Microsoft: Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware

Microsoft Disrupts Fox Tempest Cybercrime Operation Selling Code-Signing Certificates to Ransomware Gangs

Microsoft has seized websites and dismantled hundreds of virtual machines linked to Fox Tempest, a cybercrime service that sold fraudulent code-signing certificates to ransomware groups, enabling malware to bypass security checks by appearing as legitimate software. The operation, active since May 2025, exploited Microsoft’s Artifact Signing service by creating over 580 fake accounts under stolen identities to obtain and resell valid certificates.

Among Fox Tempest’s customers was the ransomware group Vanilla Tempest (also known as Vice Spider, Vice Society, and Rhysida), which used the certificates to sign malware including the Oyster backdoor, the Lumma and Vidar infostealers, and Rhysida ransomware, facilitating unauthorized access, data theft, and extortion. Microsoft’s investigation also tied the operation to other ransomware affiliates, such as INC, Qilin, and Akira.

Between February and March 2025, Microsoft’s Digital Crimes Unit (DCU) conducted undercover test purchases, posing as a buyer to document the service’s operations. Prices ranged from $5,000 for standard certificates to $9,500 for expedited delivery, with payments processed via cryptocurrency. The DCU traced transactions to wallets controlled by the operators, identified in court documents as John Doe 1 and 2 (alias SamCodeSign).

The impact was widespread: Microsoft confirmed that thousands of machines in the U.S., including at least 12 of its own systems, were infected with malware signed using Fox Tempest’s certificates. The civil complaint, unsealed on Tuesday, describes ongoing criminal activity, including unauthorized access, data exfiltration, and ransomware deployment.

Source: https://www.theregister.com/security/2026/05/19/microsoft-disrupts-alleged-malware-signing-operation-used-by-ransomware-gangs/5243013

Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security

{
  "id": "MIC1779231548",
  "linkid": "microsoft-security",
  "type": "Cyber Attack",
  "date": "5/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Thousands of infected machines",
      "industry": "Software/Cloud Services",
      "location": "Global (U.S. primarily affected)",
      "name": "Microsoft",
      "size": "Large Enterprise",
      "type": "Technology Company"
    }
  ],
  "attack_vector": "Fraudulent code-signing certificates",
  "customer_advisories": "Users are urged to scan systems for malware signed with fraudulent certificates and update security protocols.",
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": ["Executables signed with fraudulent certificates"],
    "personally_identifiable_information": "Stolen identities used to create fake accounts",
    "sensitivity_of_data": "High (code-signing certificates, malware, PII used for fake accounts)",
    "type_of_data_compromised": ["Malware payloads", "Stolen identities"]
  },
  "date_detected": "2025-02-01",
  "date_publicly_disclosed": "2025-03-05",
  "description": "Microsoft has seized websites and dismantled hundreds of virtual machines linked to Fox Tempest, a cybercrime service that sold fraudulent code-signing certificates to ransomware groups, enabling malware to bypass security checks by appearing as legitimate software. The operation exploited Microsoft’s Artifact Signing service by creating over 580 fake accounts under stolen identities to obtain and resell valid certificates. Customers included ransomware groups like Vanilla Tempest, which used the certificates to sign malware such as the Oyster backdoor, Lumma and Vidar infostealers, and Rhysida ransomware.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to abuse of Microsoft's services",
    "data_compromised": "Malware-signed data (Oyster backdoor, Lumma/Vidar infostealers, Rhysida ransomware)",
    "identity_theft_risk": "Stolen identities used to create fake accounts",
    "operational_impact": "Unauthorized access, data theft, and ransomware deployment",
    "systems_affected": "Thousands of infected machines in the U.S., including at least 12 Microsoft systems"
  },
  "initial_access_broker": {
    "backdoors_established": "Oyster backdoor, Lumma/Vidar infostealers",
    "entry_point": "Fraudulent code-signing certificates",
    "high_value_targets": "Ransomware affiliates (Vanilla Tempest, INC, Qilin, Akira)"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Need for stricter identity verification in code-signing services; enhanced monitoring of high-risk account activity.",
  "motivation": ["Financial gain", "Ransomware deployment", "Data exfiltration"],
  "post_incident_analysis": {
    "corrective_actions": "Disruption of Fox Tempest operations, revocation of fraudulent certificates, legal action",
    "root_causes": "Exploitation of Microsoft’s Artifact Signing service via stolen identities; lack of stringent identity verification"
  },
  "ransomware": {
    "data_encryption": true,
    "data_exfiltration": true,
    "ransomware_strain": ["Rhysida", "Other strains deployed by affiliates"]
  },
  "recommendations": [
    "Implement multi-factor authentication for code-signing services",
    "Enhance anomaly detection for account creation and certificate issuance",
    "Collaborate with law enforcement to track cryptocurrency transactions linked to cybercrime"
  ],
  "references": [
    {"date_accessed": "2025-03-05", "source": "Microsoft Digital Crimes Unit (DCU)"}
  ],
  "regulatory_compliance": {"legal_actions": "Civil complaint filed by Microsoft"},
  "response": {
    "communication_strategy": "Public disclosure via unsealed civil complaint",
    "containment_measures": "Seizure of websites, dismantling of virtual machines, civil complaint filed",
    "incident_response_plan_activated": true,
    "remediation_measures": "Disruption of Fox Tempest operations, revocation of fraudulent certificates"
  },
  "stakeholder_advisories": "Microsoft has advised customers to revoke any certificates obtained from untrusted sources and monitor for signed malware.",
  "threat_actor": ["Fox Tempest", "Vanilla Tempest (Vice Spider, Vice Society, Rhysida)", "INC", "Qilin", "Akira"],
  "title": "Microsoft Disrupts Fox Tempest Cybercrime Operation Selling Code-Signing Certificates to Ransomware Gangs",
  "type": "Cybercrime Operation Disruption",
  "vulnerability_exploited": "Microsoft Artifact Signing service abuse"
}