
Exposing Fox Tempest: A malware-signing service operation

ID: abe6606c-c9f9-50d4-8c80-3bb56c9fc377

STIX ID: report--abe6606c-c9f9-50d4-8c80-3bb56c9fc377

Feed Name: Microsoft Security

Threat Score: 78/100

Date Published: 2026-05-19

Date Updated: 2026-05-19

Author: Microsoft Threat Intelligence


Microsoft Threat Intelligence describes Fox Tempest, a malware-signing-as-a-service (MSaaS) operator that abused Microsoft Artifact Signing to create short-lived, legitimate-looking code-signing certificates, which other criminals used to deliver signed malware and ransomware globally. The report documents operational details, linkage to downstream ransomware groups (e.g., Vanilla Tempest, Rhysida), IOCs (domains, certificate hashes, file hashes), and mitigation and detection recommendations.
