Fox Tempest — Malware‑Signing‑as‑a‑Service Exploits Microsoft Artifact Signing

Overview

A financially motivated threat actor known as Fox Tempest has been operating a malware‑signing‑as‑a‑service (MSaaS) platform that abused Microsoft’s Artifact Signing infrastructure to generate trusted digital signatures for malicious code. This allowed cybercriminals to bypass security controls and distribute malware that appeared to be legitimately signed.

In May 2026, Microsoft’s Digital Crimes Unit (DCU), in collaboration with Resecurity, dismantled the operation, revoking more than 1,000 fraudulent certificates linked to Fox Tempest’s infrastructure.

Abuse of Microsoft Artifact Signing

Fox Tempest exploited Microsoft’s Artifact Signing service (formerly Azure Trusted Signing) to obtain short‑lived code‑signing certificates valid for up to 72 hours.

  • These certificates made malware binaries appear as trusted applications.
  • Spoofed versions of Microsoft Teams, AnyDesk, PuTTY, and Webex were distributed using these signatures.
  • The group used stolen or synthetic identities from the U.S. and Canada to pass Microsoft’s identity verification checks.

The operation was facilitated through a now‑defunct platform, signspace[.]cloud, which allowed customers to upload malicious files and receive digitally signed binaries.

Infrastructure and Operations

Microsoft Threat Intelligence has tracked Fox Tempest since September 2025, identifying it as a key enabler within the ransomware ecosystem.

  • Hundreds of Azure tenants and subscriptions were created to issue thousands of certificates.
  • In early 2026, Fox Tempest began offering pre‑configured virtual machines (VMs) hosted on third‑party providers.
  • Customers could upload payloads directly into these controlled environments, where automated tooling (e.g., a metadata.json configuration and PowerShell scripts) handled the signing.
  • This evolution improved operational security and streamlined the signing process.

Links to Other Threat Actors

Fox Tempest’s MSaaS platform has been tied to multiple ransomware and infostealer families:

  • Vanilla Tempest, Storm‑0501, Storm‑2561, and Storm‑0249 used Fox Tempest‑signed malware.
  • Associated payloads include Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.
  • One observed attack chain involved trojanized Microsoft Teams installers distributed via malvertising, deploying the Oyster backdoor for persistence and C2 communication.

Commercial Model

Fox Tempest operated as a commercial service, charging between $5,000 and $9,000 for malware signing.

  • Access was managed through Telegram channels and online forms.
  • High‑tier customers received priority signing and dedicated VMs.
  • Cryptocurrency analysis links Fox Tempest to ransomware affiliates behind Qilin, Akira, and INC, with revenues reaching millions of dollars.

This model lowered the barrier for less‑skilled attackers by providing trusted code‑signing capabilities on demand.

Indicators of Compromise (IOCs)

  • Domain: signspace[.]cloud
  • SHA‑1 Certificates:
    • dc0acb01e3086ea8a9cb144a5f97810d291020ce
    • 7e6d9dac619c04ae1b3c8c0906123e752ed66d63
  • SHA‑256 File Hashes:
    • f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc
    • 11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326

Mitigation & Defense Recommendations

Microsoft advises organizations to strengthen defenses against signed‑malware abuse:

  • Enable cloud‑delivered protection and real‑time scanning in endpoint security tools.
  • Deploy Microsoft Defender SmartScreen to block malicious downloads.
  • Enforce tamper protection to prevent disabling of security agents.
  • Use ASR rules to block common malware techniques.
  • Enable Safe Links and Safe Attachments in email security.
  • Monitor certificate usage for suspicious short‑lived signing activity.
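One way to act on the last recommendation, as an added PowerShell example (not Microsoft's or the article's own code): enumerate Authenticode‑signed binaries under a folder, flag signers whose certificate validity window is 72 hours or less (the Artifact Signing lifetime described above), and match signer thumbprints against the two SHA‑1 IOCs listed below. The scan root and the 72‑hour threshold are assumptions.

```powershell
# Added example: triage signed binaries for short-lived signer certificates and
# known-bad thumbprints. $ScanRoot and the 72-hour threshold are assumptions.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads",
    [int]$MaxLifetimeHours = 72
)

# SHA-1 certificate thumbprints from the IOC section, in the uppercase
# no-separator form that Get-AuthenticodeSignature reports.
$IocThumbprints = @(
    'DC0ACB01E3086EA8A9CB144A5F97810D291020CE',
    '7E6D9DAC619C04AE1B3C8C0906123E752ED66D63'
)

function Test-ShortLivedSigner {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return $null }   # unsigned: nothing to assess

    $cert     = $sig.SignerCertificate
    $lifetime = $cert.NotAfter - $cert.NotBefore
    $reasons  = @()

    if ($lifetime.TotalHours -le $MaxLifetimeHours) {
        $reasons += "signer cert valid for only $([math]::Round($lifetime.TotalHours, 1)) h"
    }
    if ($IocThumbprints -contains $cert.Thumbprint) {
        $reasons += 'signer thumbprint matches published IOC'
    }
    if ($reasons.Count -eq 0) { return $null }

    # A short validity window is a triage signal, not proof of malice: legitimate
    # Artifact Signing customers receive the same 72-hour certificates, and a
    # timestamped signature stays Valid after the certificate itself expires.
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status          # Valid / HashMismatch / NotTrusted / ...
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        Reasons    = ($reasons -join '; ')
    }
}

Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.exe, *.dll, *.msi |
    ForEach-Object { Test-ShortLivedSigner -Path $_.FullName } |
    Where-Object { $_ } |
    Format-Table Path, Status, Subject, Reasons -AutoSize
```

Run it against a download or software-distribution share and review the flagged rows together with their Issuer and Status before deciding whether to block or allow the binary.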

Strategic Impact

Microsoft’s takedown of Fox Tempest infrastructure marks a significant disruption to the cybercrime supply chain. By targeting the enabling service rather than individual attackers, the operation reduces the ability of multiple ransomware groups to distribute trusted malware at scale.

However, the incident underscores how legitimate cloud services and trust mechanisms continue to be abused — reinforcing the need for stronger identity validation and certificate monitoring across the ecosystem.

Final Thoughts

The Fox Tempest case demonstrates how trust exploitation has become a cornerstone of modern cybercrime. By abusing legitimate signing infrastructures, attackers can weaponize authenticity itself.

For defenders, the path forward lies in continuous certificate auditing, identity verification hardening, and cross‑vendor collaboration to ensure that trust mechanisms remain uncompromised.
