EXECUTIVE SUMMARY
Fox Tempest is a financially motivated threat actor that operates a malware-signing-as-a-service (MSaaS) used by other cybercriminals to distribute malicious code, including ransomware, more effectively. The threat actor abuses Microsoft Artifact Signing to generate short-lived, fraudulent code-signing certificates so that its customers' malware appears legitimately signed and evades security controls that trust signed binaries. Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations; Microsoft has revoked over one thousand code-signing certificates attributed to the actor. Fox Tempest's operations enable the deployment of Rhysida ransomware by threat actors such as Vanilla Tempest, as well as the distribution of other malware families, including Oyster, Lumma Stealer, and Vidar.
Fox Tempest's MSaaS operation works by letting other threat actors upload their malicious files to be signed with Fox Tempest-controlled certificates. The threat actor provides pre-configured virtual machines (VMs) hosted on the infrastructure of Cloudzy, a US-based virtual private server provider, so customers upload their files directly into Fox Tempest-controlled environments and receive signed binaries in return. Hosting the signing pipeline on these VMs reduces friction for customers, improves operational security for Fox Tempest, and streamlines the delivery of signed, trusted-looking malware at scale. Microsoft's Digital Crimes Unit (DCU) disrupted this infrastructure and continues to partner with Cloudzy to identify and disrupt related infrastructure.
Fox Tempest's operations matter to organisations because they enable the delivery of trusted, signed malware across the cybercrime ecosystem. The actor's use of short-lived certificates from a trusted issuer lets malware and ransomware masquerade as legitimate software, significantly increasing the likelihood that it is delivered and executed. A valid Authenticode signature is evidence of who signed a file, not of benign intent, so defenders should not treat the mere presence of a signature from a trusted chain as an allow signal; signer identity, certificate validity window, revocation status and file reputation all need to be weighed. Organisations should defend against Fox Tempest-enabled attacks by turning on cloud-delivered protection in their antivirus product, turning on Safe Links and Safe Attachments in Microsoft Defender for Office 365, and encouraging users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen. Organisations should also turn on tenant-wide tamper protection to prevent attackers from stopping security services or adding antivirus exclusions.
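As an added example that is not part of the Microsoft or CSO reporting cited below, the following PowerShell hunt inspects the Authenticode signer on executables under a directory, flags signer certificates with an unusually short validity window (the characteristic of the short-lived Microsoft Artifact Signing certificates Fox Tempest abused), and rebuilds each certificate chain with online revocation checking so that files signed with since-revoked certificates stand out. The scan root, the file extensions, the 7-day threshold and the function name Get-SignerReport are assumptions chosen for illustration, not values from the reports.

```powershell
# Added example for this page, not Microsoft's tooling. Hunts for binaries whose
# Authenticode signer certificate was valid only briefly and rebuilds the chain with
# online revocation checking so revoked signers are surfaced.
param(
    [string]$Root = "$env:USERPROFILE\Downloads",   # assumed scan root
    [int]$MaxValidityDays = 7                       # assumed threshold for "short-lived"
)

function Get-SignerReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return $null }

    $cert = $sig.SignerCertificate
    $validityDays = ($cert.NotAfter - $cert.NotBefore).TotalDays

    # Rebuild the chain with revocation checking across the whole chain. The chain is
    # evaluated at the last second of the certificate's own validity so that ordinary
    # expiry of a short-lived certificate does not mask a 'Revoked' status.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationTime = $cert.NotAfter.AddSeconds(-1)
    $null = $chain.Build($cert)
    $chainStatus = if ($chain.ChainStatus.Count -eq 0) { 'OK' } else { ($chain.ChainStatus.Status -join ',') }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotBefore       = $cert.NotBefore
        NotAfter        = $cert.NotAfter
        ValidityDays    = [math]::Round($validityDays, 1)
        ShortLived      = $validityDays -le $MaxValidityDays
        ChainStatus     = $chainStatus
        Timestamped     = [bool]$sig.TimeStamperCertificate
    }
}

# Collect signer details for every signed PE/MSI under the scan root.
$results = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.msi, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignerReport -Path $_.FullName } |
    Where-Object { $_ }

# Short-lived signers and anything whose chain no longer validates are the review queue.
$results |
    Where-Object { $_.ShortLived -or $_.ChainStatus -ne 'OK' } |
    Sort-Object ValidityDays |
    Format-Table Path, SignatureStatus, ValidityDays, ChainStatus, Issuer -AutoSize
```

Run it from a PowerShell 5.1 or 7 session with network access so CRL and OCSP lookups succeed. A short validity window on its own is not proof of malice: legitimate Microsoft Artifact Signing customers receive the same short-lived certificates, so use the output to prioritise review alongside the signer subject, the issuer chain and file reputation. Revocation data for long-expired certificates can age out of CRLs, so a chain status of OK is a weak negative, not clearance.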
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Resource Development | T1583.003 | Acquire Infrastructure | Virtual Private Server |
| Initial Access | T1189 | Drive-by Compromise | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1136.001 | Create Account | Local Account |
| Defense Evasion | T1553.002 | Subvert Trust Controls | Code Signing |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Initial Access | T1078.003 | Valid Accounts | Local Accounts |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Impact | T1486 | Data Encrypted for Impact | — |
REFERENCES:
The following reports contain further technical details:
https://www.csoonline.com/article/4173417/microsoft-disrupts-malware-code-signing-service-used-by-ransomware-gangs.html
https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/