Fox Tempest
Fox Tempest, also referred to as Forging Marauder, is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) offering used by other cybercriminals. Active since at least May 2025, the group abused Microsoft Artifact Signing (formerly Trusted Signing / Azure Artifact Signing) to generate short-lived fraudulent code-signing certificates, allowing malicious binaries to appear legitimate and evade security controls. Microsoft reported that Fox Tempest created more than 1,000 fraudulent certificates and hundreds of Azure tenants and subscriptions, and operated infrastructure including signspace[.]cloud and later pre-configured third-party virtual machines to let customers upload malware and receive signed binaries.

Fox Tempest functioned primarily as an upstream enabler in the malware and ransomware ecosystem rather than as a direct intrusion actor. Reporting links its signing service to malware and ransomware activity involving Oyster, Lumma Stealer, Vidar, Rhysida, Akira, INC, Qilin, and BlackByte, and to customer or associated actors including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249. Microsoft also named Vanilla Tempest as a co-conspirator in legal action tied to the disruption. Signed malware was disguised as legitimate software such as Microsoft Teams, AnyDesk, PuTTY, and Webex, and was distributed through techniques including malvertising, SEO poisoning, fake download pages, and other social engineering lures.

Microsoft and partners disrupted Fox Tempest in May 2026 by seizing signspace[.]cloud, taking offline hundreds of virtual machines, blocking access to supporting infrastructure, and revoking more than 1,000 code-signing certificates. Reporting also states the service was advertised through Telegram, charged thousands of dollars in Bitcoin, and generated millions of dollars in revenue.
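The abuse described above relies on signed binaries that look like ordinary Teams or AnyDesk installers, and the disruption hinged on revoking the certificates behind them. As an added example (not code from this page, from Microsoft, or from Mallory), the PowerShell below audits the Authenticode signatures on a set of downloaded installers and reports each signer certificate's subject, issuer, validity window and signature status, so a defender can re-check previously trusted files once certificates have been revoked. The sample file paths and the signer-review.csv output name are constructed assumptions.

```powershell
# Added example, not from the page: audit Authenticode signatures on downloaded
# installers and surface the signer-certificate details worth reviewing after a
# certificate-revocation event.
# Assumptions: Windows PowerShell 5.1 or later; $Paths is a constructed sample list.

param(
    # Constructed sample paths; replace with the files you want to review.
    [string[]]$Paths = @("C:\Downloads\TeamsSetup.exe", "C:\Downloads\AnyDesk.exe")
)

function Get-SignerReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    if ($null -eq $cert) {
        # Unsigned or unparseable file: report the status only.
        return [pscustomobject]@{
            Path         = $Path
            Status       = $sig.Status
            Subject      = $null
            Issuer       = $null
            NotBefore    = $null
            NotAfter     = $null
            LifetimeDays = $null
            Thumbprint   = $null
            Timestamped  = $false
        }
    }

    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Subject      = $cert.Subject          # should match the product the installer claims to be
        Issuer       = $cert.Issuer
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        LifetimeDays = [int]($cert.NotAfter - $cert.NotBefore).TotalDays
        Thumbprint   = $cert.Thumbprint
        Timestamped  = ($null -ne $sig.TimeStamperCertificate)
    }
}

$report = foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) { Get-SignerReport -Path $p }
    else { Write-Warning "Not found: $p" }
}

# Any status other than Valid (for instance a chain that no longer verifies after
# the signer certificate was revoked) deserves a second look, as does a signer
# Subject that does not match the vendor the installer claims to come from.
$report | Sort-Object Status | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Valid' } |
    Export-Csv -NoTypeInformation -Path .\signer-review.csv
```

Run the script from a directory where you can write signer-review.csv; the table gives an at-a-glance view and the CSV keeps only the files that need follow-up. Because a signature status reflects the chain as it verifies today, re-running the audit after a revocation event is what catches binaries that passed when they were first downloaded.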
Tradecraft
18 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
9 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ran a malware-signing-as-a-service operation using fraudulently signed Microsoft Trusted Signing certificates to facilitate malware delivery with reduced detection.
Malware-signing-as-a-service provider whose infrastructure supplied fraudulently obtained Microsoft Trusted Signing certificates used to sign malicious installers.
Operates a malware-signing service that provides fraudulent code-signing for malware used by multiple criminal actors.
Financially motivated threat actor operating a malware-signing-as-a-service offering used by other threat actors to sign malware and improve trust and evasion.