Fox Tempest: The Dark Web Storefront That Sold Microsoft's Trust to Ransomware Gangs
Why It Matters
By weaponizing legitimate Microsoft signatures, Fox Tempest enabled ransomware to bypass traditional defenses, threatening critical infrastructure and highlighting a systemic weakness in code‑signing trust models.
Key Takeaways
- Fox Tempest sold genuine Microsoft code‑signing certificates to ransomware groups.
- Fraudulent Microsoft accounts generated over 580 certificates via Azure signing service.
- Prices ranged $5,000‑$9,500, paid with Bitcoin, with full customer support.
- Microsoft’s Digital Crimes Unit shut down the operation in May 2026.
- Compromised certificates enabled attacks on health systems and even Microsoft devices.
Summary
The video exposes Fox Tempest, a dark‑web storefront that sold authentic Microsoft code‑signing certificates to ransomware operators, effectively turning Windows’ built‑in trust mechanism into a weapon.
The operators created more than 580 fraudulent Microsoft accounts using fabricated identities, then leveraged Azure’s artifact signing service to obtain real certificates. They offered standard, priority and expedited certificates for $5,000‑$9,500, accepted Bitcoin, and provided virtual‑machine access and step‑by‑step signing instructions, complete with customer support.
Customers included notorious gangs such as Qilin, which recently breached Covenant Health and exposed nearly 480,000 patient records; even Microsoft‑owned machines were infected. Microsoft’s Digital Crimes Unit uncovered the scheme through undercover purchases, traced the crypto wallets, and dismantled the infrastructure on May 19, 2026.
The episode shows that code‑signing, long considered a baseline security control, can be monetized by threat actors, forcing organizations to reassess reliance on signed binaries and to implement stricter verification of certificate provenance.