Fox Tempest-run malware-signing service disrupted

Microsoft has announced that it has disrupted a major cybercrime operation that enabled threat actors to distribute ransomware and other malware under fraudulently obtained code-signing certificates.

The company said a threat actor it tracks as Fox Tempest operated a malware-signing-as-a-service (MSaaS) platform that abused Microsoft Artifact Signing to generate short-term certificates that allowed malware to appear as legitimate software.

According to Microsoft, Fox Tempest created more than 1,000 code-signing certificates and set up hundreds of Azure tenants and subscriptions to support the operation. The company said it has now revoked over 1,000 certificates linked to the group.

Microsoft has monitored Fox Tempest since September 2025 and said the service was used by several ransomware operators, including Vanilla Tempest, which Microsoft previously targeted in October 2025. The infrastructure was reportedly used to distribute ransomware strains including Rhysida, Qilin, Akira, and Inc ransomware, as well as Lumma Stealer, Oyster, and Vidar malware families.

The attacks affected organizations across multiple sectors, including healthcare, education, government, and financial services, with victims reported in countries such as the United States, France, India, and China. Microsoft believes the service generated millions of dollars in revenue for its operators.

Microsoft said it seized core infrastructure, removed fraudulent accounts, and strengthened verification measures for abused services. The company also filed lawsuits against Fox Tempest and Vanilla Tempest.

In a separate report, the Windows maker has detailed a malicious campaign orchestrated by Storm-2949, aimed at stealing sensitive data from a target organization’s most valuable cloud assets. Instead of using traditional malware, the attackers abused legitimate cloud and Azure management tools to gain access to Microsoft 365, file-hosting platforms, and Azure production environments. By exploiting both control-plane and data-plane permissions, they remotely executed code on virtual machines and accessed critical resources such as Key Vaults and storage accounts.
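The Storm-2949 activity described above leaves no malware to find; what a defender can look for is a single identity that uses a control-plane action (running a command on a VM) and then touches data-plane secrets (Key Vault reads, storage key listing) shortly afterwards. The following is an added example, not Microsoft's detection logic and not code from the report: it correlates such sequences per caller over a small set of constructed, simplified log records. The record shape and field names (`time`, `caller`, `operation`, `resource`) are an assumption; in practice you would map them from Azure Activity Log and Key Vault diagnostic exports.

```python
"""Correlate Azure control-plane execution with follow-on data-plane access.

Added example (not from the article). Flags any caller that issues a VM
run-command or extension write and, within a time window, reads Key Vault
secrets/keys or lists storage account keys. Log records are constructed
and simplified; field names are an assumption about the export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Resource paths are
# abbreviated with "..." purely for readability.
SAMPLE_EVENTS = [
    {"time": "2025-10-02T09:00:00Z", "caller": "admin@contoso.example",
     "operation": "Microsoft.Compute/virtualMachines/read", "resource": ".../vm-prod-01"},
    {"time": "2025-10-02T09:05:00Z", "caller": "svc-deploy@contoso.example",
     "operation": "Microsoft.Compute/virtualMachines/runCommand/action", "resource": ".../vm-prod-01"},
    {"time": "2025-10-02T09:07:00Z", "caller": "svc-deploy@contoso.example",
     "operation": "SecretGet", "resource": ".../kv-prod"},
    {"time": "2025-10-02T09:09:00Z", "caller": "svc-deploy@contoso.example",
     "operation": "Microsoft.Storage/storageAccounts/listKeys/action", "resource": ".../stprod"},
    {"time": "2025-10-02T14:00:00Z", "caller": "backup@contoso.example",
     "operation": "SecretGet", "resource": ".../kv-prod"},
]

# Control-plane operations that execute code on a VM (Azure operation names).
CONTROL_PLANE_EXEC = {
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Compute/virtualMachines/extensions/write",
}
# Data-plane / key-material access worth pairing with the above.
DATA_PLANE_ACCESS = {
    "SecretGet", "SecretList", "KeyGet",
    "Microsoft.Storage/storageAccounts/listKeys/action",
}


def parse_time(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=timedelta(minutes=30)):
    """Return findings: one per control-plane exec event that is followed,
    by the same caller within `window`, by data-plane access events."""
    by_caller = defaultdict(list)
    for event in events:
        by_caller[event["caller"]].append(event)

    findings = []
    for caller, evs in by_caller.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for i, exec_event in enumerate(evs):
            if exec_event["operation"] not in CONTROL_PLANE_EXEC:
                continue
            t0 = parse_time(exec_event["time"])
            followups = [
                f for f in evs[i + 1:]
                if f["operation"] in DATA_PLANE_ACCESS
                and parse_time(f["time"]) - t0 <= window
            ]
            if followups:
                findings.append({"caller": caller, "exec": exec_event, "followups": followups})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding["caller"], finding["exec"]["operation"])
        for f in finding["followups"]:
            print("   ->", f["time"], f["operation"], f["resource"])
```

The lone `SecretGet` by the backup identity is not flagged: the point of the correlation is the pairing of execution rights with secret access by one principal, which is what the report describes and what a least-privilege role split should make impossible for any single identity.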
