Microsoft has disrupted a cybercrime service run by a threat actor it calls Fox Tempest, which operated a malware-signing-as-a-service (MSaaS) offering that abused Microsoft Artifact Signing to generate short-lived code-signing certificates used to sign malware and evade detection.
According to Microsoft, Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code-signing certificates attributed to Fox Tempest.
The actor has been tracked since September 2025, and its MSaaS has been used by several ransomware groups, including Vanilla Tempest, to deliver ransomware such as Rhysida, Inc, Qilin, and Akira, and to distribute other malware families such as Lumma Stealer, Oyster and Vidar. The downstream impact has affected a broad range of sectors, including healthcare, education, government and financial services, across the United States, France, India and China.
The service reportedly cost thousands of dollars, and Microsoft believes the actor made millions. In response, Microsoft seized core infrastructure, removed fraudulent accounts and strengthened verification processes, and filed a lawsuit targeting Fox Tempest and Vanilla Tempest.

According to Microsoft, 19 May 2026.