Threat Intelligence report:
“The threat actor abuses Microsoft Artifact Signing to generate short-lived, fraudulent code-signing certificates to appear legitimately signed, allowing malware to evade security controls.”
By abusing this service, the group obtained code-signing certificates that were each valid for only 72 hours. That short window was enough for malicious payloads to masquerade as trusted everyday tools such as Microsoft Teams, AnyDesk, and PuTTY. To get past the identity verification required to onboard a signing tenant, Fox Tempest likely relied on stolen identities from the United States and Canada to register hundreds of fraudulent Azure tenants and generate thousands of fake certificates.
A Premium Pricing Model
This operation ran like a legitimate enterprise, managing customer relations and processing high-value financial transactions. The group advertised its capabilities under the Telegram handle “EV Certs for Sale by SamCodeSign”. Customers filled out a Google Form, offered in English and Russian, to select a tier package. These premium plans ranged from $5,000 to $9,000 USD, with higher-paying clients receiving priority access in the processing queue.
In February 2026, the group upgraded its infrastructure to streamline operations. They began providing buyers with pre-configured virtual machines (VMs) hosted on Cloudzy’s virtual private servers. This shift allowed buyers to upload malware files directly into Fox Tempest-controlled environments to receive signed binaries automatically.
Fueling the Ransomware Ecosystem
The downstream damage from this single service is staggering. Microsoft observed multiple aggressive threat actors leveraging Fox Tempest’s signed files to launch active network intrusions.
The report notes the wide reach of the operation:
“Microsoft Threat Intelligence observed Fox Tempest’s operations enabling the deployment of Rhysida ransomware by threat actors such as Vanilla Tempest, as well as the distribution of other malware families including Oyster, Lumma Stealer, and Vidar.”
For example, an actor known as Vanilla Tempest used the service to sign trojanized Microsoft Teams installers. They then distributed these malicious files via paid search ads on legitimate platforms and search engine optimization (SEO) poisoning. Unsuspecting users downloaded a fake installer, which quietly deployed the Oyster backdoor to grant initial access to corporate networks.
From there, attackers dropped devastating ransomware payloads. This pipeline fueled attacks across global healthcare, education, and financial sectors.
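The abuse pattern described above, a 72-hour certificate on a binary whose version resource claims to be Microsoft Teams, AnyDesk or PuTTY, is visible on the endpoint. The following is an added triage script, not code from the Microsoft report or from this site. It assumes a Windows host with PowerShell 5.1 or later; the 72-hour threshold, the Downloads folder in the usage line, and the heuristic of comparing the claimed CompanyName against the signer's common name are all illustrative choices of this example.

```powershell
# Added example (not from the Microsoft report): triage Authenticode signers on
# downloaded installers and flag short-lived certificates whose signer does not
# match the publisher the file claims to be from.
# Assumptions: the 72-hour threshold mirrors the certificates described in the
# report; the CompanyName-vs-signer comparison is a heuristic, not a rule.
function Get-SignerTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [int]$ShortLivedHours = 72   # assumed threshold
    )

    foreach ($file in $Path) {
        $sig        = Get-AuthenticodeSignature -FilePath $file
        $cert       = $sig.SignerCertificate
        $ver        = (Get-Item -LiteralPath $file).VersionInfo
        $signerName = $null
        $findings   = @()

        if ($sig.Status -ne 'Valid') {
            $findings += "signature status: $($sig.Status)"
        }

        if ($cert) {
            # Certificate lifetime, independent of today's date: a timestamped
            # signature still validates after NotAfter, so this is a signal, not a block.
            $lifetimeHours = ($cert.NotAfter - $cert.NotBefore).TotalHours
            if ($lifetimeHours -le $ShortLivedHours) {
                $findings += ("short-lived signing cert ({0:N0} h)" -f $lifetimeHours)
            }

            $signerName = $cert.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

            # The version resource is attacker-controlled. A file that claims to be from
            # one vendor but is signed by another is exactly the trojanized-installer lure.
            if ($ver.CompanyName -and $signerName -and
                $ver.CompanyName.Trim() -notlike "*$signerName*") {
                $findings += "claimed publisher '$($ver.CompanyName)' but signed by '$signerName'"
            }
        }

        [pscustomobject]@{
            File          = $file
            Product       = $ver.ProductName
            ClaimedVendor = $ver.CompanyName
            Signer        = $signerName
            Issuer        = if ($cert) { $cert.Issuer } else { $null }
            NotBefore     = if ($cert) { $cert.NotBefore } else { $null }
            NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
            Timestamped   = [bool]$sig.TimeStamperCertificate
            Findings      = ($findings -join '; ')
            Suspicious    = ($findings.Count -gt 0)
        }
    }
}

# Usage (illustrative path): triage installers in the Downloads folder, suspicious first.
Get-ChildItem "$env:USERPROFILE\Downloads" -Include *.exe, *.msi -Recurse |
    ForEach-Object { Get-SignerTriage -Path $_.FullName } |
    Sort-Object Suspicious -Descending |
    Format-Table File, ClaimedVendor, Signer, NotBefore, NotAfter, Findings -AutoSize
```

Two caveats on reading the output. A `Valid` status only means the chain is trusted; the Issuer and Signer columns are what tell you whether the trust is the one you expected, so record them rather than just the status. And the publisher comparison produces false positives for legitimate subsidiaries and resellers, so treat a mismatch as a reason to compare against a known-good copy, not as a verdict on its own.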
Fortunately, Microsoft’s intervention revoked over one thousand fraudulent certificates and took down the core infrastructure. For system administrators and CISOs, this removes a pillar that threat actors relied on to get past endpoint defenses, with one caveat: Authenticode signatures are normally timestamped, so a binary stays validly signed after its 72-hour certificate expires, and it is the revocation, checked by the endpoint at validation time, that invalidates files that were already signed. A valid signature from an unfamiliar publisher should be treated as a prompt to verify, not as proof of trust.