Microsoft sinks Fox Tempest malware-signing network
Key insights
- Fox Tempest abused Microsoft's Artifact Signing infrastructure to make malware appear as legitimately verified software since May 2025.
- Microsoft disabled approximately 1,000 accounts and hundreds of cloud VMs using court orders and cloud-provider cooperation.
- This marks the first legal action Microsoft has taken against abuse of its own software-verification pipeline as an attack delivery mechanism.
Why this matters
Software signing and artifact verification are cornerstones of the trusted supply-chain model that AI infrastructure teams rely on for model weights, SDKs, and deployment tooling, and this operation demonstrates that those trust signals can be systematically rented out as attack infrastructure. The co-conspirator status of Vanilla Tempest, a group that has previously targeted hospitals, signals that signing-as-a-service operations are now an intermediary layer in ransomware chains rather than a niche abuse case. Founders building on cloud-native artifact pipelines should treat this as a forcing function to audit which signing authorities their CI/CD stacks implicitly trust, since a compromised verification layer can nullify every downstream security control.
Summary
Microsoft's Digital Crimes Unit has taken down Fox Tempest, a criminal operation that turned Microsoft's own software-verification pipeline into a malware delivery service. Since May 2025, Fox Tempest sold access to what amounted to a code-signing laundromat, taking ransomware and infostealers from paying clients and pushing them back out stamped with Microsoft's legitimate Artifact Signing infrastructure, making them appear as verified software to endpoint defenses.
A civil lawsuit unsealed in the Southern District of New York gave Microsoft the legal leverage to sinkhole Fox Tempest's malicious domains, pull down roughly 1,000 accounts, and work with cloud providers to disable hundreds of virtual machines. Vanilla Tempest, a ransomware group with a documented history of hitting hospitals and schools, is named as a co-conspirator in the filing.
Essentially: Fox Tempest was the signing-infrastructure layer that let Vanilla Tempest's payloads bypass trust controls at scale.
- Microsoft disabled approximately 1,000 accounts and hundreds of cloud VMs through coordinated cloud-provider cooperation.
- This is the first time Microsoft has brought legal action specifically against abuse of its own software-verification pipeline as an attack vector.
- Vanilla Tempest's co-conspirator status in the filing means civil discovery could expose the group's broader operational infrastructure.
The broader implication is that trust signals built into software supply chains are now primary attack surfaces, not secondary ones.
Potential risks and opportunities
Risks
- Enterprises that ingested Fox Tempest-signed binaries before the sinkhole may have latent infostealers or ransomware staging files that bypassed detection because the signing certificates were valid at scan time, requiring retroactive endpoint audits.
- Other ransomware groups currently using similar signing-as-a-service intermediaries face accelerated law enforcement scrutiny now that Microsoft has established the legal template for civil action against signing infrastructure abuse.
- Microsoft's Artifact Signing service faces customer trust erosion if audits reveal the abuse window extended beyond the May 2025 start date disclosed in the filing, particularly among regulated-industry customers in healthcare and education already targeted by Vanilla Tempest.
Opportunities
- Code-signing integrity vendors and supply-chain security platforms (Sigstore, Chainguard, Venafi) gain credibility and procurement urgency with enterprise security teams reassessing artifact trust models in the next 30-60 days.
- Managed detection and response providers that can retroactively scan for Fox Tempest certificate fingerprints across customer fleets have a concrete, time-sensitive upsell to existing accounts.
- Legal and compliance practices specializing in cyber civil litigation gain a reference case from this action that could accelerate similar suits from other platform vendors whose verification infrastructure is abused, expanding the addressable market for proactive IP-protection engagements.
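The retroactive endpoint audit that the Risks section calls for, and the fleet-wide scan for flagged signer certificates mentioned under Opportunities, both reduce to the same task: enumerate the Authenticode signers on every binary and flag anything whose signer thumbprint is on a watchlist or whose signature no longer validates. The PowerShell script below is an added example, not code from the article, from Microsoft, or from any vendor named above. The thumbprints in it are placeholders (the article publishes no certificate fingerprints), and the scan roots and report path are assumptions to adjust for your environment.

```powershell
# Added example: inventory Authenticode signers on a Windows endpoint and flag
# binaries signed by a watchlisted certificate or carrying a signature that no
# longer validates. The watchlist thumbprints are PLACEHOLDERS; populate them
# from your own threat-intel feed, since the article publishes no fingerprints.
param(
    # Assumed scan roots; extend to wherever third-party binaries land.
    [string[]]$Paths = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA"),
    # Placeholder signer thumbprints (SHA-1 hex, as reported by Get-AuthenticodeSignature).
    [string[]]$WatchlistThumbprints = @(
        '0000000000000000000000000000000000000000'   # placeholder, not a real indicator
    ),
    [string]$ReportPath = "$env:TEMP\signer-audit.csv"
)

# Case-insensitive set for O(1) thumbprint lookups.
$watch = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
$WatchlistThumbprints | ForEach-Object { [void]$watch.Add($_) }

$results = foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-AuthenticodeSignature validates the embedded signature and chain.
        $sig   = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert  = $sig.SignerCertificate
        $thumb = if ($cert) { $cert.Thumbprint } else { $null }

        $flags = @()
        if ($thumb -and $watch.Contains($thumb)) { $flags += 'watchlist-signer' }
        # Anything other than a clean Valid or an unsigned file deserves a look
        # (HashMismatch, NotTrusted, UnknownError, ...).
        if ($sig.Status -notin 'Valid', 'NotSigned') { $flags += "status:$($sig.Status)" }

        [pscustomobject]@{
            Path       = $_.FullName
            Status     = $sig.Status
            Subject    = if ($cert) { $cert.Subject } else { '' }
            Issuer     = if ($cert) { $cert.Issuer } else { '' }
            Thumbprint = $thumb
            Flags      = ($flags -join ';')
        }
    }
}

# Full inventory for later correlation, plus an on-screen view of flagged files only.
$results | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
$results | Where-Object Flags | Format-Table Path, Status, Subject, Flags -AutoSize
```

Keep the full CSV, not just the flagged rows: a file that was signed by a certificate valid at scan time still reports `Valid` unless that certificate has since been revoked and the endpoint can reach revocation data, so the thumbprint match against a maintained watchlist is the more reliable signal, and the inventory lets you re-run the match as new indicators arrive without rescanning every host.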
What we don't know yet
- Whether Microsoft has identified and notified all organizations whose endpoints received Fox Tempest-signed payloads between May 2025 and the takedown date.
- Which specific cloud providers cooperated to disable the virtual machine infrastructure, and whether their cooperation required separate legal orders or fell under existing terms-of-service agreements.
- Whether Vanilla Tempest's operational leadership has been identified and referred to law enforcement, or if the co-conspirator designation remains limited to the civil proceeding.
Originally reported by cyberscoop.com
Original headline: Microsoft Disrupts Fox Tempest — Ransomware-Enabling Malware-Signing-as-a-Service That Disguised Malware as Verified Software