- Microsoft disrupts Fox Tempest operation that abused Azure Artifact Signing to issue fraudulent code-signing certificates
- The group created over 1,000 certificates and hundreds of Azure tenants, allowing malware campaigns to bypass security checks
- Lawsuits were brought against Fox Tempest and Vanilla Tempest, whose services supported major malware and ransomware distribution
Microsoft has taken down a malicious service that offered fraudulent code-signing certificates to hackers and has launched a lawsuit against the perpetrators of the operation.
In its report, the company said a threat actor known as Fox Tempest used Azure Artifact Signing to create temporary certificates. These certificates made it possible to sign the malware as legitimate software, bypass antivirus protection and compromise the victim’s devices.
To access the service, the criminals allegedly used various identities stolen from people in the United States and Canada. To minimize the chances of detection, they created certificates that were valid for only 72 hours. Even so, over the course of the operation the attackers created more than 1,000 certificates, as well as hundreds of Azure tenants and subscriptions.
High-profile clients
“Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over a thousand code signing certificates attributed to Fox Tempest,” Microsoft said in the report.
“In May 2026, Microsoft’s Digital Crimes Unit (DCU), with support from industry partners, disrupted Fox Tempest’s MSaaS offering, targeting the infrastructure and access model enabling its wider criminal use.”
As part of the takedown effort, Microsoft seized the sign space[dot]com domain, as well as hundreds of virtual machines. It also blocked access to infrastructure that hosted the entire service.
Bleeping Computer notes that some of the largest malware and ransomware campaigns used Fox Tempest’s services, including LummaStealer, Vidar, Qilin, BlackByte, and Akira. Vanilla Tempest was named as a co-conspirator in the lawsuit, it further stated, as it allegedly distributed both malware and ransomware.
Some of the fake apps distributed this way included Teams, AnyDesk and Webex.
“When unsuspecting victims executed the spoofed Microsoft Teams installation files, those files delivered a malicious loader that in turn installed the fraudulently signed Oyster malware and ultimately deployed the Rhysida ransomware,” Microsoft explained.
“Because the Oyster malware was signed by a certificate from Microsoft’s Artifact Signing service, the Windows operating system initially recognized the malware as legitimate software when it would otherwise be flagged as suspicious or blocked entirely by security controls in the Windows operating system.”




