Microsoft says it disrupted a malware-signing service that abused Azure Artifact Signing to create fraudulent certificates used in ransomware and malware attacks.
The Fox Tempest operation allegedly helped cybercriminals distribute malware disguised as trusted software to evade Windows defenses and fool users.
“Fox Tempest doesn’t directly target victims but instead provides supporting services that enable ransomware operations by other threat actors,” said Microsoft in its advisory.
Key Takeaways from the Fox Tempest Operation
- Microsoft disrupted the Fox Tempest malware-signing service that abused Azure Artifact Signing to create fraudulent code-signing certificates.
- The operation allegedly helped ransomware groups distribute malware disguised as trusted software like Microsoft Teams and AnyDesk.
- Microsoft said the group used stolen identities and short-lived certificates to bypass verification controls and evade detection.
- The service expanded into hosted malware-signing infrastructure, allowing customers to upload malware and receive signed binaries directly.
- Microsoft warned that trusted digital signatures alone are no longer reliable indicators of software legitimacy.
Inside the Fox Tempest Malware Operation
Microsoft said attackers abused its Azure Artifact Signing service to generate legitimate-looking certificates used to distribute malware through a large-scale malware-signing-as-a-service (MSaaS) operation known as Fox Tempest.
The campaign was tied to malware families including Oyster, Lumma Stealer, and Vidar, along with ransomware groups such as Rhysida, Akira, INC, Qilin, and BlackByte.
Threat actors associated with Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 reportedly used the signed malware in attacks targeting organizations worldwide.
Signed Malware Disguised as Trusted Software
Customers of the platform could upload malicious binaries and receive digitally signed malware using fraudulently obtained certificates generated through Azure Artifact Signing.
The malware itself was often disguised as trusted enterprise software such as Microsoft Teams, AnyDesk, PuTTY, and Webex to reduce suspicion and improve delivery success rates.
In one example, fake Microsoft Teams installers deployed Oyster malware, which was then used to deliver Rhysida ransomware to victim systems.
Stolen Identities and Short-Lived Certificates
Researchers believe the operators likely relied on stolen identities from the United States and Canada to bypass Microsoft’s identity verification requirements and gain access to the signing service.
Microsoft also said Fox Tempest frequently used short-lived certificates valid for only 72 hours, allowing the group to rotate certificates quickly and reduce the effectiveness of traditional revocation efforts. A timestamped Authenticode signature remains valid after the certificate expires, so a binary signed on day one keeps its trusted status even though, by the time abuse is reported, the certificate is usually already expired and any revocation has to be dated before the signing time to have any effect.
Malware-Signing Service Expanded Operations
Earlier this year, the operation reportedly expanded beyond certificate issuance by offering pre-configured virtual machine environments hosted through Cloudzy infrastructure.
Customers could upload malware directly into hosted systems and receive signed binaries, streamlining malware deployment for ransomware operators and other cybercriminal customers.
The service was openly promoted through a Telegram channel called “EV Certs for Sale by SamCodeSign,” with access reportedly priced between $5,000 and $9,000 in bitcoin.
Microsoft said the operation generated millions of dollars in profits and demonstrated the characteristics of a mature cybercriminal enterprise managing infrastructure, financial transactions, operational security, and customer support at scale.
Reducing Risk from Trusted Software Abuse
A valid digital signature proves only that a file was signed with a particular certificate and has not been altered since; it does not guarantee that the software is safe.
As attackers abuse cloud signing services and trusted applications to evade detection, organizations need stronger controls around software validation, identity management, and infrastructure segmentation.
- Strengthen application allowlisting and endpoint detection policies to identify suspicious behavior from signed binaries, installers, and trusted software impersonation attempts.
- Enforce strong identity verification, multi-factor authentication (MFA), and least-privilege access controls across certificate issuance systems, Azure tenants, and cloud-signing environments.
- Segment build, signing, and production infrastructure to limit lateral movement opportunities and reduce exposure if signing environments or certificates are compromised.
- Monitor Azure tenant creation, virtual machine provisioning, and certificate activity for anomalous behavior, including excessive short-lived certificate issuance or suspicious infrastructure deployment patterns.
- Implement certificate reputation monitoring, behavioral sandboxing, and secondary validation checks for newly signed executables before allowing them to run in enterprise environments.
- Continuously review and revoke unused signing credentials, API tokens, and cloud identities, while restricting access to signing systems through privileged access management and hardware-backed key protection.
- Test incident response and trusted software abuse playbooks regularly to ensure teams can quickly isolate signed malware, revoke compromised certificates, contain malicious infrastructure, and recover affected systems.
Together, these steps can help organizations build resilience against trusted software abuse while reducing overall exposure to compromised certificates, malicious infrastructure, and signed malware attacks.
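The list above describes the secondary validation checks in words. As an added example (not code from the Microsoft advisory or the article), here is a triage routine over Authenticode metadata of the kind you would export with Get-AuthenticodeSignature or signtool verify /v. It combines the short-lived-certificate point from earlier (a 72-hour certificate is normal for a cloud signing service, so on its own it is only a review signal) with the vendor-impersonation check for binaries branded as Teams, AnyDesk, PuTTY or Webex. The sample records, file paths, signer names and the vendor-to-signer mapping are constructed placeholders, not real telemetry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SHORT_LIVED = timedelta(hours=72)

# Assumed mapping from impersonated product name to the organization expected
# in the signer's Subject (O=). Placeholder values for illustration only.
EXPECTED_SIGNER = {
    "microsoft teams": "microsoft corporation",
    "anydesk": "anydesk software gmbh",
    "putty": "simon tatham",
    "webex": "cisco systems, inc.",
}


@dataclass
class SignedBinary:
    path: str
    product_name: str        # VersionInfo ProductName / FileDescription
    signer_subject_o: str    # O= component of the signing certificate Subject
    not_before: datetime     # certificate NotBefore
    not_after: datetime      # certificate NotAfter
    signing_time: datetime   # from the RFC 3161 timestamp countersignature
    chain_valid: bool        # chain builds to a trusted root, nothing revoked
    cert_seen_before: bool   # signing cert thumbprint already seen in the estate


def triage(b: SignedBinary) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is "block", "review" or "allow".

    A valid chain only gets a file as far as the heuristics; it never earns
    an "allow" by itself.
    """
    reasons = []
    if not b.chain_valid:
        reasons.append("chain_invalid")

    # Branding that does not match the signer is the strongest impersonation
    # signal: a "Microsoft Teams" installer signed by anyone but Microsoft
    # is not Teams, no matter how clean the signature is.
    product = b.product_name.lower()
    for brand, org in EXPECTED_SIGNER.items():
        if brand in product and b.signer_subject_o.lower() != org:
            reasons.append(f"vendor_signer_mismatch:{brand}")

    # Short-lived certificates are normal for cloud signing services, so they
    # are a weak signal alone; paired with a signature made within an hour of
    # issuance on a never-seen certificate they look like sign-and-discard.
    lifetime = b.not_after - b.not_before
    if lifetime <= SHORT_LIVED:
        reasons.append("short_lived_cert")
        if b.signing_time - b.not_before <= timedelta(hours=1):
            reasons.append("signed_within_1h_of_issuance")
        if not b.cert_seen_before:
            reasons.append("new_signer_cert")

    if "chain_invalid" in reasons or any(r.startswith("vendor_signer_mismatch") for r in reasons):
        return "block", reasons
    if lifetime <= SHORT_LIVED and len(reasons) >= 2:
        return "review", reasons
    return "allow", reasons


UTC = timezone.utc

# Constructed sample records (placeholder paths and signers, not real data).
SAMPLES = [
    SignedBinary(r"C:\Users\alice\Downloads\TeamsSetup.exe", "Microsoft Teams",
                 "Northwind Logistics LLC",
                 datetime(2025, 1, 10, 8, 0, tzinfo=UTC),
                 datetime(2025, 1, 13, 8, 0, tzinfo=UTC),      # 72 h lifetime
                 datetime(2025, 1, 10, 8, 12, tzinfo=UTC),
                 chain_valid=True, cert_seen_before=False),
    SignedBinary(r"C:\Users\bob\Downloads\internal-tool.exe", "Contoso Inventory Client",
                 "Contoso Ltd",
                 datetime(2025, 1, 10, 8, 0, tzinfo=UTC),
                 datetime(2025, 1, 13, 8, 0, tzinfo=UTC),
                 datetime(2025, 1, 10, 8, 5, tzinfo=UTC),
                 chain_valid=True, cert_seen_before=False),
    SignedBinary(r"C:\Program Files\PuTTY\putty.exe", "PuTTY suite",
                 "Simon Tatham",
                 datetime(2024, 6, 1, tzinfo=UTC),
                 datetime(2027, 6, 1, tzinfo=UTC),
                 datetime(2024, 9, 15, tzinfo=UTC),
                 chain_valid=True, cert_seen_before=True),
]


def triage_all(samples=SAMPLES):
    """Map each sample path to its (verdict, reasons)."""
    return {s.path: triage(s) for s in samples}


if __name__ == "__main__":
    for path, (verdict, reasons) in triage_all().items():
        print(f"{verdict:6} {path}  {', '.join(reasons) or '-'}")
```

In the constructed data the fake Teams installer is blocked on the signer mismatch, the unbranded internal tool on a fresh 72-hour certificate goes to review rather than being blocked, and the long-lived, previously seen PuTTY signer is allowed. Wire the verdicts into the allowlisting or EDR policy you already run; the point is that the decision uses the product branding, certificate lifetime and signer history together, not the validity of the signature alone.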
Trusted Signatures No Longer Mean Safe
This example shows how cybercriminal operations are adopting service-based business models that provide other threat actors with tools designed to bypass security controls more efficiently.
Like ransomware-as-a-service and initial access brokers, malware-signing services lower the technical barriers for distributing malware that appears legitimate to security tools and operating systems.
The incident reinforces that digital signatures alone are no longer reliable indicators of trust as attackers continue abusing legitimate signing infrastructure.
As trusted digital signatures become easier for attackers to abuse, organizations are turning to zero trust solutions to help continuously verify users, devices, and applications.
