Exposing Fox Tempest: A malware-signing service operation

Key Points:

• Fox Tempest operates a malware-signing-as-a-service (MSaaS) that provides fraudulent code-signing certificates to cybercriminals, enabling the distribution of various malware, including ransomware.
• The impact includes facilitating attacks against multiple sectors globally, with notable links to ransomware groups such as Vanilla Tempest and the deployment of malware like Rhysida and Oyster. Microsoft has revoked over a thousand certificates associated with this operation.
• Recommended actions include enabling cloud-delivered protection in Microsoft Defender, utilizing Safe Links and Safe Attachments, and implementing tenant-wide tamper protection to prevent attackers from disabling security measures.

Technical Details: Fox Tempest abused Microsoft Artifact Signing to create short-lived fraudulent certificates, allowing malicious binaries to evade detection. The service operated through signspace[.]cloud until its disruption by Microsoft's Digital Crimes Unit in May 2026.

MITRE ATT&CK Techniques:

• T1078 - Valid Accounts (Defense Evasion)
• T1190 - Exploit Public-Facing Application (Initial Access)
• T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
• T1566 - Phishing (Initial Access)

IOCs Mentioned:

• signspace[.]cloud (Domain)
• dc0acb01e3086ea8a9cb144a5f97810d291020ce (Signer SHA-1 Certificate)
• 7e6d9dac619c04ae1b3c8c0906123e752ed66d63 (Signer SHA-1 Certificate)
• 11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326 (SHA-256 File Hash)
• f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55 (SHA-256 File Hash)