Fox Tempest is a financially motivated threat actor that operated a malware-signing-as-a-service (MSaaS) offering branded as SignSpace, first seen in May 2025. The Fox Tempest service abused Microsoft Artifact Signing to issue short-lived, fraudulently obtained code-signing certificates valid for 72 hours, allowing customer-supplied malware and ransomware to masquerade as legitimately signed Windows software such as AnyDesk, Microsoft Teams, PuTTY, and Webex.
Fox Tempest targeted the United States, France, India, and China, primarily impacting healthcare, education, government, and financial services organizations. Fox Tempest does not directly compromise victims; instead, it operates a malware-signing-as-a-service capability that downstream ransomware and commodity malware operators consume to gain initial access against end-user environments. Customers of Fox Tempest, including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249, distribute the resulting fraudulently signed binaries through legitimately purchased advertisements, malvertising, and SEO poisoning that redirect victims searching for popular enterprise tools such as AnyDesk, Microsoft Teams, PuTTY, and Webex to attacker-controlled download pages.
Because the Fox Tempest installers are signed with short-lived Microsoft-issued code-signing certificates obtained through Microsoft Artifact Signing and valid for only 72 hours, they appear to originate from a trusted publisher and bypass reputation, allow-list, and publisher-trust controls that would otherwise flag unsigned or unknown executables. To obtain the certificates, Fox Tempest is assessed to have used stolen identities based in the United States and Canada to defeat the identity validation processes required by Artifact Signing.
Once a victim executes the trojanized installer, such as the malicious MSTeamsSetup.exe deployed in the Vanilla Tempest case study, the fraudulently signed binary launches a follow-on payload from the catalog of malware distributed through the Fox Tempest service. Observed Fox Tempest payloads include the Oyster backdoor (also known as Broomstick), Lumma Stealer, and Vidar. Oyster is a modular, multi-stage implant that establishes persistent remote access, initiates command-and-control communications, collects host-level information, and enables the delivery of additional payloads, while blending into normal enterprise activity because its parent installer carries a legitimate-looking signature. The Vanilla Tempest attack chain shows scheduled tasks being created as part of the Oyster deployment, giving the implant persistence across reboots.
Following the establishment of initial access via Fox Tempest-signed malware, downstream operators have been observed conducting hands-on-keyboard activity within victim environments. Microsoft Defender for Endpoint detections cited in the source reporting include user accounts created under suspicious circumstances, new groups added suspiciously, and new local administrator accounts created using Net commands, indicating credential and privilege manipulation consistent with preparation for lateral movement and broader environment compromise enabled by Fox Tempest.
The downstream impact of Fox Tempest-enabled access is overwhelmingly ransomware deployment. In observed Vanilla Tempest engagements, the same Oyster-led intrusion chain enabled by Fox Tempest culminated in the deployment of Rhysida ransomware within the victim environment. Cryptocurrency analysis associated with Fox Tempest has identified clear links to ransomware affiliates responsible for deploying multiple prominent ransomware families, including Rhysida, INC, Qilin, Akira, and BlackByte, with observed proceeds in the millions of dollars. The resulting Fox Tempest-enabled attacks have impacted healthcare, education, government, and financial services organizations across the United States, France, India, and China, demonstrating that Fox Tempest functions as a key trust-laundering operator within the broader cybercrime ecosystem.
Organizations should not rely on code signing as a standalone trust control against Fox Tempest. Layer Authenticode signature verification with behavioral analytics, EDR telemetry, and execution restrictions, because a valid Microsoft-issued certificate alone is no longer a reliable indicator of software trustworthiness given the fraudulent issuance through Artifact Signing observed in the Fox Tempest campaign.
Enable tenant-wide tamper protection to defend against Fox Tempest. Activate tenant-wide tamper protection in Microsoft Defender for Endpoint to prevent attackers who achieve initial execution via Fox Tempest-signed payloads from disabling Defender or modifying antivirus exclusions, and enable DisableLocalAdminMerge to block GPO-based exclusion tampering.
Deploy SmartScreen-enabled browsers to block Fox Tempest distribution. Standardize on Microsoft Edge or other browsers supporting Microsoft Defender SmartScreen to block known malicious download pages, malvertising, and SEO-poisoned search results that redirect to counterfeit AnyDesk, Teams, PuTTY, and Webex installers signed by Fox Tempest.
Augment application allow-listing with behavioral validation against Fox Tempest. Configure Windows Defender Application Control or similar allow-listing solutions so that newly observed signed binaries are not automatically trusted on the basis of a valid signature alone, and require behavioral validation or hash-based approval for execution to defend against Fox Tempest-signed malware.
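The recommendations above, as an added example that is not part of the original report: a PowerShell triage function that treats a valid Authenticode signature as one input alongside hash block and approval lists, and flags a 72-hour certificate lifetime for review rather than trusting it. The file path and the approval list are placeholders; the blocked hashes are the SHA256 values listed later on this page.

```powershell
# Added example, not from the original report. Assumes PowerShell 5.1+ on Windows
# with the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets.
# Assumption: the 72-hour threshold mirrors the short-lived Artifact Signing
# certificates described above; $ApprovedSha256 is a placeholder for the
# organisation's own hash-based approval list.
$BlockedSha256 = @(   # SHA256 values from the report's indicator section
    'f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc',
    '11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326',
    'f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55'
)
$ApprovedSha256 = @()     # placeholder: hashes your change process has approved
$ShortLivedHours = 72

function Test-SignedInstaller {
    param([Parameter(Mandatory)][string]$Path)

    $hash     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($BlockedSha256 -contains $hash) {
        $findings.Add('SHA256 matches a known Fox Tempest indicator')
    }
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Authenticode status is $($sig.Status)")
    } elseif ($sig.SignerCertificate) {
        $cert     = $sig.SignerCertificate
        $lifetime = $cert.NotAfter - $cert.NotBefore
        # A 72-hour certificate is normal for Artifact Signing, so a short
        # lifetime is a review trigger, not proof of malice on its own.
        if ($lifetime.TotalHours -le $ShortLivedHours) {
            $findings.Add(("Short-lived signing certificate ({0:N0} h) from '{1}'" -f
                $lifetime.TotalHours, $cert.Subject))
        }
    }

    # A valid signature never earns 'Allow' by itself: only an approved hash does.
    $verdict = if ($BlockedSha256 -contains $hash)      { 'Block' }
               elseif ($ApprovedSha256 -contains $hash) { 'Allow' }
               else                                     { 'Review' }

    [pscustomobject]@{
        Path     = $Path
        SHA256   = $hash
        Signer   = $sig.SignerCertificate.Subject
        Verdict  = $verdict
        Findings = $findings -join '; '
    }
}

# Usage (placeholder path): Test-SignedInstaller -Path 'C:\Users\Public\Downloads\MSTeamsSetup.exe' | Format-List
```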
The Fox Tempest campaign employs numerous MITRE ATT&CK tactics and techniques. For Resource Development, Fox Tempest uses Acquire Infrastructure (T1583) including Domains (T1583.001), Virtual Private Server (T1583.003), and Malvertising (T1583.008); Establish Accounts (T1585) including Social Media Accounts (T1585.001) and Cloud Accounts (T1585.003); Compromise Accounts (T1586); Develop Capabilities (T1587) via Code Signing Certificates (T1587.002); and Stage Capabilities (T1608) through SEO Poisoning (T1608.006).
For Initial Access, Fox Tempest leverages Drive-by Compromise (T1189). Under Execution, Fox Tempest uses User Execution (T1204) via Malicious File (T1204.002). For Persistence, Fox Tempest employs Scheduled Task/Job (T1053) through Scheduled Task (T1053.005) and Create Account (T1136) via Local Account (T1136.001).
Defense Evasion tactics employed by Fox Tempest include Subvert Trust Controls (T1553) through Code Signing (T1553.002) and Masquerading (T1036) via Match Legitimate Resource Name or Location (T1036.005). For Discovery, Fox Tempest uses System Information Discovery (T1082). Credential Access includes Credentials from Password Stores (T1555).
Command and Control tactics employed by Fox Tempest include Application Layer Protocol (T1071) and Ingress Tool Transfer (T1105). Finally, Impact tactics include Data Encrypted for Impact (T1486) deployed by Fox Tempest-enabled ransomware operators.
Fox Tempest indicators include the domain signspace[.]cloud. SHA1 hashes associated with Fox Tempest are dc0acb01e3086ea8a9cb144a5f97810d291020ce and 7e6d9dac619c04ae1b3c8c0906123e752ed66d63. SHA256 hashes linked to Fox Tempest malware are f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc, 11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326, and f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55.
The Fox Tempest Telegram Channel is “EV Certs for Sale by SamCodeSign” and the associated Telegram Username is arbadakarba2000.