securityaffairs.com 5/19/2026, 6:30:50 PM · via preferred

Microsoft Disrupts Fox Tempest Malware Signing Service Worldwide

Primary source: microsoft.com
Threat actor: Fox Tempest

Microsoft disrupted Fox Tempest, a malware-signing-as-a-service operation that allowed threat actors to sign malicious software with short-lived certificates to appear legitimate.

The group provided infrastructure and services rather than conducting direct attacks. Microsoft Threat Intelligence researchers pointed out that Fox Tempest operated through signspace[.]cloud and managed customers via a Telegram presence; pre-configured virtual machines hosted on third-party infrastructure were introduced in February 2026 to streamline signing.

In May 2026, Microsoft’s Digital Crimes Unit dismantled the operation, seizing infrastructure, pulling fraudulent accounts, and pursuing a lawsuit against Fox Tempest and Vanilla Tempest to justify takedowns of domains and third‑party providers. The service allegedly created over 1,000 certificates and revoked more than 1,000 code-signing certificates; it also linked to hundreds of Azure tenants and subscriptions to support its activities, and charged between $5,000 and $9,000 for access.

The certificates were used to distribute malware such as Rhysida, Oyster, Lumma Stealer, and Vidar, enabling adversaries to deliver malware at scale, with attacks touching sectors including healthcare, education, government and financial services across the United States, France, India and China.

Article by CyberSIXT