Microsoft announced on Tuesday that it has disrupted a cybercrime service that has been helping threat actors distribute ransomware and other malware.
According to the tech giant, a threat actor it has named Fox Tempest has been running a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to generate short-lived code-signing certificates. The certificates are used to sign malware disguised as legitimate software, helping it evade detection.
“Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest,” the company explained.
Microsoft has been tracking Fox Tempest since September 2025 and says its services have been used by several ransomware groups, including Vanilla Tempest, which the company targeted in October 2025. The MSaaS has been used to deliver ransomware such as Rhysida, Inc, Qilin, and Akira.
In addition to ransomware, Fox Tempest has aided the distribution of malware families such as Lumma Stealer, Oyster, and Vidar.
“The downstream impact of these operations has resulted in attacks against a broad range of industry sectors, including healthcare, education, government, and financial services, impacting organizations globally including, but not limited to the United States, France, India, and China,” Microsoft said.
The service costs thousands of dollars, and Microsoft believes the threat actor made millions.
In an effort to disrupt the cybercrime operation, Microsoft seized core infrastructure, removed fraudulent accounts, and strengthened verification processes for the abused services.
The company filed a lawsuit targeting Fox Tempest and Vanilla Tempest. In cybercrime disruption operations, lawsuits serve as powerful legal mechanisms to seize malicious domains, dismantle server infrastructure, and compel third-party providers to take criminal operations offline.
Microsoft was involved in several cybercrime service takedowns in the past year, including operations targeting RedVDS, RaccoonO365, and Tycoon 2FA.
Related: Google Says Chinese ‘Lighthouse’ Phishing Kit Disrupted Following Lawsuit
Related: Tycoon 2FA Fully Operational Despite Law Enforcement Takedown
Related: SystemBC Infects 10,000 Devices After Defying Law Enforcement Takedown
