Microsoft Disrupts Malware Signing Operation Linked to Ransomware Gangs

Microsoft has dismantled a cybercrime service that provided code-signing certificates to ransomware groups, impacting thousands of machines, including its own.

Microsoft has taken significant action against a cybercrime operation known as Fox Tempest, which allegedly sold code-signing certificates to ransomware gangs. This operation has been active since May 2025 and has reportedly allowed criminals to disguise their malware as legitimate software, affecting thousands of machines in the United States, including at least 12 owned by Microsoft itself.

Details of the Operation

Fox Tempest exploited Microsoft’s Artifact Signing service, which is designed for developers to sign their applications digitally. By creating over 580 fraudulent Microsoft accounts using fake identities, the Fox Tempest crew, identified in court documents as John Doe 1 and 2, misused this service to obtain real code-signing credentials. These certificates were then sold to other criminals for substantial sums.

Impact on Ransomware Activities

Among the customers of Fox Tempest was a ransomware group tracked by Microsoft as Vanilla Tempest, also known as Vice Spider, Vice Society, and Rhysida. This group allegedly used the certificates to sign various types of malware, including the Windows backdoor Oyster and the infostealers Lumma and Vidar. Because the signed malware carried a valid signature, it could be installed on victims’ computers as if it were legitimate software, leading to unauthorized access and data theft.
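The defensive lesson of the case above is that a valid Authenticode signature only proves who held the signing credential, not that the signer is trustworthy. The following PowerShell script is an added example, not code from the article or from Microsoft: it inventories the signer identity, issuer and certificate lifetime of every signed executable under a path, so that binaries signed with an identity later found to be fraudulent can be located. The parameters, the 7-day lifetime threshold and the empty suspect-thumbprint list are assumptions chosen for the example; revocation is only checked to the extent the cmdlet reports it in `Status`.

```powershell
# Added example (not from the article): inventory Authenticode signers of
# executables under a path so that binaries signed with an abused or revoked
# certificate can be found once its thumbprint or signer name becomes known.
# Assumptions: -Path, -SuspectThumbprints and -MaxCertDays are hypothetical
# parameters for this example; the 7-day threshold is a review heuristic.
param(
    [string]$Path = "C:\Users",
    [string[]]$SuspectThumbprints = @(),   # thumbprints known to be abused (none supplied here)
    [int]$MaxCertDays = 7                  # flag very short-lived signing certs for analyst review
)

$files = Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll,*.msi -File -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $cert = $sig.SignerCertificate
    if (-not $cert) { continue }  # unsigned files are out of scope for this check

    $lifetimeDays = ($cert.NotAfter - $cert.NotBefore).TotalDays
    $flags = @()
    if ($sig.Status -ne 'Valid')                          { $flags += "status=$($sig.Status)" }
    if ($SuspectThumbprints -contains $cert.Thumbprint)   { $flags += 'known-abused-cert' }
    if ($lifetimeDays -le $MaxCertDays)                   { $flags += 'short-lived-cert' }

    [pscustomobject]@{
        File       = $f.FullName
        Signer     = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        CertDays   = [math]::Round($lifetimeDays, 1)
        Status     = $sig.Status
        Flags      = ($flags -join ',')
    }
}

# Group by signer so one fraudulently obtained identity that signed many
# unrelated binaries stands out, then list everything that raised a flag.
$report | Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object { $_.Flags } | Format-Table File, Signer, Status, Flags -AutoSize
```

Feed the thumbprints or signer names published in a revocation notice into `-SuspectThumbprints` or a filter on `Signer` to turn the inventory into a targeted sweep.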

Investigation and Findings

Microsoft’s Digital Crimes Unit (DCU) conducted an investigation that included test purchases of the code-signing service from one of the operators, known as SamCodeSign. This investigation revealed operational details of Fox Tempest and identified cryptocurrency wallets used by its operators. The pricing for the certificates varied, with standard costs at $5,000 and expedited services reaching up to $9,500.

Ongoing Criminal Activity

According to the civil complaint filed by Microsoft, the criminal activities associated with Fox Tempest are ongoing. The operation has resulted in significant impacts on victims, including the exfiltration of personal and confidential information and extortion through ransomware attacks. Microsoft continues to monitor the situation and has linked Fox Tempest to various other ransomware affiliates.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
