Resecurity and Microsoft Collaborate to Target Fox Tempest

Resecurity supported Microsoft’s Digital Crimes Unit (DCU) in its disruption of Fox Tempest, a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) capability used by cybercriminals to make malicious files appear legitimate.

On May 19, 2026, Microsoft unsealed a legal case in the U.S. District Court for the Southern District of New York targeting Fox Tempest, a cybercrime service that abused Microsoft Artifact Signing to obtain fraudulent code-signing certificates. According to Microsoft, the service enabled cybercriminals to disguise malware as trusted software, improving the likelihood that malicious files would bypass security controls and be executed by victims.

As part of the disruption, Microsoft seized the Fox Tempest website signspace[.]cloud, took offline hundreds of virtual machines used in the operation, blocked access to infrastructure hosting the underlying code, and revoked more than 1,000 code-signing certificates attributed to Fox Tempest.

Fox Tempest played an upstream role in the ransomware ecosystem. Rather than directly targeting victims, the group provided a specialized service that enabled other threat actors to digitally sign malware, improve the effectiveness of malicious distribution campaigns, and increase the perceived legitimacy of malicious software. Microsoft linked Fox Tempest-enabled activity to ransomware and malware operations involving Vanilla Tempest, Rhysida, Oyster, Lumma Stealer, Vidar, INC, Qilin, Akira, and other families or affiliates.

Resecurity collaborated with Microsoft DCU to help better understand how Fox Tempest operated. Microsoft also noted coordination with Europol’s European Cybercrime Centre (EC3) and the Federal Bureau of Investigation (FBI), underscoring the importance of public-private collaboration in disrupting cybercrime infrastructure.

The case highlights a broader shift in cybercrime: attackers increasingly rely on modular, commercialized services that remove friction from the attack chain. By weaponizing code signing, Fox Tempest helped make malicious software look trusted, reducing user suspicion and increasing the chances of successful compromise.

Disrupting these services upstream is critical. When malicious code-signing ecosystems are degraded, ransomware operators and malware distributors lose a key capability, attacks become harder to scale, and defenders gain more opportunity to stop threats before they reach victims.
