
Microsoft's Digital Crimes Unit unsealed a civil lawsuit on May 19 in U.S. District Court for the Southern District of New York targeting Fox Tempest, a criminal operation that sold fraudulently signed malware to ransomware gangs as a subscription service — and whose customers went on to attack hospitals, schools, and critical infrastructure across ten countries.
The action is directly relevant to anyone who downloads software on Windows. Fox Tempest spent a year exploiting Microsoft's own Artifact Signing platform to generate short-lived, fraudulently obtained code-signing certificates. Those are the same signatures that Windows and enterprise security tools use to establish who published a binary and whether it has been altered since signing, and that many controls treat as a proxy for whether software is safe to run. By selling those certificates to ransomware operators for between $5,000 and $9,500 per engagement, Fox Tempest industrialized the most reliable path past Windows defenses: making malware look like legitimate software.
Criminal Marketplace Built Inside Microsoft's Own Infrastructure
Fox Tempest, active since at least May 2025, operated a portal at signspace[.]cloud with an authenticated dashboard and a drag-and-drop interface for uploading malicious files. Customers paid for code-signing engagements via a bilingual English-Russian form, received certificates valid for up to 72 hours, and could request priority queue access at the higher end of the service's price range. According to court documents, the group created more than 580 fraudulent Microsoft accounts by using fake identities and impersonating real organizations to pass identity verification for Artifact Signing.
The product was sophisticated enough to qualify as an enterprise SaaS offering. Pre-configured virtual machines let customers upload malicious payloads directly into Fox Tempest-controlled environments and receive signed binaries in return. The group operates "in the upstream in the malware and ransomware supply chain, as an enabler," Maurice Mason, principal cybercrime investigator at Microsoft's Digital Crimes Unit, told reporters at a pre-disclosure briefing on May 18. "They've made this operational and scalable by providing a mass service to cybercriminals and ransomware operators to essentially go out, get their code signed quickly, then deploy whatever operations they want."
As Microsoft disabled fraudulent accounts and revoked certificates in the months before the court filing, Fox Tempest adapted. By February 2026, it had migrated to networks of third-party virtual machines hosted on Cloudzy, a US-based virtual private server provider, to reduce friction for customers and improve operational security. Microsoft filed for a civil court order on May 5 and was granted one three days later; the action was unsealed on May 19.
How a Signed Installer Becomes a Ransomware Attack
Microsoft's threat intelligence team documented the complete attack chain in the days before unsealing the case. A victim searches for Microsoft Teams online. Search results, poisoned through paid advertising or SEO manipulation, return a spoofed download page. The file is a counterfeit Teams installer carrying a short-lived Fox Tempest certificate; because that certificate was genuinely issued through Microsoft's Artifact Signing platform, Windows accepts the signature as valid. Executing it deploys Oyster, a modular backdoor also known as Broomstick, which establishes persistent remote access. Rhysida ransomware follows.
This attack chain was documented specifically in campaigns run by Vanilla Tempest, which Microsoft named as a co-conspirator in the lawsuit. Vanilla Tempest distributed Fox Tempest-signed binaries through purchased advertising and SEO poisoning that impersonated Teams, AnyDesk, PuTTY, and Cisco Webex download pages. Beyond Vanilla Tempest, Fox Tempest's confirmed customer list included Storm-0501, Storm-2561, and Storm-0249, as well as affiliates of the Akira, INC, Qilin, and BlackByte ransomware families. Its signed malware catalog extended to the infostealers Lumma Stealer and Vidar, and to tooling used by MuddyWater, a cyber-espionage group attributed to Iran's Ministry of Intelligence and Security.
Rhysida's Trail: British Library, Seattle Airport, Children's Hospital
Rhysida — the ransomware strain Fox Tempest most directly enabled — has produced some of the most damaging attacks on public institutions recorded since 2023. In October 2023, Rhysida hit the British Library, exfiltrating approximately 600GB of data including staff personnel records and user information. The Library refused a ransom demand of roughly £600,000. Recovery cost an estimated £6 to £7 million — approximately 40 percent of the institution's financial reserves — and disrupted services for months.
In September 2024, Rhysida attacked Seattle-Tacoma International Airport, demanding $5.8 million. The FBI and the Cybersecurity and Infrastructure Security Agency have issued joint advisories on Rhysida, noting its predominant targeting of education, healthcare, manufacturing, and government sectors since May 2023.
Microsoft's Civil Litigation Model Moves Faster Than Criminal Indictments
Microsoft's Digital Crimes Unit pursued this action through civil litigation, obtaining a court order before engaging federal and international law enforcement partners — a model the unit has also used against nation-state infrastructure. The civil route allows Microsoft to move on legal timelines rather than waiting for government-led criminal indictments, which can take years. The court order enabled the seizure of the signspace[.]cloud domain, the takedown of hundreds of virtual machines hosted on Cloudzy, the suspension of approximately 1,000 Fox Tempest accounts, and the revocation of more than 1,000 code-signing certificates. The domain now redirects visitors to a Microsoft-operated page explaining the seizure.
The FBI and Europol's European Cybercrime Centre are continuing efforts to identify the individuals behind Fox Tempest, who appear in court documents only as John Doe 1 and John Doe 2. Microsoft's internal tracking name for a key seller of the service is SamCodeSign; DCU investigators engaged with that individual directly over Telegram during the undercover phase of the investigation, which included test purchases between February and March 2026. Fox Tempest's operational communications were translated from Russian by a third-party partner for the investigation.
"To disrupt the service, we seized Fox Tempest's website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code," Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, wrote in a May 19 blog post. "This action builds upon persistent internal efforts to revoke fraudulently obtained code-signing certificates and enhance our defenses. It's already having an impact: cybercriminals are complaining about challenges accessing the current service."
Operators Are Rebuilding: Code Signatures Cannot Be Taken at Face Value
Microsoft acknowledged that Fox Tempest has already attempted to shift operations and its customer base to a different code-signing service following the seizure. "What once required a single group to carry out an attack from start to finish is now broken into a modular ecosystem where services are bought and sold and work interchangeably with one another," Masada wrote. "Some services are inexpensive and widely used. Others, like Fox Tempest, are highly specialized and expensive because they remove friction or bypass obstacles that make attacks fail."
For enterprise security teams and individual users alike, the case establishes that a valid Windows code signature is not sufficient evidence that software is safe to run, particularly when it arrives through an advertisement, a redirected search result, or an unofficial download page. Fox Tempest's certificates were issued through Microsoft's own platform, so the signature chain on its customers' malware verified cleanly; what the signature could not vouch for was the identity behind the fraudulent account or the intent of the payload. The attack chains Fox Tempest enabled were specifically designed to exploit the trust Windows places in signed executables. Verifying software through independent channels, such as downloading only from the vendor's own site and comparing the signer name and the file hash against what the vendor publishes, rather than relying on the digital signature alone, is now a practical defensive requirement.
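A script-level version of that check, added here as an illustration; it is not part of the TechTimes article and not Microsoft's own tooling. It uses the stock Windows PowerShell cmdlets Get-AuthenticodeSignature and Get-FileHash. The expected publisher name, the known-good SHA-256 and the file path are placeholders that you would take from the vendor's official download page, never from the page that served the file.

```powershell
# Added example (not from the article): vet an installer beyond "Status = Valid".
# A certificate fraudulently obtained through a legitimate signing platform still yields a
# valid chain, so the signature alone answers "was this signed?", not "signed by whom, and is
# that who I expected?"

function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher you expect to have signed this file, as named on the vendor's official site.
        [Parameter(Mandatory)] [string] $ExpectedSubject,
        # SHA-256 the vendor publishes through an independent channel; leave empty if you have none.
        [string] $KnownGoodSha256 = ''
    )

    $findings = @()
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # 1. Chain validity: necessary, not sufficient.
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is $($sig.Status)"
    }

    if ($null -eq $cert) {
        $findings += 'File is not signed'
    } else {
        # 2. Identity: does the signer's subject name match the vendor you expect?
        if ($cert.Subject -notlike "*$ExpectedSubject*") {
            $findings += "Signer '$($cert.Subject)' is not the expected publisher '$ExpectedSubject'"
        }
        # 3. Validity window: recorded for context only. The same platform issues short-lived
        #    certificates to legitimate customers, so a short window is not by itself a verdict.
        $hours = ($cert.NotAfter - $cert.NotBefore).TotalHours
        $findings += ("Certificate lifetime {0:N0} h, issuer: {1}" -f $hours, $cert.Issuer)
    }

    # 4. Independent verification: compare the file hash with one published by the vendor.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $hashOk = $true
    if ($KnownGoodSha256) {
        $hashOk = ($hash -eq $KnownGoodSha256.ToUpperInvariant())
        if (-not $hashOk) { $findings += "SHA-256 $hash does not match the vendor-published hash" }
    } else {
        $findings += "SHA-256 $hash (no vendor hash supplied; compare against the official download page)"
    }

    $identityOk = ($null -ne $cert) -and ($cert.Subject -like "*$ExpectedSubject*")
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = if ($cert) { $cert.Subject } else { $null }
        Sha256          = $hash
        Trusted         = ($sig.Status -eq 'Valid') -and $identityOk -and $hashOk
        Findings        = $findings
    }
}

# Usage with placeholder values. Add -KnownGoodSha256 '<hash>' once you have the hash
# listed on the vendor's official download page.
Test-InstallerTrust -Path 'C:\Downloads\TeamsSetup.exe' -ExpectedSubject 'Microsoft Corporation' |
    Format-List
```

The `Trusted` field is only true when all three conditions hold: the chain validates, the signer's subject is the publisher you expected, and the hash matches the vendor's published value when one was supplied. A file that is validly signed but by an unexpected subject is exactly the case this article describes, and it fails the check.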
Fox Tempest's confirmed targets spanned organizations in the United States, France, India, China, Brazil, Germany, Japan, the United Kingdom, Italy, and Spain.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.