'Thousands' of US victims, including 12+ machines owned and operated by Redmond
# Incident Report: Fox Tempest Malware-Signing Exploitation
## Executive Summary
Microsoft’s Digital Crimes Unit (DCU) disrupted a major "Malware Signing-as-a-Service" operation run by a threat group known as Fox Tempest. The group leveraged over 580 fraudulent Microsoft accounts and fake identities to abuse the Microsoft Artifact Signing service, providing legitimate code-signing certificates to various ransomware affiliates. This operation facilitated the infection of thousands of U.S. machines, including those belonging to Microsoft itself, by allowing malware to bypass standard security warnings and appear authentic.
## Incident Details
- **Discovery Date:** February 2026 (via undercover purchase)
- **Incident Date:** May 2025 – May 2026
- **Affected Organization:** Microsoft (internal systems) and thousands of US-based victims
- **Sector:** Technology, Infrastructure, and various sectors targeted by ransomware
- **Geography:** Global, with a high concentration of victims in the United States
## Timeline of Events
### Initial Access
- **Date/Time:** May 2025
- **Vector:** Identity Theft / Account Fraud
- **Details:** Fox Tempest created more than 580 fraudulent Microsoft accounts using fake identities and impersonated organizations to gain access to the Artifact Signing service.
### Lateral Movement
- **Details:** Once legitimate signing credentials were obtained, the "customers" (ransomware gangs) used signed malware (e.g., Oyster backdoor) to infiltrate victim networks, moving laterally using standard ransomware TTPs.
### Data Exfiltration/Impact
- **Details:** Thousands of U.S. victims were infected. Multiple ransomware families (INC, Qilin, Akira, Vanilla Tempest) used these certificates to exfiltrate data, encrypt systems, and extort victims for payment.
### Detection & Response
- **February – March 2026:** Microsoft DCU launched an investigation using a cooperating source to conduct "test purchases" of the signing service from "SamCodeSign" (John Doe 2).
- **May 19, 2026:** Microsoft unsealed court documents, seized website domains, and deactivated hundreds of virtual machines used to host the criminal infrastructure.
## Attack Methodology
- **Initial Access:** Fraudulent registration for developer services using stolen or fake identities.
- **Persistence:** Creation of over 580 distinct accounts to ensure redundancy if some were flagged.
- **Defense Evasion:** Use of legitimate digital signatures to bypass Antivirus (AV) and Endpoint Detection and Response (EDR) alerts that typically flag unsigned or self-signed binaries.
- **Lateral Movement:** Facilitated for "clients" through the deployment of the Oyster backdoor.
- **Exfiltration:** Standard ransomware techniques facilitated by the initial "trusted" execution of signed payloads.
- **Impact:** System encryption and data extortion.
## Impact Assessment
- **Financial:** Certificates sold for $5,000 to $9,500 each; significant costs associated with ransomware recovery for thousands of victims.
- **Data Breach:** Exfiltration of personal and confidential information by ransomware affiliates.
- **Operational:** Disruption to thousands of organizations, including 12+ Microsoft-owned machines.
- **Reputational:** Abuse of Microsoft’s own trust-based services (Artifact Signing) to facilitate crime.
## Indicators of Compromise
- **Network indicators:**
  - `noticeofpleadings[.]net` (legal notice domain related to the case)
- **File indicators:**
  - Malware families identified: Oyster (backdoor), Lumma (infostealer), Vidar (infostealer).
- **Behavioral indicators:**
  - Software signed by Microsoft Artifact Signing but exhibiting anomalous behavior (e.g., unauthorized data collection or encryption).
## Response Actions
- **Containment:** Legal seizure of domains and shutdown of infrastructure (VMs) used by Fox Tempest.
- **Eradication:** Deactivation of over 580 fraudulent Microsoft accounts and revocation of certificates.
- **Recovery:** Ongoing support for "thousands" of impacted customers identified via telemetry.
## Lessons Learned
- **Know Your Customer (KYC) Failures:** The ability for threat actors to create 580+ fraudulent accounts suggests a need for more rigorous verification during the developer onboarding process for signing services.
- **Trust as a Weapon:** Threat actors are increasingly moving away from "cracking" security and toward "borrowing" legitimacy via valid certificates.
## Recommendations
- **Enhanced Verification:** Implement secondary identity verification and manual review for organizations applying for high-trust services like Artifact Signing.
- **Certificate Monitoring:** Monitor the telemetry of apps signed via Artifact Signing to detect "mass-deployment" of signed binaries that exhibit malware-like behavior.
- **Defense in Depth:** Organizations should not rely solely on digital signatures as a mark of safety; behavioral analysis and "Least Privilege" remain critical.
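One way to act on the Certificate Monitoring and Defense in Depth recommendations above, and on the behavioral indicator listed under Indicators of Compromise, as an added example that is not part of the report or of Microsoft's tooling: a Python triage pass over constructed EDR process events that groups validly signed executions by signer, flags signers whose binaries show malware-like behavior, and raises the severity when the same signer's binaries are spread across many hosts. The event field names, signer names, behavior labels and host threshold are all assumptions.

```python
import json
from collections import defaultdict

# Constructed sample telemetry, not from the report: one JSON process event per line.
# "signer" is the subject name from the binary's code-signing certificate and
# "sig_valid" is the result of signature verification, as an EDR would record them.
SAMPLE_EVENTS = """
{"host":"ws-01","image":"updater.exe","signer":"Example Publisher Inc","sig_valid":true,"actions":["shadow_copy_delete","mass_rename"]}
{"host":"ws-02","image":"updater.exe","signer":"Example Publisher Inc","sig_valid":true,"actions":["mass_rename"]}
{"host":"ws-03","image":"updater.exe","signer":"Example Publisher Inc","sig_valid":true,"actions":["bulk_outbound"]}
{"host":"ws-04","image":"svc-agent.exe","signer":"Example Publisher Inc","sig_valid":true,"actions":[]}
{"host":"ws-01","image":"notepad.exe","signer":"Microsoft Windows","sig_valid":true,"actions":[]}
{"host":"ws-06","image":"helper.exe","signer":"Other Vendor LLC","sig_valid":true,"actions":["lsass_read"]}
{"host":"ws-07","image":"dropper.exe","signer":"","sig_valid":false,"actions":["mass_rename"]}
"""

# Assumed behavior labels that a legitimately signed updater or agent has no business performing.
SUSPICIOUS_ACTIONS = {"shadow_copy_delete", "mass_rename", "lsass_read", "bulk_outbound"}


def parse_events(text):
    """Parse newline-delimited JSON process events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events, min_hosts=3):
    """Group validly signed executions by signer and flag signers whose binaries
    show malware-like behavior; spread across many hosts raises the severity."""
    by_signer = defaultdict(lambda: {"hosts": set(), "bad": set()})
    for ev in events:
        if not ev["sig_valid"]:
            continue  # unsigned or broken signatures are already caught by ordinary AV/EDR rules
        entry = by_signer[ev["signer"]]
        entry["hosts"].add(ev["host"])
        entry["bad"].update(a for a in ev["actions"] if a in SUSPICIOUS_ACTIONS)

    findings = {}
    for signer, entry in by_signer.items():
        if not entry["bad"]:
            continue  # signed and well-behaved: nothing to raise
        findings[signer] = {
            "hosts": sorted(entry["hosts"]),
            "behaviors": sorted(entry["bad"]),
            # one signer's binaries on many hosts plus bad behavior suggests an abused certificate
            "severity": "high" if len(entry["hosts"]) >= min_hosts else "medium",
        }
    return findings
```

A signature that verifies only tells you who the certificate was issued to; the signer-level grouping is what surfaces a certificate that was obtained fraudulently and then sold on.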