Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service Operation Microsoft has dismantled Fox Tempest, a sophisticated malware-signing-as-a-service (MSaaS) operation that enabled cybercriminals to bypass security defenses by making malicious software appear legitimate. The takedown, revealed in a U.S. District Court filing on Tuesday, targeted a service active since May 2025 that weaponized Microsoft’s Artifact Signing system designed to verify software authenticity to distribute malware and ransomware. Cybercriminals, including affiliates of Rhysida, INC, Qilin, and Akira, used Fox Tempest to obtain fraudulent code-signing certificates, allowing malware to evade detection. The service provided short-lived certificates that mimicked trusted software like AnyDesk, Teams, Putty, and Webex, tricking users and security tools into executing malicious payloads. Microsoft’s investigation found that the group created over 1,000 certificates and established hundreds of Azure tenants to support its operations. The disruption included seizing Fox Tempest’s website, taking down virtual machines, and revoking compromised certificates. Evidence showed cybercriminals complaining about the takedown, with some ransomware affiliates losing access to critical attack tools. Microsoft’s Digital Crimes Unit linked the service to the distribution of malware families such as Oyster, Lumma Stealer, and Vidar, delivered via malicious ads and fake download sites. Fox Tempest operated as a well-resourced criminal enterprise, with dedicated teams for infrastructure, customer support, and financial transactions. Cryptocurrency analysis revealed the group earned millions of dollars from ransomware affiliates, with attacks targeting organizations in the U.S., China, France, and India. Unlike lower-cost cybercrime services, Fox Tempest charged thousands per operation, reflecting the growing sophistication of the cybercriminal ecosystem. The takedown highlights how code-signing abuse undermines trust in digital security, allowing attackers to bypass defenses by masquerading as legitimate software. Microsoft’s actions aim to increase the cost of cybercrime by disrupting critical infrastructure used in large-scale attacks.