Microsoft's Digital Crimes Unit has disrupted a criminal service that helped ransomware gangs slip past Windows security by making their malware look like legitimate, signed software. The takedown matters to everyday PC users because the same fake-but-signed installers — disguised as familiar apps like Microsoft Teams, AnyDesk, PuTTY and Webex — have been spreading through Google ads and search results, infecting home and small-business Windows machines.
What Microsoft just shut down
Fox Tempest is a financially motivated threat actor that operates a malware-signing-as-a-service (MSaaS) used by other cybercriminals to more effectively distribute malicious code, including ransomware. In plain English: criminals paid Fox Tempest to put a valid-looking Microsoft signature on their malware so antivirus and Windows itself would trust it.
The threat actor abuses Microsoft Artifact Signing to generate short-lived, fraudulent code-signing certificates to appear legitimately signed, allowing malware to evade security controls. Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations.
In May 2026, Microsoft's Digital Crimes Unit (DCU), with support from industry partner Resecurity, disrupted Fox Tempest's MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use. Microsoft also revoked over a thousand of the fraudulent certificates the group had issued.
Why this matters to your home or office PC
The whole point of code signing is to tell Windows, "this installer is real — let it run." Fox Tempest broke that trust. This use of short-lived certificates from a trusted source allowed malware and ransomware to masquerade as legitimate software (like AnyDesk, Teams, PuTTY, and Webex) to bypass security controls, significantly increasing the likelihood of execution and successful delivery.
How does this stuff reach normal users? Malware delivery in these attacks has included the use of legitimately purchased advertisements, malvertising, and SEO poisoning. Translation: someone searches Google for "download Teams" or "AnyDesk free," clicks a sponsored result, and installs what looks like the real program — except it quietly drops ransomware or a remote-access tool in the background. If your PC starts acting strange after an install like that, it's time for a professional malware and ransomware cleanup before files start getting encrypted.
The ransomware connection
Fox Tempest didn't deploy ransomware itself — it sold signing services to the gangs that do. Cryptocurrency analysis associated with Fox Tempest has identified clear links tying the actor to ransomware affiliates responsible for delivering several prominent ransomware families, including INC, Qilin, Akira, and others, with observed proceeds in the millions.
Microsoft Threat Intelligence has linked the actor to various ransomware groups including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249, who have all leveraged Fox Tempest-signed malware in active intrusions. These are the same crews that have been encrypting small-business networks and demanding five- and six-figure ransoms. If your drive ends up encrypted, paying is rarely the answer — bringing the machine in for drive and file recovery often gets more files back than negotiating with criminals.
What to do right now
This is a national story, not a York-specific incident, but the attack pattern is hitting home users and small businesses everywhere. A few practical steps:
- Stop clicking sponsored search results for software downloads. Type the vendor's address directly (teams.microsoft.com, anydesk.com, putty.org).
- Keep Windows Update and Microsoft Defender current — Microsoft has been pushing certificate revocations through normal updates.
- If you've installed something "free" in the last few weeks and your PC is suddenly slow, crashing, or showing strange pop-ups, get it scanned before logging into banking or email. A slow, sluggish machine after a bad install often just needs a clean wipe and a fresh SSD setup to get back to normal.
- For small businesses: make sure you have offline backups. Signed malware is specifically designed to slip past the protections that stop unsigned junk.
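For readers comfortable with a PowerShell window, here is an added example (not from this article, and not Microsoft's or any vendor's tooling) of what to look at before double-clicking a downloaded installer. It reports whether Windows considers the signature valid, who signed the file, how long the signing certificate was valid for (the Fox Tempest certificates were short-lived), whether the signature is timestamped, and the file's SHA-256 hash so you can compare it with the value the vendor publishes. The "ExpectedPublisher" string and the 30-day threshold are illustrative choices of mine, not figures from the article.

```powershell
# Added example, not part of the original article and not Microsoft's tooling.
# Inspects an installer's Authenticode signature before it is run and reports
# the traits a defender wants to see. The -ExpectedPublisher value and the
# 30-day "short-lived" threshold are illustrative assumptions.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,

        # Substring expected in the signer's Subject, e.g. 'Microsoft Corporation'
        # for a Teams installer. Illustrative; set it for the vendor you expect.
        [string]$ExpectedPublisher = '',

        # Certificates valid for fewer days than this get flagged. Illustrative.
        [int]$ShortLivedDays = 30
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $cert  = $sig.SignerCertificate
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $flags = New-Object System.Collections.Generic.List[string]

    # A status other than Valid means unsigned, tampered, untrusted, or revoked.
    if ($sig.Status -ne 'Valid') {
        $flags.Add("Signature status is '$($sig.Status)', not Valid")
    }

    $signer = $null; $issuer = $null; $notBefore = $null; $notAfter = $null
    $validityDays = $null

    if ($null -ne $cert) {
        $signer    = $cert.Subject
        $issuer    = $cert.Issuer
        $notBefore = $cert.NotBefore
        $notAfter  = $cert.NotAfter
        $validityDays = [int]($cert.NotAfter - $cert.NotBefore).TotalDays

        # Short validity window: worth a second look even when Status is Valid.
        if ($validityDays -lt $ShortLivedDays) {
            $flags.Add("Signing certificate valid for only $validityDays day(s)")
        }

        # Signer name must match the vendor you think you downloaded from.
        if ($ExpectedPublisher -and ($cert.Subject -notlike "*$ExpectedPublisher*")) {
            $flags.Add("Signer '$($cert.Subject)' does not match expected publisher '$ExpectedPublisher'")
        }

        # Legitimate release builds are normally countersigned with a timestamp.
        if ($null -eq $sig.TimeStamperCertificate) {
            $flags.Add('Signature is not timestamped')
        }
    }
    else {
        $flags.Add('No signer certificate present')
    }

    [pscustomobject]@{
        File         = $Path
        SHA256       = $hash
        Status       = $sig.Status
        Signer       = $signer
        Issuer       = $issuer
        NotBefore    = $notBefore
        NotAfter     = $notAfter
        ValidityDays = $validityDays
        Timestamped  = ($null -ne $sig.TimeStamperCertificate)
        Flags        = $flags.ToArray()
        Suspicious   = ($flags.Count -gt 0)
    }
}

# Usage (placeholder path): check a downloaded Teams installer and expect a
# Microsoft-signed file. Compare SHA256 with the hash on the vendor's site.
# Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\TeamsSetup.exe" `
#     -ExpectedPublisher 'Microsoft Corporation' | Format-List
```

A "Valid" status only says that Windows trusts the certificate chain, which is exactly the trust this campaign abused; the signer name, the validity window, and a hash that matches the vendor's download page together tell you far more than the status field alone. If anything in Flags is populated, don't run the file.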
What This Means for York, PA
York-area small businesses and home users are exactly the target profile for these signed-malware campaigns — one wrong click on a fake "Teams" installer can lock up a whole office network. If you suspect an infection or your PC is behaving oddly after a recent download, walk it into York Computer Repair at 2069 Carlisle Rd before the problem spreads to shared drives or backups.