Fox Tempest
Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) platform since at least May 2025. Microsoft describes it as an upstream enabler in the malware and ransomware supply chain rather than a group primarily conducting direct intrusions.
The actor abused Microsoft Artifact Signing (formerly Azure Trusted Signing) to fraudulently obtain short-lived code-signing certificates, typically valid for about 72 hours, and used them to sign malicious binaries so they appeared legitimate to users, Windows, and security controls. Fox Tempest operated the signspace[.]cloud platform, where customers could upload malicious files and receive signed binaries, and later expanded to pre-configured third-party-hosted virtual machines, including Cloudzy-hosted infrastructure, to streamline signing operations. Microsoft reported that the operation created more than 1,000 fraudulent certificates and hundreds of Azure tenants, subscriptions, and accounts, and likely relied on stolen or fabricated identities, including identities from the United States and Canada, to pass verification requirements.
Microsoft linked Fox Tempest-signed activity to malware and ransomware including Oyster, Lumma Stealer, Vidar, Rhysida, Akira, INC, Qilin, and BlackByte. The service was used by other threat actors and affiliates including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249; Microsoft’s legal action named Vanilla Tempest as a co-conspirator. Signed malware was observed masquerading as trusted software such as Microsoft Teams, AnyDesk, PuTTY, and Webex, and distribution methods included malvertising, SEO poisoning, fake download pages, search manipulation, and malicious advertisements. Microsoft reported downstream victimization across healthcare, education, government, and financial services organizations globally, including organizations in the United States, France, India, and China.
Fox Tempest marketed its service through Telegram, including the channel "EV Certs for Sale by SamCodeSign," and charged thousands of dollars in Bitcoin, with reported pricing ranging from $5,000 to $9,000 or higher-tier expedited options. Microsoft assessed the operation as sophisticated, well-resourced, and generating millions of dollars in revenue.
In May 2026, Microsoft’s Digital Crimes Unit, with support from partners including Resecurity, Europol EC3, and the FBI, disrupted the operation by seizing signspace[.]cloud, taking offline hundreds of virtual machines, blocking access to supporting infrastructure, revoking more than 1,000 certificates, and pursuing legal action in the U.S. District Court for the Southern District of New York.
Known alias: fox_tempest.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇨🇦 Canada
Tradecraft
17 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Observables
6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
16 sources tracked across advisories, community write-ups, and news.
Operated a malware-signing-as-a-service operation that abused Microsoft's Azure Artifact Signing platform to generate fraudulent code-signing certificates for malware and ransomware campaigns.
Financially motivated threat actor operating a malware-signing-as-a-service capability that abused Microsoft Artifact Signing to obtain fraudulent code-signing certificates and digitally sign malware for other cybercriminals.
Operated the signspace[.]cloud malware-signing-as-a-service platform, abusing Microsoft Artifact Signing/Azure Trusted Signing to issue short-lived fraudulent code-signing certificates that made malware appear legitimate and helped customers evade Windows and security protections.
Operated a malware-signing-as-a-service that digitally signed malicious files with short-lived Microsoft-issued certificates so malware appeared legitimate and could evade security checks. The signed files were used to distribute ransomware and infostealers, including installers masquerading as AnyDesk, Teams, PuTTY, and Webex.