Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service Operation
Microsoft has dismantled Fox Tempest, a sophisticated malware-signing-as-a-service (MSaaS) operation that enabled cybercriminals to bypass security defenses by making malicious software appear legitimate. The takedown, revealed in a U.S. District Court filing on Tuesday, targeted a service active since May 2025 that weaponized Microsoft’s Artifact Signing system, which is designed to verify software authenticity, to distribute malware and ransomware.
Cybercriminals, including affiliates of Rhysida, INC, Qilin, and Akira, used Fox Tempest to obtain fraudulent code-signing certificates that allowed their malware to evade detection. The service provided short-lived certificates that mimicked trusted software such as AnyDesk, Teams, Putty, and Webex, tricking users and security tools into executing malicious payloads. Microsoft’s investigation found that the group created over 1,000 certificates and established hundreds of Azure tenants to support its operations.
The disruption included seizing Fox Tempest’s website, taking down virtual machines, and revoking compromised certificates. Evidence showed cybercriminals complaining about the takedown, with some ransomware affiliates losing access to critical attack tools. Microsoft’s Digital Crimes Unit linked the service to the distribution of malware families such as Oyster, Lumma Stealer, and Vidar, delivered via malicious ads and fake download sites.
Fox Tempest operated as a well-resourced criminal enterprise, with dedicated teams for infrastructure, customer support, and financial transactions. Cryptocurrency analysis revealed the group earned millions of dollars from ransomware affiliates, with attacks targeting organizations in the U.S., China, France, and India. Unlike lower-cost cybercrime services, Fox Tempest charged thousands per operation, reflecting the growing sophistication of the cybercriminal ecosystem.
The takedown highlights how code-signing abuse undermines trust in digital security, allowing attackers to bypass defenses by masquerading as legitimate software. Microsoft’s actions aim to increase the cost of cybercrime by disrupting critical infrastructure used in large-scale attacks.
Source: https://therecord.media/microsoft-disrupts-fox-tempest-malware-signing-service
AnyDesk TPRM report: https://www.rankiteo.com/company/anydesk-software-gmbh
Putty TPRM report: https://www.rankiteo.com/company/putty-technology
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security
Webex TPRM report: https://www.rankiteo.com/company/webex
{
"id": "putwebanymic1779215753",
"linkid": "putty-technology, webex, anydesk-software-gmbh, microsoft-security",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Software & Cloud Services',
'location': 'Global',
'name': 'Microsoft',
'size': 'Large Enterprise',
'type': 'Technology Company'},
{'location': ['U.S.', 'China', 'France', 'India'],
'type': 'Organizations'}],
'attack_vector': ['Fraudulent code-signing certificates',
'Malicious ads',
'Fake download sites'],
'date_publicly_disclosed': '2025-05-06',
'description': 'Microsoft has dismantled Fox Tempest, a sophisticated '
'malware-signing-as-a-service (MSaaS) operation that enabled '
'cybercriminals to bypass security defenses by making '
'malicious software appear legitimate. The takedown targeted a '
'service active since May 2025 that weaponized Microsoft’s '
'Artifact Signing system to distribute malware and ransomware. '
'Cybercriminals used Fox Tempest to obtain fraudulent '
'code-signing certificates, allowing malware to evade '
'detection by mimicking trusted software like AnyDesk, Teams, '
'Putty, and Webex.',
'impact': {'brand_reputation_impact': 'Undermines trust in digital security '
'and code-signing systems',
'financial_loss': 'Millions of dollars earned by Fox Tempest',
'operational_impact': 'Disruption of ransomware and malware '
'distribution operations'},
'investigation_status': 'Disrupted',
'lessons_learned': 'Code-signing abuse undermines trust in digital security, '
'allowing attackers to bypass defenses by masquerading as '
'legitimate software.',
'motivation': ['Financial gain', 'Cybercrime enablement'],
'post_incident_analysis': {'corrective_actions': ['Seizure of infrastructure',
'Revocation of compromised '
'certificates'],
'root_causes': 'Abuse of Microsoft’s Artifact '
'Signing system to distribute '
'fraudulent code-signing '
'certificates'},
'ransomware': {'ransomware_strain': ['Rhysida', 'INC', 'Qilin', 'Akira']},
'recommendations': 'Increase the cost of cybercrime by disrupting critical '
'infrastructure used in large-scale attacks.',
'references': [{'source': 'Microsoft Digital Crimes Unit'}],
'regulatory_compliance': {'legal_actions': 'U.S. District Court filing'},
'response': {'containment_measures': ['Seizing Fox Tempest’s website',
'Taking down virtual machines',
'Revoking compromised certificates'],
'incident_response_plan_activated': 'Yes'},
'threat_actor': 'Fox Tempest',
'title': 'Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service '
'Operation',
'type': 'Malware-Signing-as-a-Service (MSaaS) Disruption',
'vulnerability_exploited': 'Abuse of Microsoft’s Artifact Signing system'}