Signed, Sealed, and Weaponized: Disrupting a Malware‑Signing‑as‑a‑Service Operation

Maurice Mason | Nick Monaco

Fox Tempest represents a pivotal escalation in the cybercrime ecosystem, operationalizing Malware Signing as a Service (MSaaS) at scale by abusing legitimate code‑signing workflows. Beginning in May 2025, the service issued short‑lived fraudulent certificates that enabled ransomware and malware operators, including Vanilla Tempest and Storm‑2561, to deploy payloads such as Oyster, Vidar, Lumma, and ultimately Rhysida while bypassing security controls. In this session, Microsoft’s Digital Crimes Unit (DCU) presents an end‑to‑end case study of Fox Tempest’s operations, from the subversion of trusted signing processes to the use of resilient, globally distributed infrastructure. Drawing on undercover purchases, blockchain analysis, and threat intelligence, DCU investigators trace millions in illicit proceeds back to the service, expose a critical Operational Security (OPSEC) failure enabling attribution, and outline Microsoft’s legal and strategic disruption efforts amid the challenges of cross‑border enforcement.