
Resecurity Teams Up with Microsoft DCU to Tackle Fox Tempest’s Cybercrime Code-Signing Network
Resecurity has partnered with Microsoft’s Digital Crimes Unit (DCU) to strategically disrupt Fox Tempest, a financially driven threat group specializing in malware-signing-as-a-service (MSaaS) that cybercriminals exploit to make harmful files appear legitimate.
On May 19, 2026, Microsoft initiated legal action in the U.S. District Court for the Southern District of New York against Fox Tempest. This cybercrime operation misused Microsoft Artifact Signing to acquire fraudulent code-signing certificates. According to Microsoft, this illegal service enabled cybercriminals to pass off malware as trusted software, significantly increasing the likelihood that harmful files would evade security measures and be executed by unsuspecting victims.
In the course of this enforcement action, Microsoft seized the Fox Tempest website signspace[.]cloud, shut down hundreds of virtual machines that were part of the operation, blocked access to the infrastructure hosting the underlying malicious code, and revoked over 1,000 code-signing certificates linked to Fox Tempest.
Fox Tempest was instrumental within the ransomware ecosystem. Rather than attacking victims directly, the group offered specialized services to help other threat actors digitally sign malware. This tactic made malicious distribution campaigns more efficient and gave malware a façade of legitimacy. Microsoft has associated Fox Tempest with ransomware and malware scams that involve various families, including Vanilla Tempest, Rhysida, Oyster, Lumma Stealer, Vidar, INC, Qilin, Akira, and others.
Through collaboration with Microsoft DCU, Resecurity gained insights into the operational methods of Fox Tempest. Microsoft’s actions included working alongside Europol’s European Cybercrime Centre (EC3) and the Federal Bureau of Investigation (FBI), highlighting the vital role of public-private partnerships in tackling cybercrime infrastructure effectively.
This case illustrates a significant trend in cybercrime: attackers are increasingly utilizing modular, commercialized services that streamline the attack process. By weaponizing code signing, Fox Tempest made harmful software appear trustworthy, reducing user vigilance and elevating the probability of successful attacks.
Addressing these services at their source is crucial. When malicious code-signing operations are disrupted, ransomware attackers and malware distributors lose essential capabilities, making their attacks harder to scale. This disruption also provides defenders a greater opportunity to neutralize threats before they reach potential victims.







