New Microsoft research disclosed disruption of a cybercrime operation known as Fox Tempest, a malware-signing-as-a-service (MSaaS) platform that enabled ransomware gangs and other threat actors to disguise malicious software as legitimate applications. Active since May 2025, the service was used to infect thousands of machines and compromise networks worldwide through fraudulent abuse of Microsoft’s code-signing infrastructure. Microsoft linked the operation to ransomware actors, including Vanilla Tempest, and malware families such as Oyster, Lumma Stealer, Vidar, INC, Qilin, and Akira.
The company said organizations targeted by the campaigns included schools, hospitals, and other critical entities across multiple regions. Microsoft also tied the Rhysida ransomware strain associated with the operation to high-profile attacks. Microsoft added that the broader abuse of illicit code-signing services has also been observed in attacks targeting critical infrastructure organizations in Europe, underscoring the increasingly global and industrialized nature of the cybercrime ecosystem.
Microsoft is working closely with cybersecurity firm Resecurity to understand how Fox Tempest operates, while also coordinating with Europol’s European Cybercrime Centre and the Federal Bureau of Investigation.
“To disrupt the service, we seized Fox Tempest’s website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, wrote in a Tuesday blog post. “This action builds upon persistent internal efforts to revoke fraudulently obtained code‑signing certificates and enhance our defenses and employ new security features to detect and thwart such malicious activity. It’s already having an impact: cybercriminals are complaining about challenges accessing the current service.”
As Microsoft disabled fraudulent accounts, revoked fraudulently obtained certificates and introduced enhanced protections, the Fox Tempest operators continually adapted. In February 2026, the adversaries shifted to networks of third-party-hosted virtual machines to maintain and scale operations. That kind of rapid change is part of the model, with these services evolving quickly in response to pressure and friction. In fact, Microsoft has observed further adaptations in response to its layered disruption efforts, with Fox Tempest attempting to shift operations and customers to another code-signing service.
Apart from seizing core infrastructure behind the operation and degrading its ability to function at scale, Microsoft has taken further steps to prevent similar abuse, removing fraudulent accounts, strengthening verification, and limiting how this type of access can be reused.
Masada said Microsoft’s action extended beyond a single threat actor, noting that the company unsealed a case in the U.S. District Court for the Southern District of New York targeting Fox Tempest’s infrastructure and naming the ransomware group Vanilla Tempest as a co-conspirator. He said the group used the service to deploy malware, including Oyster, Lumma Stealer, and Vidar, as well as ransomware strains such as Rhysida in multiple recent cyberattacks.
He also highlighted that the case points to how cybercrime is changing. What once required a single group to carry out an attack from start to finish is now broken into a modular ecosystem where services are bought and sold and work interchangeably with one another. Some services are inexpensive and widely used. Others, like Fox Tempest, are highly specialized and expensive because they remove friction or bypass obstacles that make attacks fail, making them more reliable and harder to detect. As seen with Fox Tempest, when these services are combined with AI-powered tactics, attacks can scale more easily, reaching more people and becoming more convincing.
“Vanilla Tempest has targeted schools, hospitals, and other critical organizations worldwide, while Rhysida, a highly evolved ransomware variant that both encrypts files and steals data, often used for double extortion, has been used by various actors in numerous high-profile attacks globally, including to steal and leak internal documents from the British Library and to disrupt operations at Seattle-Tacoma International Airport,” the post detailed. “Microsoft’s investigation further linked Fox Tempest to various additional ransomware affiliates and families, including INC, Qilin, Akira, and others.”
AI also helped generate and refine these campaigns to reach a broader audience. Masada noted that this changed the odds: malicious software that should have been blocked or flagged by antivirus and other safeguards was more likely to be opened, allowed to run, or to pass security checks, essentially allowing malware to hide in plain sight. Instead of forcing their way in, attackers could slip through the front door by masquerading as a welcome guest.
Masada also identified that illicit code-signing certificates have been sold and trafficked for more than a decade. “That includes its use by nation-state actors to target critical infrastructure organizations in Europe. What’s changed is how this activity is marketed, packaged, and sold as a service, along with the scale at which it is now used across ransomware campaigns. Instead of buying certificates one-by-one, criminals upload their malware to a service that signs it for them.”
“What also makes this model notable is the level of investment,” Masada disclosed. “Unlike lower-cost services like RedVDS, a cybercriminal infrastructure provider that costs as little as $24 per month, which Microsoft disrupted earlier this year, Fox Tempest shows that more sophisticated actors are willing to pay thousands of dollars for advanced capabilities that make attacks easier to carry out, harder to detect, and more likely to succeed.”
Masada described Fox Tempest’s business model as straightforward, selling fraudulent code-signing capabilities that allowed customers to package malware and enable downstream attacks. He said the operation generated millions in proceeds, underscoring its substantial financial gains.
“Behind the scenes, the operators built access at scale. Using fabricated identities and impersonating legitimate organizations, they created hundreds of fraudulent Microsoft accounts to obtain real code-signing credentials in volume,” he added. “Customers who paid for Fox Tempest’s services could then upload malicious files via an online portal for them to be signed using Fox Tempest-controlled certificates. Cybercriminals paid thousands of dollars for the service, reflecting how valuable this capability was.”
Once signed, the malware appeared legitimate. Attackers then distributed the signed malware through tactics such as search manipulation and malicious ads, where users are more likely to trust what they encounter.
Commenting on Microsoft’s action, Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, wrote in an emailed statement that it really comes down to the profitability of abusing trust.
“Malware-Signing-as-a-Service (MSaaS) is offered to cybercriminals (e.g., initial access brokers (IABs)) who then pay to use it, which involves abusing code-signing services (e.g., Microsoft Artifact Signing) to generate short-lived, fraudulent code-signing certificates so that malware would appear legitimately signed and evade security controls,” Kaiser detailed. “Typical signed malware is often disguised as trusted applications like various Remote Management and Monitoring (RMM) and IT tools (e.g., AnyDesk, Microsoft Teams, PuTTY, and Webex), which significantly increases the chance that victims would run it. Many of these IAB operations lead to ransomware.”
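A defender-side triage heuristic for the pattern Kaiser describes (a binary named after a trusted IT/RMM tool but signed under an unrelated identity, often with a short-lived certificate), added here as an example; it is not code from the article, Microsoft or Halcyon. It assumes signature metadata has already been extracted into plain dicts; the publisher allowlist values and the sample records are constructed assumptions.

```python
# Added example (not from the article, Microsoft or Halcyon): triage of signed
# binaries that present themselves as trusted IT/RMM tools. Assumes Authenticode
# metadata was already extracted (product name from the version resource, signer
# Subject CN, certificate validity window); allowlist and samples are constructed.
from datetime import datetime, timedelta

# Hypothetical allowlist: product name -> substrings expected in the signer CN.
# Maintain such a table from vendor documentation; values here are illustrative.
EXPECTED_PUBLISHER = {
    "AnyDesk": ("AnyDesk",),
    "Microsoft Teams": ("Microsoft Corporation",),
    "PuTTY": ("Simon Tatham",),
    "Webex": ("Cisco",),
}

# Short-lived certificates are normal for services such as Microsoft Artifact
# Signing, so a short window alone only warrants review; combined with a
# publisher mismatch (or a revoked cert) the file is treated as suspicious.
SHORT_LIFETIME = timedelta(days=7)

def triage(record):
    """Return the list of findings for one signed-file metadata record."""
    findings = []
    expected = EXPECTED_PUBLISHER.get(record["product_name"])
    signer = record["signer_cn"].lower()
    if expected and not any(e.lower() in signer for e in expected):
        findings.append("publisher_mismatch")
    if record["not_after"] - record["not_before"] <= SHORT_LIFETIME:
        findings.append("short_lived_certificate")
    if record.get("revoked"):
        findings.append("certificate_revoked")
    return findings

def verdict(findings):
    """Collapse findings into a single disposition for an analyst queue."""
    if "publisher_mismatch" in findings or "certificate_revoked" in findings:
        return "suspicious"
    return "review" if findings else "clean"

# Constructed sample records (not real observations).
SAMPLE_RECORDS = {
    "anydesk_lookalike.exe": {"product_name": "AnyDesk", "signer_cn": "Contoso Example Ltd",
                              "not_before": datetime(2026, 2, 1), "not_after": datetime(2026, 2, 4)},
    "putty.exe": {"product_name": "PuTTY", "signer_cn": "Simon Tatham",
                  "not_before": datetime(2024, 1, 1), "not_after": datetime(2027, 1, 1)},
    "webex.exe": {"product_name": "Webex", "signer_cn": "Cisco Systems, Inc.",
                  "not_before": datetime(2026, 3, 1), "not_after": datetime(2026, 3, 4)},
}

def triage_all(records=SAMPLE_RECORDS):
    """Map each file name to its verdict."""
    return {name: verdict(triage(rec)) for name, rec in records.items()}
```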
In conclusion, Masada said Microsoft’s action was not aimed at stopping a single actor, but at disrupting a critical enabler of cybercrime. “It sought to strategically neutralize a vital service that many attackers, particularly ransomware groups, rely on. When legitimate code signing services are weaponized, everything downstream gets easier: malware looks legitimate, security warnings are less likely to trigger, and attacks are more likely to succeed. Degrading that capability adds friction and forces a reset.”
He added that the success rates of attacks decrease, and attackers have to rebuild, find new ways in, and accept more risk with each attempt, driving up both the cost and the time required to operate. “Importantly, disruption actions don’t happen in isolation and are never one-and-done. Collaboration is critical, as different organizations and sectors have visibility into different parts of the cybercrime ecosystem.”