Microsoft Dismantles Fox Tempest: Ransomware Groups Paid Up to $9,500 to Fake Windows Software Signatures

Microsoft’s Digital Crimes Unit has taken significant legal action against Fox Tempest, a criminal enterprise that has been selling fraudulently signed malware to ransomware groups as a subscription service. This operation has had far-reaching consequences, affecting hospitals, schools, and critical infrastructure across ten countries. The lawsuit, filed on May 19 in the U.S. District Court for the Southern District of New York, highlights the vulnerabilities in software security that impact anyone who downloads applications on Windows.

Criminal Marketplace Built Inside Microsoft’s Own Infrastructure

Fox Tempest, which has been active since at least May 2025, created a sophisticated portal at signspace[.]cloud. This platform featured an authenticated dashboard and a user-friendly drag-and-drop interface for uploading malicious files. Customers could purchase code-signing engagements through a bilingual form, receiving certificates valid for up to 72 hours. For those willing to pay a premium, priority access was available. Court documents reveal that the group generated over 580 fraudulent Microsoft accounts using fake identities, allowing them to bypass identity verification for Artifact Signing.

Described as an enterprise SaaS offering, Fox Tempest provided pre-configured virtual machines that enabled customers to upload malicious payloads directly into their controlled environments, receiving signed binaries in return. Maurice Mason, a principal cybercrime investigator at Microsoft, noted that Fox Tempest operated “in the upstream in the malware and ransomware supply chain,” effectively enabling cybercriminals to quickly deploy their operations with signed code.

As Microsoft took steps to disable fraudulent accounts and revoke certificates leading up to the lawsuit, Fox Tempest adapted its operations. By February 2026, the group had transitioned to utilizing third-party virtual machines hosted on Cloudzy, a U.S.-based virtual private server provider, to enhance operational security and streamline customer access.

How a Signed Installer Becomes a Ransomware Attack

In the days preceding the unsealing of the case, Microsoft’s threat intelligence team documented the complete attack chain orchestrated by Fox Tempest. Victims searching for Microsoft Teams online would encounter poisoned search results leading to a counterfeit download page. The downloaded file, masquerading as a legitimate Teams installer, was signed with a short-lived Fox Tempest certificate, which Windows accepted as genuine. Executing this file deployed a modular backdoor known as Oyster, which established persistent remote access, followed by the introduction of Rhysida ransomware.

This attack chain was notably linked to campaigns run by Vanilla Tempest, identified as a co-conspirator in the lawsuit. Vanilla Tempest distributed Fox Tempest-signed binaries through manipulated advertising and SEO tactics, impersonating download pages for popular software like Teams, AnyDesk, PuTTY, and Cisco Webex. The confirmed customer list for Fox Tempest includes various ransomware families, extending to tools used by cyber-espionage groups.

Rhysida’s Trail: British Library, Seattle Airport, Children’s Hospital

Rhysida, the ransomware strain most directly facilitated by Fox Tempest, has been responsible for some of the most damaging attacks on public institutions since 2023. In October 2023, the British Library suffered a breach that exfiltrated approximately 600GB of sensitive data, leading to a recovery cost estimated between £6 million and £7 million. Similarly, in September 2024, Seattle-Tacoma International Airport was targeted, with a ransom demand of .8 million, prompting advisories from the FBI and the Cybersecurity and Infrastructure Security Agency.

Microsoft’s Civil Litigation Model Moves Faster Than Criminal Indictments

Microsoft’s Digital Crimes Unit opted for civil litigation in this case, allowing for a more expedited legal process compared to traditional criminal indictments. This approach enabled the unit to secure a court order swiftly, leading to the seizure of the signspace[.]cloud domain, the takedown of numerous virtual machines, and the suspension of around 1,000 Fox Tempest accounts. The domain now redirects to a Microsoft-operated page detailing the seizure.

As investigations continue, the FBI and Europol’s European Cybercrime Centre are working to identify the individuals behind Fox Tempest. Microsoft has engaged directly with key sellers during the undercover phase of the investigation, revealing the operational complexities of this criminal enterprise.

Operators Are Rebuilding: Code Signatures Cannot Be Taken at Face Value

Despite the legal actions taken, Microsoft acknowledges that Fox Tempest has already begun to shift its operations to alternative code-signing services. Cybercrime has evolved into a modular ecosystem in which individual services, code signing among them, are bought and sold, which makes defense harder. As a result, enterprise security teams and individual users must recognize that a valid Windows code-signing certificate is no longer a definitive indicator of software safety. Verifying software through independent channels, such as the vendor's own download page and published hashes, has become a necessary practice to mitigate risks associated with signed executables.
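As an added example, not part of the article or of any Microsoft tooling, the PowerShell script below triages a downloaded installer the way the paragraph recommends: it reads the Authenticode signature, reports the signer and the certificate's validity window, flags very short-lived certificates (the Fox Tempest certificates were valid for up to 72 hours), checks the signer against an expected publisher list, and compares the file hash with a hash obtained out of band from the vendor. The `$ExpectedSha256` value, the `$TrustedPublishers` list and the 30-day threshold are placeholders to adjust per vendor.

```powershell
# Added example (not from the article): triage a downloaded Windows installer
# before running it. Reads the Authenticode signature, reports signer and
# certificate validity window, flags short-lived certificates, checks the
# signer against an expected publisher list, and compares the file hash with
# a vendor-published SHA-256 obtained out of band.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string]   $ExpectedSha256    = '<SHA256 from vendor download page>',  # placeholder
    [string[]] $TrustedPublishers = @('CN=Microsoft Corporation'),         # placeholder, per vendor
    [int]      $MaxCertLifetimeDays = 30                                   # placeholder threshold
)

$sig  = Get-AuthenticodeSignature -FilePath $Path
$cert = $sig.SignerCertificate

Write-Host "Signature status : $($sig.Status)"
if ($null -eq $cert) {
    Write-Warning "File is not signed; verify it by hash only."
    return
}

$lifetimeDays = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays, 1)
Write-Host "Signer subject   : $($cert.Subject)"
Write-Host "Issuer           : $($cert.Issuer)"
Write-Host "Valid            : $($cert.NotBefore) -> $($cert.NotAfter) ($lifetimeDays days)"

$findings = @()
if ($sig.Status -ne 'Valid') {
    $findings += "signature status is $($sig.Status)"
}
if ($lifetimeDays -le $MaxCertLifetimeDays) {
    $findings += "certificate lifetime is only $lifetimeDays days; confirm the publisher identity"
}
$publisherMatch = $TrustedPublishers | Where-Object { $cert.Subject -like "*$_*" }
if (-not $publisherMatch) {
    $findings += "signer '$($cert.Subject)' is not an expected publisher for this software"
}

# Hash comparison is independent of the signature: a fraudulently signed file
# will not match the hash published on the vendor's own site.
$actualSha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($actualSha256 -ne $ExpectedSha256.ToUpper()) {
    $findings += "SHA-256 $actualSha256 does not match the vendor-published hash"
}

if ($findings.Count -eq 0) {
    Write-Host "No findings: signed by an expected publisher and hash matches."
} else {
    Write-Warning "Do not run this file until the following are explained:"
    $findings | ForEach-Object { Write-Warning " - $_" }
}
```

A short certificate lifetime alone is not a verdict, since legitimate publishers using Microsoft's Artifact Signing also receive short-lived certificates; the finding is a prompt to rely on the publisher identity and the out-of-band hash rather than on the signature's mere validity.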

Fox Tempest’s confirmed targets spanned organizations in the United States, France, India, China, Brazil, Germany, Japan, the United Kingdom, Italy, and Spain.
