Microsoft Disrupts Fox Tempest Malware-Signing Service Used in Ransomware Attacks

Microsoft has disrupted a cybercrime service that allegedly helped ransomware operators and other attackers make malware appear as verified software, the company said last week.

The operation, tracked by Microsoft as Fox Tempest, offered what the company described as a malware-signing-as-a-service business. The service let customers submit malicious files and receive signed binaries that appeared to come from a trusted source, increasing the odds that users, systems and security tools would treat them as legitimate.

For enterprise IT teams, the case highlights a difficult problem: Attackers are not just looking for vulnerabilities in software. They are also targeting the trust mechanisms organizations depend on to decide what software should run.

Microsoft said Fox Tempest abused Microsoft Artifact Signing to generate short-lived fraudulent code-signing certificates. Those certificates were valid for 72 hours, but that window was enough to help malware pass as legitimate software during delivery attempts. The company said it has revoked more than 1,000 code-signing certificates tied to the group.

The Microsoft Digital Crimes Unit also unsealed a legal case in the U.S. District Court for the Southern District of New York. As part of the disruption, Microsoft said it seized the signspace[.]cloud website, took hundreds of virtual machines offline and blocked access to a site hosting underlying code used in the operation.

Microsoft described Fox Tempest as a service provider for cybercriminals, not a group that typically breaks into networks itself. That matters because many cyberattacks now involve several different players. One group may get access to a network, another may deliver the malware and another may run the ransomware attack. Fox Tempest appears to have helped with one key piece of that chain: making malware look like trusted software.

Microsoft said Fox Tempest was a "vital operator" in the cybercrime ecosystem, enabling the distribution of malware families including Oyster, Lumma Stealer and Vidar, as well as ransomware tied to Rhysida and other groups.

The company also named Vanilla Tempest as a co-conspirator in the lawsuit. Microsoft said Vanilla Tempest used the service to distribute trojanized Microsoft Teams installers through paid ads and fake download pages. Users searching for Teams could be redirected to attacker-controlled sites, where the signed malware looked closer to the real thing.

That is the enterprise risk in plain terms. Employees are trained to look for trust signals. Attackers are learning how to manufacture them.

"Once signed, their malware appeared legitimate," Microsoft said. The company said that made malicious software more likely to be opened, allowed to run, or passed through security checks.

Microsoft said Fox Tempest had created more than 1,000 certificates and hundreds of Azure tenants and subscriptions to support the operation. It also said the group likely used stolen identities in the United States and Canada to pass identity validation steps needed to obtain signing credentials.

The service was not cheap. Microsoft said customers paid thousands of dollars to get malicious code signed, with pricing tiers listed at $5,000, $7,500 and $9,000. Higher-paying customers allegedly received priority in the queue.

The company said Fox Tempest later shifted tactics, moving in February to preconfigured virtual machines hosted by Cloudzy, a U.S.-based virtual private server provider. That move may have reduced friction for customers while giving Fox Tempest more control over the signing environment. Microsoft said it is working with Cloudzy, Resecurity, Europol's European Cybercrime Centre and the FBI on related disruption work.

Microsoft said the disruption will not end the threat on its own. These services can move quickly, and Fox Tempest has already tried to send customers to another signing service.

The goal is to slow attackers down. Signed malware can look trusted, making it harder for users and security tools to spot. Microsoft said this lets malware "hide in plain sight."

For IT teams, Microsoft recommends cloud-delivered antivirus protection, Safe Links and Safe Attachments in Defender for Office 365, tamper protection and attack surface reduction rules in Microsoft Defender XDR. Those steps will not stop every attack, but they can make signed malware harder to use at scale.
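As an added example, not part of the article or of any Microsoft tooling, the PowerShell below inventories the Authenticode signatures on binaries under a folder and flags signing certificates with an unusually short lifetime, the trait the article attributes to the abused 72-hour Artifact Signing certificates, along with chain and revocation status. The folder path and the three-day threshold are assumptions.

```powershell
# Added example, not Microsoft's or the article's code: inventory Authenticode
# signatures under a folder and flag short-lived signing certificates, since the
# article says the abused Artifact Signing certificates were valid for only 72 hours.
# The folder and the 3-day threshold are assumptions; adjust for your environment.
param(
    [string]$Path = 'C:\Quarantine\downloads',   # assumed folder to inspect
    [int]$MaxValidityDays = 3                    # 72 hours
)

$files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi

foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $cert = $sig.SignerCertificate
    if ($sig.Status -eq 'NotSigned' -or $null -eq $cert) { continue }

    # Leaf certificate lifetime. A short window is not proof of abuse (Artifact
    # Signing issues such certificates legitimately), but it is a useful pivot
    # when combined with an untrusted chain or a revocation.
    $lifetime = $cert.NotAfter - $cert.NotBefore

    # Build the chain with online revocation checking so certificates revoked
    # after a takedown show up. A timestamped signature can still validate if
    # the revocation date falls after the signing time, so report both.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null = $chain.Build($cert)
    $revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -match 'Revoked' })

    [pscustomobject]@{
        File        = $f.FullName
        Status      = $sig.Status              # Valid, NotTrusted, HashMismatch, ...
        Signer      = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        ValidDays   = [math]::Round($lifetime.TotalDays, 2)
        ShortLived  = ($lifetime.TotalDays -le $MaxValidityDays)
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        Revoked     = $revoked
    }
}
```

Pipe the output through `Where-Object { $_.ShortLived -or $_.Revoked -or $_.Status -ne 'Valid' }` to list only the files that warrant a closer look, and compare the Signer and Thumbprint fields against the publishers you actually expect on those hosts.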

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
