Fox Tempest Malware Signing Takedown
Key Questions
What action did Microsoft take against the Fox Tempest platform?
Microsoft seized a fake certificate signing service operated as malware-signing-as-a-service for ransomware groups including Rhysida and Akira. Over 1,000 fraudulent certificates were revoked in the operation.
How did Fox Tempest help ransomware gangs evade detection?
The service allowed attackers to obtain legitimate-looking digital signatures for malware, bypassing security controls that trust signed code. This tactic significantly scaled the use of signed malware in campaigns.
Which ransomware groups were linked to the Fox Tempest signing service?
The disrupted platform was tied to prominent groups such as Rhysida and Akira that relied on it to sign malicious binaries. The takedown disrupts a key infrastructure component supporting their operations.
Microsoft disrupts fake code-signing service used by Rhysida/Akira; 1k+ certs revoked since May 2025.
Sources (2)
Updated May 20, 2026