- Microsoft disrupts Operation Fox Tempest that abused Azure Artifact Signing to issue fraudulent code signing certificates
- The group created more than 1,000 certificates and hundreds of Azure tenants, allowing malware campaigns to bypass security controls.
- Legal action has been launched against Fox Tempest and Vanilla Tempest, whose services supported the distribution of significant malware and ransomware.
Microsoft has removed a malicious service that offered digitally signed certificates to hackers and has launched legal action against the perpetrators.
In its report, the company said a threat actor known as Fox Tempest used Azure Artifact Signing to create temporary certificates. These certificates allowed malware to be signed as legitimate software, bypassing antivirus protections and compromising victims’ devices.
To access the service, the criminals allegedly used different identities, stolen from people in the United States and Canada. To minimize the chances of detection, they created certificates that were only valid for 72 hours. However, during their work, the attackers created more than 1,000 certificates, as well as hundreds of Azure tenants and subscriptions.
Prestigious clients
“Fox Tempest has created more than a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked more than a thousand code signing certificates assigned to Fox Tempest,” Microsoft said in the report.
“In May 2026, Microsoft’s Digital Crimes Unit (DCU), with support from industry partners, disrupted Fox Tempest’s MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use.”
As part of the takedown effort, Microsoft seized signage space[dot]com, as well as hundreds of virtual machines. It also blocked access to the infrastructure that hosted the entire service.
BeepComputer notes that some of the largest malware and ransomware campaigns have used Fox Tempest’s services, including LummaStealer, Vidar, Qilin, BlackByte and Akira. Vanilla Tempest was named as a co-conspirator in the lawsuit, it was added, because it allegedly distributed both malware and ransomware.
Some of the fake apps distributed this way included Teams, AnyDesk and Webex.
“When unsuspecting victims ran the falsely named Microsoft Teams installation files, these files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed the Rhysida ransomware,” Microsoft explained.
“Because the Oyster malware was signed by a certificate from Microsoft’s Artifact Signing service, the Windows operating system initially recognized the malware as legitimate software, when it would otherwise have been flagged as suspicious or blocked entirely by the Windows operating system’s security controls.”
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
