Microsoft dismantles Fox Tempest 'malware-signing-as-a-service' that abused Azure Artifact Signing for 1,000+ certificates
Microsoft's Digital Crimes Unit, supported by law enforcement, has disrupted Fox Tempest, a 'malware-signing-as-a-service' offering that abused Azure Artifact Signing (formerly Trusted Signing) to issue legitimate Microsoft-signed certificates for malware. Using stolen US and Canadian identities, the operators created hundreds of Azure tenants and more than 1,000 certificates, each valid for 72 hours to reduce takedown risk. Microsoft has revoked the certificates, seized the signspace[.]cloud domain, and taken hundreds of supporting VMs offline. The service signed Oyster, Lumma Stealer, Vidar, and ransomware payloads for Rhysida, Akira, INC, Qilin, and BlackByte, used by groups including Vanilla Tempest and Storm-0501.
- Check: Search EDR and Defender SmartScreen logs for binaries signed by Microsoft Azure Artifact Signing certificates between 2025 and 2026-05-19. Cross-reference Microsoft's revoked certificate list.
- Affected: Endpoints that trust Microsoft Azure Artifact Signing certificates without additional publisher verification. This is especially relevant for environments previously targeted by Vanilla Tempest, Storm-0501, Storm-2561, or Storm-0249.
- Fix: Tighten Defender SmartScreen and AppLocker rules so a publisher signature alone is not sufficient trust. Verify that the named publisher of any Microsoft Artifact Signing-signed binary matches the expected software vendor.
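
One way to run the check and the publisher verification above over exported signature telemetry (an added example, not Microsoft's tooling). The record field names, issuer marker, thumbprints, hosts and expected-publisher map are constructed placeholders to replace with your own data and with Microsoft's revoked certificate list.

```python
from datetime import date

# Assumptions (constructed, not from the advisory): field names, issuer
# marker, thumbprints, hosts and the expected-publisher map.
ISSUER_MARKER = "EXAMPLE ARTIFACT SIGNING CA"  # placeholder: use issuer names from your telemetry
REVOKED = {"PLACEHOLDER-THUMBPRINT-01"}        # placeholder: load Microsoft's revoked list here
EXPECTED_PUBLISHER = {"vpnclient.exe": "Example Vendor Inc"}  # file name -> vendor you expect
WINDOW = (date(2025, 1, 1), date(2026, 5, 19))  # advisory window; "2025" read as 1 January

def triage(rec):
    """Return review reasons for one signed-binary record; [] means out of scope or clean."""
    seen = date.fromisoformat(rec["first_seen"])
    if ISSUER_MARKER not in rec["issuer"].upper() or not WINDOW[0] <= seen <= WINDOW[1]:
        return []
    reasons = []
    if rec["thumbprint"].upper() in REVOKED:
        reasons.append("revoked-certificate")
    expected = EXPECTED_PUBLISHER.get(rec["file"].lower())
    if expected is None:
        reasons.append("unknown-software")  # a valid signature alone is not trust
    elif rec["publisher"].strip().casefold() != expected.casefold():
        reasons.append("publisher-mismatch")
    return reasons

def review(records):
    """Map (host, file) -> reasons for every record that needs analyst attention."""
    return {(r["host"], r["file"]): why for r in records if (why := triage(r))}

SAMPLE = [  # constructed records, shaped like a flattened EDR export
    {"host": "ws-01", "file": "vpnclient.exe", "publisher": "Example Vendor Inc",
     "issuer": "Example Artifact Signing CA 01", "thumbprint": "abcd01",
     "first_seen": "2026-02-03"},
    {"host": "ws-02", "file": "vpnclient.exe", "publisher": "J. Doe",
     "issuer": "Example Artifact Signing CA 01",
     "thumbprint": "placeholder-thumbprint-01", "first_seen": "2026-03-10"},
    {"host": "ws-03", "file": "tool.exe", "publisher": "Other Corp",
     "issuer": "Some Other CA", "thumbprint": "9999", "first_seen": "2026-01-15"},
    {"host": "ws-04", "file": "setup.exe", "publisher": "A. N. Other",
     "issuer": "Example Artifact Signing CA 01", "thumbprint": "ef02",
     "first_seen": "2025-11-20"},
]

if __name__ == "__main__":
    for key, why in review(SAMPLE).items():
        print(key, why)
```

The expected-publisher map is what turns "signed" into "signed by the vendor we expect": a binary that passes signature validation but names an unrelated individual as publisher still lands in the review queue.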