Microsoft Dismantles 'Fox Tempest' Malware-Signing-as-a-Service Platform
**Microsoft** has taken down **Fox Tempest**, a Malware-Signing-as-a-Service (MSaaS) platform used by cybercriminals to sign malicious code, allowing it to bypass security defenses. The platform facilitated the distribution of ransomware and other malware by making it appear as legitimate software, impacting organizations globally. This disruption aims to raise the cost and complexity of cybercrime by targeting a key enabler of malware distribution.
Cybersecurity company **Microsoft** announced this week that it successfully dismantled **Fox Tempest**, a sophisticated service that provided cybercriminals with code-signing capabilities to legitimize malware. This operation, detailed in a recent U.S. District Court filing, disrupts a critical link in the cybercrime supply chain.
### Fox Tempest: Malware-Signing-as-a-Service
**Fox Tempest** operated as a Malware-Signing-as-a-Service (MSaaS) since May 2025, offering cybercriminals the ability to sign their malicious code with fraudulent certificates. This allowed malware to bypass security controls, masquerading as legitimate software.
According to **Steven Masada**, assistant general counsel at **Microsoft**'s Digital Crimes Unit, the service enabled cybercriminals to deliver malware and ransomware, infecting thousands of machines and compromising networks worldwide. "Malicious software that should have been blocked or flagged by antivirus and other safeguards was more likely to be opened, allowed to run, or pass security checks, essentially allowing malware to hide in plain sight," he stated.
### Weaponizing Legitimate Code Signing
**Fox Tempest** abused **Microsoft**'s Artifact Signing, designed to verify software legitimacy. By creating short-lived, fraudulent code-signing certificates, the platform allowed malware to resemble legitimate applications like **AnyDesk**, **Teams**, **PuTTY**, and **Webex**, bypassing security measures and increasing the likelihood of successful execution.
Ransomware affiliates associated with groups like **Rhysida**, **INC**, **Qilin**, and **Akira** reportedly utilized **Fox Tempest** to legitimize their malware. They would upload their malicious code to the platform, obtain signed certificates, and then distribute the malware through fake websites designed to mimic legitimate software download platforms.
### Microsoft's Response
**Microsoft** seized **Fox Tempest**'s website, took hundreds of virtual machines offline, and blocked access to the underlying code. They also revoked over 1,000 code-signing certificates attributed to **Fox Tempest**.
"When attackers can make malicious software look legitimate, it undermines how people and systems decide what's safe. Disrupting that capability is key to raising the cost of cybercrime," **Masada** explained.
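As an added, defender-side illustration (not code from the article, Microsoft, or the Fox Tempest takedown), the Go below applies three checks that follow from the abuse described above: a signer certificate whose validity window is only days long, a serial number that has since been revoked, and a certificate that lacks the code-signing extended key usage. The 30-day threshold, the revocation set and the self-signed test certificate are constructed assumptions; the checker takes an already-parsed signer certificate rather than a PE file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ShortLivedThreshold is an assumed tuning value: publisher certs usually run for a year or more.
const ShortLivedThreshold = 30 * 24 * time.Hour

// AssessCert lists why a signer certificate looks suspicious (nil when clean).
// revoked holds hex serial numbers gathered from CRLs, OCSP, or a vendor list.
func AssessCert(cert *x509.Certificate, revoked map[string]bool) []string {
	var findings []string
	if cert.NotAfter.Sub(cert.NotBefore) < ShortLivedThreshold {
		findings = append(findings, "short-lived validity window")
	}
	if revoked[cert.SerialNumber.Text(16)] {
		findings = append(findings, "serial on revocation list")
	}
	codeSign := false
	for _, eku := range cert.ExtKeyUsage {
		codeSign = codeSign || eku == x509.ExtKeyUsageCodeSigning
	}
	if !codeSign {
		findings = append(findings, "missing code-signing EKU")
	}
	return findings
}

// MakeSelfSignedCert builds a constructed certificate so the heuristic runs offline
// (real input is the signer certificate extracted from a signed binary).
func MakeSelfSignedCert(cn string, serial int64, lifetime time.Duration, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(lifetime), ExtKeyUsage: eku}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A one-day certificate whose serial appears in the constructed revocation set yields two findings, while a multi-year certificate with the code-signing EKU yields none.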
### The MSaaS Business Model
**Microsoft** highlighted that **Fox Tempest** operated as a well-resourced organization with departments handling infrastructure, customer relations, and financial transactions. The platform created over a thousand certificates and established hundreds of **Azure** tenants and subscriptions to support its operations.
Analysis of cryptocurrency payments revealed that **Fox Tempest** received millions of dollars from ransomware affiliates. The service was used in attacks targeting organizations in the U.S., China, France, and India.
This MSaaS model signifies a shift in the cybercriminal ecosystem, where advanced services are offered at scale. Unlike lower-cost infrastructure providers, **Fox Tempest** demonstrates that sophisticated actors are willing to invest heavily in capabilities that enhance attack success rates and reduce detection probabilities.