Microsoft has unsealed a legal action in the US District Court for the Southern District of New York targeting Fox Tempest, a malware-signing-as-a-service (MSaaS) operation that fraudulently abused code-signing infrastructure, including Microsoft's Artifact Signing system, to disguise ransomware and infostealers as legitimate, "verified" software. Active since May 2025, the service infected thousands of machines worldwide and powered intrusions tied to Vanilla Tempest, Rhysida, INC, Qilin, Akira, and other ransomware affiliates.
What Happened
According to Microsoft's filing, Fox Tempest operated as a commercial enabler within the broader cybercrime ecosystem, selling fraudulent code-signing services to ransomware operators and malware distributors. The operators gained illicit access to legitimate signing tools and used them to sign malicious payloads with trust markers that endpoint defenses, browsers, and operating systems treat as authoritative. Microsoft executed a coordinated takedown that seized the service's primary domain, signspace[.]cloud, took hundreds of virtual machines running the operation offline, and blocked access to the repository hosting the underlying tooling. Microsoft's Digital Crimes Unit also accelerated revocation of fraudulently obtained certificates and pushed new detection logic into Defender and Artifact Signing to identify signing requests consistent with the actor's tradecraft. According to Microsoft, chatter on criminal forums already reflects operational degradation, with affiliates reporting they cannot reach the service.
What Was Taken
This action centers on infrastructure disruption rather than a single victim breach, but the downstream damage from Fox Tempest customers has been substantial. Affiliates running malware signed through the service deployed Oyster, Lumma Stealer, and Vidar, all of which harvest credentials, session cookies, cryptocurrency wallets, and authentication tokens at scale. Rhysida, the ransomware most prominently linked to Vanilla Tempest's use of the service, performs double extortion by exfiltrating internal documents before encryption. Prior Rhysida campaigns have leaked internal records from the British Library and disrupted operations at Seattle-Tacoma International Airport. Schools, hospitals, and other critical-infrastructure organizations are named in the complaint as victims of the customer base.
Why It Matters
Fox Tempest represents a structural shift in the cybercrime supply chain. Rather than each ransomware crew building its own evasion toolkit, specialized vendors now sell discrete capabilities (signing, loading, initial access) on a service model. Code signing is one of the most load-bearing trust primitives in modern operating systems: a signed binary bypasses SmartScreen warnings, defeats many application-control policies, and earns implicit trust from EDR heuristics that weight reputation. When the signing layer itself becomes a commodity criminal service, the assumption that "verified equals safe" collapses for defenders relying on signature-based allowlisting. The case is also notable as Microsoft's first public legal action against an enabler in the cybercrime stack rather than against a specific ransomware crew, signaling a shift toward dismantling shared infrastructure that multiple groups depend on.
The Attack Technique
Fox Tempest's tradecraft combined credential abuse against signing portals with automation that issued certificates or signed artifacts at the request of paying affiliates. Customers submitted malware payloads, including Oyster loaders, Lumma Stealer, Vidar, and Rhysida ransomware binaries, and received back signed versions that appeared legitimate to Windows trust mechanisms. The signed binaries were then distributed through SEO-poisoned downloads, malvertising for fake software installers, and phishing chains that abused brand impersonation. Because the resulting files carried valid signatures at the moment of execution, they frequently survived initial endpoint inspection and gained the elevated trust posture needed for follow-on payloads, lateral movement, and ransomware deployment by Vanilla Tempest and other affiliates.
What Organizations Should Do
- Stop treating valid Authenticode signatures as a primary trust signal. Pair signature checks with publisher reputation, prevalence, and behavioral telemetry rather than allowlisting on signing certificate alone.
- Audit application-control policies (WDAC, AppLocker) that permit execution based on signer identity, and tighten rules to require specific publisher plus product combinations rather than any signed binary.
- Hunt for recent execution of binaries signed by certificates revoked in the past 30 days, and prioritize alerts on signed-but-unprevalent executables landing on endpoints.
- Block the malware families tied to Fox Tempest customers (Oyster, Lumma Stealer, Vidar, and Rhysida) at the network and endpoint layer, and review identity logs for the credential-theft patterns characteristic of Lumma and Vidar.
- Restrict end-user installation of unsigned and newly signed software via Smart App Control or equivalent, and route exceptions through a review queue.
- For organizations that ship signed software, enforce hardware-backed key storage, multi-party approval for signing operations, and continuous monitoring of signing events to detect abuse of your own certificates.
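The hunt described in the list above (recent executions of binaries signed by certificates revoked in the last 30 days, plus signed-but-unprevalent executables) can be expressed as two simple rules over endpoint execution telemetry. The following Python is an added illustration, not code from Microsoft's filing or from this article. The pipe-delimited log format, the host names, hashes, signer names, certificate thumbprints and revocation dates are all constructed sample data; in practice the events would come from an EDR export and the revocation list from a CRL, OCSP responses or a vendor feed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ExecEvent:
    """One process-execution record with its Authenticode metadata."""
    ts: datetime
    host: str
    path: str
    sha256: str
    signed: bool
    signer: str
    thumbprint: str


def parse_line(line: str) -> ExecEvent:
    """Parse a constructed record: timestamp|host|path|sha256|signed|signer|thumbprint."""
    ts, host, path, sha256, signed, signer, thumb = line.strip().split("|")
    return ExecEvent(datetime.fromisoformat(ts), host, path, sha256,
                     signed == "signed", signer, thumb)


def load_events(log_text: str) -> list[ExecEvent]:
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


# Constructed telemetry: H1 is a "signed" installer on two workstations, H2 a
# widely prevalent OS binary, H3 unsigned, H4 a one-off signed temp-file binary.
SAMPLE_LOG = r"""
2025-09-14T08:01:00|ws-01|C:\Users\amy\Downloads\setup_pro.exe|H1|signed|Contoso Tools LLC|AAAA1111
2025-09-14T09:12:00|ws-02|C:\Users\bob\Downloads\setup_pro.exe|H1|signed|Contoso Tools LLC|AAAA1111
2025-09-14T10:00:00|ws-01|C:\Windows\System32\notepad.exe|H2|signed|Microsoft Windows|CCCC3333
2025-09-14T10:00:00|ws-02|C:\Windows\System32\notepad.exe|H2|signed|Microsoft Windows|CCCC3333
2025-09-14T10:00:00|ws-03|C:\Windows\System32\notepad.exe|H2|signed|Microsoft Windows|CCCC3333
2025-09-14T10:00:00|ws-04|C:\Windows\System32\notepad.exe|H2|signed|Microsoft Windows|CCCC3333
2025-09-14T11:30:00|ws-03|C:\Temp\tool.exe|H3|unsigned||
2025-09-14T12:45:00|ws-05|C:\Users\cy\AppData\Local\Temp\upd.exe|H4|signed|Fabrikam Soft|BBBB2222
"""

# Constructed revocation feed: certificate thumbprint -> time of revocation.
REVOKED = {
    "AAAA1111": datetime(2025, 9, 10),  # revoked 5 days before NOW (inside window)
    "BBBB2222": datetime(2024, 1, 5),   # old revocation, outside the 30-day window
}
NOW = datetime(2025, 9, 15)


def hunt(events, revoked, now, window_days=30, prevalence_threshold=3):
    """Return findings for the two rules recommended above.

    Rule 1 fires per execution of a binary whose signing certificate was
    revoked within the window, whether the run happened before or after
    revocation (the signature was valid at execution time, which is exactly
    the Fox Tempest pattern). Rule 2 fires once per signed binary seen on
    fewer than prevalence_threshold distinct hosts.
    """
    findings = []
    cutoff = now - timedelta(days=window_days)

    for ev in events:
        revoked_at = revoked.get(ev.thumbprint)
        if ev.signed and revoked_at is not None and revoked_at >= cutoff:
            findings.append({"rule": "revoked_cert_recent", "host": ev.host,
                             "sha256": ev.sha256, "signer": ev.signer,
                             "thumbprint": ev.thumbprint, "path": ev.path})

    hosts_by_hash = defaultdict(set)
    signer_by_hash = {}
    for ev in events:
        if ev.signed:
            hosts_by_hash[ev.sha256].add(ev.host)
            signer_by_hash[ev.sha256] = ev.signer
    for sha, hosts in hosts_by_hash.items():
        if len(hosts) < prevalence_threshold:
            findings.append({"rule": "low_prevalence_signed", "sha256": sha,
                             "signer": signer_by_hash[sha],
                             "hosts": sorted(hosts)})
    return findings


def run_sample():
    return hunt(load_events(SAMPLE_LOG), REVOKED, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The prevalence rule deliberately ignores the signer's name: a certificate issued or abused through a service like Fox Tempest looks just as "valid" as any other, so rarity on the fleet, not signature state, is what earns the alert. Tune `prevalence_threshold` and `window_days` to your fleet size and revocation-feed latency.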