- Microsoft disrupts Fox Tempest operation that abused Azure Artifact Signing to issue fraudulent code signing certificates
- The group created more than 1,000 certificates and hundreds of Azure tenants, allowing malware campaigns to bypass security controls.
- Legal action was initiated against Fox Tempest and Vanilla Tempest, whose services supported the widespread distribution of malware and ransomware.
Microsoft has taken down a malicious service that offered code signing certificates to hackers and has launched legal action against the perpetrators of the operation.
In its report, the company said that a threat actor known as Fox Tempest used Azure Artifact Signing to create short-lived certificates. These certificates allowed malware to be signed as if it were legitimate software, bypassing antivirus protections and compromising victims’ devices.
To access the service, the criminals allegedly used different identities stolen from people in the United States and Canada. To minimize the chances of being discovered, they created certificates that were only valid for 72 hours. However, over the course of the operation, the attackers created more than 1,000 certificates, as well as hundreds of Azure tenants and subscriptions.
High profile clients
“Fox Tempest has created more than a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked more than a thousand code signing certificates attributed to Fox Tempest,” Microsoft said in the report.
“In May 2026, Microsoft’s Digital Crimes Unit (DCU), with support from industry partners, disrupted Fox Tempest’s MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use.”
As part of the takedown effort, Microsoft took over the signage space.[dot]com, as well as hundreds of virtual machines. It also blocked access to the infrastructure that hosted the entire service.
BleepingComputer notes that some of the largest malware and ransomware campaigns used Fox Tempest services, including LummaStealer, Vidar, Qilin, BlackByte, and Akira. It added that Vanilla Tempest was named a co-conspirator in the legal action, as it allegedly distributed both malware and ransomware.
Some of the fake apps that were distributed this way included Teams, AnyDesk, and Webex.
“When unsuspecting victims ran the Microsoft Teams installation files under fake names, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed the Rhysida ransomware,” Microsoft explained.
“Because the Oyster malware was signed using a certificate from Microsoft’s Artifact Signing service, the Windows operating system initially recognized the malware as legitimate software, when it would otherwise be flagged as suspicious or blocked entirely by the Windows operating system’s security controls.”





