Fox Tempest operated a malware-signing-as-a-service that exploited Microsoft Artifact Signing to issue short-lived code-signing certificates. These certificates were used to sign malware, enabling it to appear legitimate and evade security detection. The group created over a thousand certificates and established hundreds of Azure tenants and subscriptions to facilitate their operations. Their service supported distribution of multiple ransomware and malware families affecting diverse sectors worldwide. Microsoft tracked Fox Tempest since September 2025 and has revoked over one thousand certificates attributed to them. The company also disrupted infrastructure and initiated legal actions to dismantle the operation and prevent further abuse of its services.

The abuse of Microsoft Artifact Signing by Fox Tempest allowed cybercriminals to distribute ransomware and malware that appeared legitimate, increasing the likelihood of successful infections. The downstream impact included attacks on healthcare, education, government, and financial sectors globally, affecting organizations in the United States, France, India, China, and other countries. The operation facilitated ransomware campaigns and malware distribution that could lead to data breaches, operational disruption, and financial loss for victims.

Microsoft has revoked over one thousand malicious code-signing certificates and removed fraudulent Azure accounts associated with Fox Tempest. The company strengthened verification processes for its Artifact Signing service to prevent similar abuse. Organizations should ensure their security solutions validate code-signing certificates and monitor for suspicious signed binaries. Since Microsoft has disrupted the service and taken legal action, this threat is currently mitigated by these interventions. Patch status is not applicable as this is an abuse of a legitimate service rather than a software vulnerability.