FOX Tempest is a financially motivated threat actor that operates a malware-signing-as-a-service (MSaaS) used by other cybercriminals to distribute malicious code, including ransomware, by fraudulently signing it to appear legitimate. The operation has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its activities, with Microsoft revoking more than one thousand code signing certificates attributed to Fox Tempest.
In May 2026, according to Microsoft Threat Intelligence, the Digital Crimes Unit disrupted Fox Tempest’s MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use, after the MSaaS shifted to pre-configured virtual machines hosted on Cloudzy infrastructure to reduce friction for customers.
Customers could upload files to Fox Tempest‑provided VM environments and receive signed binaries in return, with pricing via a Google Form offering plans at $5,000, $7,500 or $9,000 USD and a queue system for access. Fox Tempest also operated a Telegram channel for direct customer contact, and has enabled other threat actors such as Vanilla Tempest to deploy signed payloads like the Oyster backdoor.