< Back to all clusters
[CRIME] · United States, France, India, China · 2 sources

Microsoft dismantles Fox Tempest code‑signing cybercrime service

Microsoft has seized the infrastructure of the Fox Tempest threat group, a “malware‑signing‑as‑a‑service” operation that sold more than 1,000 forged code‑signing certificates. The company blocked the group’s website, removed over 1,000 accounts and virtual machines, and obtained a court order in New York to disrupt the service.

Fox Temped used Microsoft’s Artifact Signing system to impersonate legitimate organisations, charging up to $9,500 per certificate. The signed malware was used by ransomware gangs such as Rhysida, Vanilla Tempest, Storm‑0501 and others, facilitating attacks on healthcare, education, government and financial services. The campaign hit organisations most heavily in the United States, France, India and China.

Microsoft says the takedown will raise the cost for attackers and hopes it will curb the emerging cyber‑crime economy that relies on counterfeit code‑signing to bypass security defenses.