Become a TechRadar Insider
- Microsoft disrupts Fox Tempest operation which abused Azure Artifact Signing to issue fraudulent code‑signing certificates
- The group created over 1,000 certificates and hundreds of Azure tenants, enabling malware campaigns to bypass security controls
- Legal action was launched against Fox Tempest and Vanilla Tempest, whose services supported major malware and ransomware distribution
Microsoft has taken down a malicious service that offered digitally signed certificates to hackers, and has launched a legal case against the operation’s perpetrators.
In its report the company said a threat actor known as Fox Tempest used Azure Artifact Signing to create temporary certificates. These certificates allowed malware to be signed as legitimate software, bypassing antivirus protections and compromising victim devices.
To access the service, the miscreants allegedly used different identities, stolen from people in the United States and Canada. To minimize the chances of being spotted, they created certificates that were only valid for 72 hours - however, during their work, the attackers created more than 1,000 certificates, as well as hundreds of Azure tenants and subscriptions.
High-profile customers
"Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest," Microsoft said in the report.
"In May 2026, Microsoft's Digital Crimes Unit (DCU), with support from industry partners, disrupted Fox Tempest's MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use."
As part of the takedown effort, Microsoft seized the signspace[dot]com domain, as well as hundreds of virtual machines. It also blocked access to infrastructure that hosted the entire service.
BleepingComputer notes some of the biggest malware and ransomware campaigns used Fox Tempest’s services, including LummaStealer, Vidar, Qilin, BlackByte, and Akira. Vanilla Tempest was named as a co-conspirator in the legal action, it was further stated, since it allegedly distributed both malware and ransomware.
Some of the fake apps being distributed this way included Teams, AnyDesk, and Webex.
"When unsuspecting victims executed the falsely named Microsoft Teams installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware," Microsoft explained.
“Because the Oyster malware was signed by a certificate from Microsoft's Artifact Signing service, the Windows operating system initially recognized the malware as legitimate software, when it would otherwise be flagged as suspicious or blocked entirely by security controls in the Windows operating system."
➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.