Ethical Hacking News
Microsoft has disrupted a malware-signing-as-a-service (MSaaS) network it tracks as Fox Tempest, which sold threat actors access to short-lived, Microsoft-issued code-signing certificates. The certificates were obtained fraudulently, but they were genuine and chained to a trusted root, so malware signed with them looked legitimate and slipped past security controls that treat validly signed code as trustworthy. This article summarizes what Microsoft disclosed about the operation and its reach.
In brief: Fox Tempest supplied fraudulently obtained but trusted code-signing certificates that let its customers sign malware and evade signature-based controls. Its customers used the service to distribute Rhysida ransomware, Oyster, Lumma Stealer, and Vidar. The group charged thousands of dollars for access. Microsoft's Digital Crimes Unit dismantled the operation, seizing infrastructure and revoking over 1,000 code-signing certificates. Victims of the signed malware spanned healthcare, education, government, and financial services.
Fox Tempest was a fully fledged service with identity verification for its customers, admin portals, and infrastructure built on Azure. It was marketed on Telegram, where channels advertised EV certificate access and buyers coordinated payments for signing. This centralized setup let Fox Tempest sign malware at scale while keeping its own operations relatively streamlined.
According to Microsoft, Fox Tempest was used by various threat actors to distribute Rhysida ransomware, Oyster, Lumma Stealer, and Vidar. The signed payloads were delivered through malvertising, SEO poisoning, and fake ads, so customers could distribute malware at scale without needing significant technical expertise of their own.
The group behind Fox Tempest created over 1,000 certificates and set up hundreds of Azure tenants and subscriptions to support its operations. It monetized the service by charging customers thousands of dollars for access, with higher tiers receiving priority access and dedicated virtual machines for signing malicious code.
Microsoft's Digital Crimes Unit, working with industry partners, dismantled the Fox Tempest operation by seizing its infrastructure and taking down the fraudulent accounts. Microsoft also revoked over 1,000 code-signing certificates linked to the group, a significant blow to the threat actors who depended on Fox Tempest for their campaigns.
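For defenders, the practical follow-up to a mass revocation is to find binaries in their own estate that were signed with certificates of this kind. The script below is an added example, not code from the article or from Microsoft: it walks common drop locations on a Windows host, reads each file's Authenticode signature with Get-AuthenticodeSignature, and reports files whose signer certificate had an unusually short validity window or now fails an online revocation check. The scan paths, the 30-day lifetime threshold and the file extensions are assumptions to be tuned to the environment; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the article or from Microsoft): triage signed PE files
# for short-lived or revoked signing certificates. $Paths, $MaxLifetimeDays and
# the extension list are assumptions; adjust them for the host being examined.
param(
    [string[]]$Paths = @("$env:ProgramData", "$env:TEMP", "$env:USERPROFILE\Downloads"),
    [int]$MaxLifetimeDays = 30
)

function Test-SuspiciousSigner {
    param([System.IO.FileInfo]$File, [int]$MaxDays)

    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return $null }

    $cert = $sig.SignerCertificate
    $lifetimeDays = ($cert.NotAfter - $cert.NotBefore).TotalDays

    # Re-check revocation online instead of trusting the cached result behind
    # $sig.Status. Expiry is ignored so that a short-lived certificate that has
    # already expired still gets its CRL/OCSP status looked up.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    $null = $chain.Build($cert)

    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $revoked = $status -match 'Revoked'
    $unknown = $status -match 'RevocationStatusUnknown|OfflineRevocation'

    if ($lifetimeDays -le $MaxDays -or $revoked -or $unknown) {
        [pscustomobject]@{
            File              = $File.FullName
            SigStatus         = $sig.Status
            Subject           = $cert.Subject
            Issuer            = $cert.Issuer
            NotBefore         = $cert.NotBefore
            NotAfter          = $cert.NotAfter
            LifetimeDays      = [math]::Round($lifetimeDays, 1)
            Revoked           = $revoked
            RevocationUnknown = $unknown
            TimestampedBy     = $sig.TimeStamperCertificate.Subject
            Thumbprint        = $cert.Thumbprint
        }
    }
}

Get-ChildItem -Path $Paths -Recurse -File -Include *.exe,*.dll,*.msi,*.sys -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousSigner -File $_ -MaxDays $MaxLifetimeDays } |
    Sort-Object LifetimeDays |
    Format-Table -AutoSize
```

Two points the output makes visible. First, SigStatus can still read Valid for a file whose certificate has since been revoked: Authenticode honours the timestamp countersignature, so a signature made before the revocation date can keep verifying, which is why the script performs its own online chain build and reports the revocation status separately. Second, a short LifetimeDays is a signal, not a verdict; legitimate short-lived signing exists, so the list is a triage queue for hash lookups and sandboxing, not a block list.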
Microsoft's Threat Intelligence researchers noted that Fox Tempest did not attack victims directly; it supplied the infrastructure and signing service that other ransomware and malware operations relied on. Microsoft linked it to several other tracked cybercrime groups, including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249.
Those actors used Fox Tempest-signed malware in real-world attacks across a broad range of sectors, including healthcare, education, government, and financial services. The impact was global, with affected organizations in the United States, France, India, and China among others.
The disruption of Fox Tempest is a significant result for Microsoft's anti-cybercrime efforts: taking down a shared signing service removes a capability from every group that bought it, not just one. It is also a reminder of what a code signature proves. A valid Authenticode signature establishes who signed a file, not that the file is safe; when the signer is a fraudulently obtained, short-lived certificate, the signature is part of the attack. Defenders should treat code signed with newly issued or short-lived certificates with the same scrutiny as unsigned code, and should confirm that their verification paths actually check revocation, since revoking 1,000 certificates only helps where that check is performed.
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Disrupts-Malware-Signing-as-a-Service-Network-Fox-Tempest-ehn.shtml
https://securityaffairs.com/192391/cyber-crime/microsoft-dismantled-malware-signing-network-fox-tempest.html
https://blogs.microsoft.com/on-the-issues/2026/05/19/disrupting-fox-tempest-a-cybercrime-service/
Published: Tue May 19 13:53:14 2026 by llama3.2 3B Q4_K_M