Microsoft has revoked over 1,000 certificates that allowed malware to be mistaken for 'legitimate software.'

On May 19, 2026, Microsoft announced that it had revoked over 1,000 code signing certificates obtained by the attack group 'Fox Tempest,' which operated a 'malware signing service' that made malware look like legitimate software. Fox Tempest had been exploiting Microsoft Artifact Signing to illegally obtain code signing certificates that were valid only for a short period, making malware, including ransomware, difficult to detect.
Exposing Fox Tempest: A malware-signing service operation | Microsoft Security Blog
A code signing certificate is a mechanism for verifying the publisher of software and whether it has been tampered with. Windows and security products use code signing as one of the factors in determining whether software is legitimate. In other words, if malware is given a seemingly genuine code signing certificate, even a dangerous file can appear to be legitimate software.

According to Microsoft, Fox Tempest did not infiltrate victim organizations itself, but rather provided a 'malware signing service' to other cybercriminals. Fox Tempest allegedly exploited Microsoft Artifact Signing to illegally obtain certificates with a validity period of 72 hours, enabling it to sign malware disguised as legitimate software such as AnyDesk, Microsoft Teams, PuTTY, and Webex. It is stated that Fox Tempest had been providing this service since at least May 2025.
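A defender-side triage check in the spirit of the mechanism described above, added here as an example that is not from the article or from Microsoft: it reads the Authenticode signature of a downloaded installer, reports the signing certificate's validity window (short-lived signers such as the 72-hour certificates described here stand out), and rebuilds the chain with online revocation checking so a since-revoked signer is reported. The file path and the short-lived threshold are placeholders.

```powershell
# Added example (not from the article): triage the Authenticode signer of an installer.
# Reports the signer's validity window and chain/revocation status. Windows only.
param(
    [Parameter(Mandatory = $true)][string]$Path,  # e.g. C:\Downloads\TeamsSetup.exe (placeholder)
    [int]$ShortLivedHours = 168                    # flag validity windows of a week or less (assumed threshold)
)

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -eq 'NotSigned') {
    Write-Output "NOT SIGNED: $Path"
    return
}

$cert = $sig.SignerCertificate
$validityHours = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalHours, 1)

# Rebuild the chain with online revocation checking. A timestamped signature can still
# verify after the signer expires, so the revocation status is checked explicitly.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)
$chainStatusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
if (-not $chainStatusText) { $chainStatusText = 'NoError' }

[pscustomobject]@{
    File             = $Path
    SignatureStatus  = $sig.Status
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    Thumbprint       = $cert.Thumbprint
    NotBefore        = $cert.NotBefore
    NotAfter         = $cert.NotAfter
    ValidityHours    = $validityHours
    ShortLivedSigner = ($validityHours -le $ShortLivedHours)
    Timestamped      = ($null -ne $sig.TimeStamperCertificate)
    ChainBuilds      = $chainOk
    ChainStatus      = $chainStatusText
}
```

A short validity window on its own is a triage signal, not a verdict, since Microsoft Artifact Signing issues short-lived certificates to legitimate publishers as well; weigh it together with the signer subject, the download source and the revocation result.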

Fox Tempest created over 1,000 certificates and used hundreds of Azure tenants and subscriptions as its operational infrastructure. Microsoft revoked over 1,000 code signing certificates that it determined were associated with Fox Tempest, and its
Fox Tempest's services were also used in ransomware attacks. Microsoft states that attack groups such as Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 used malware signed by Fox Tempest in actual attacks. For example, Vanilla Tempest used Fox Tempest's services to code-sign fake Microsoft Teams installers. Attackers used search ads and fake download pages to lure users searching for Microsoft Teams to pages under their control. When users ran the file believing it to be a legitimate Teams installer, the Oyster backdoor was deployed.

Furthermore, Fox Tempest's signature service was reportedly involved in the deployment of the Rhysida ransomware, as well as the distribution of other malware such as Lumma Stealer and Vidar.
Microsoft states that the Fox Tempest case illustrates a shift in cybercrime from 'attackers doing everything themselves' to 'combining specialized services.' Malware signing services make malware more likely to be taken for legitimate software, allowing it to evade detection by security products and user vigilance. Services like Fox Tempest therefore played a crucial role in supporting ransomware attacks.
in Security, Posted by log1d_ts