Exposing Fox Tempest: A malware-signing service operation
Essential information
- Published
- 19/05/2026 19:52
- Modified
- 21/05/2026 00:36
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- akira azure abuse blackbyte code-signing certificates inc lumma stealer malware-signing-as-a-service msaas oyster oyster backdoor qilin ransomware enabler rhysida vanilla tempest vidar
- Tags
- 2026-05-19 akira azure abuse blackbyte code-signing certificates inc lumma stealer malware-signing-as-a-service msaas oyster oyster backdoor qilin ransomware enabler rhysida vanilla tempest vidar
- Related entities
- 4 indicators, 4 observables, 1 intrusion sets (apt), 20 techniques (mitre), 9 malware, 10 others
Description
Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) business used by cybercriminals to distribute malicious code, including ransomware. The actor abuses Microsoft Artifact Signing to generate fraudulent code-signing certificates, allowing malware to evade security controls. Fox Tempest created over a thousand certificates and established hundreds of Azure tenants to support operations. Microsoft revoked over one thousand certificates and disrupted the service in May 2026 through the Digital Crimes Unit. The operation enabled ransomware deployment including Rhysida by threat actors like Vanilla Tempest, and distributed malware families including Oyster, Lumma Stealer, and Vidar. The MSaaS was available through signspace[.]cloud, charging between $5000-$9000 USD. Attacks impacted healthcare, education, government, and financial services sectors globally.