Fox Tempest MSaaS: Defending Against Malicious Code Signing Abuse

The discovery of Fox Tempest marks a significant evolution in the cybercriminal ecosystem. This financially motivated actor is not merely deploying malware; they are operating a Malicious Software-signing-as-a-Service (MSaaS). By selling code-signing capabilities to other prominent threat groups, including Vanilla Tempest and various Storm-affiliated actors, Fox Tempest is systematically dismantling a core pillar of Windows defense: the trust model.

This operation allows cybercriminals to distribute malicious payloads—primarily ransomware and encryption-based tools—that appear legitimate to operating systems and endpoint security solutions. When a binary is signed with a valid certificate, it bypasses critical security controls like Microsoft Defender SmartScreen and can evade application control (AppLocker) policies that trust specific publishers.

Defenders can no longer rely on file signature validity as a sole indicator of trust. We must shift our posture to inspecting the behavior of signed binaries and auditing the provenance of certificates executing within our environments.

Technical Analysis

Threat Actor: Fox Tempest (aka Proxy Life) Alias/Associations: Vanilla Tempest, Storm-xxxxx groups Service Type: Malicious Software-signing-as-a-Service (MSaaS)

The Attack Chain

Payload Generation: A customer (e.g., a ransomware affiliate) develops the malicious payload (e.g., an encryption binary or loader).
Signing Service: The payload is submitted to Fox Tempest.
Malicious Signing: Fox Tempest signs the binary using a compromised or fraudulently obtained code-signing certificate.
Distribution: The "trusted" malware is distributed, often via ISO files or phishing attachments.
Execution & Bypass: The victim opens the file. Windows validates the signature, sees it is valid, and allows execution without triggering standard "unverified publisher" warnings or SmartScreen blocks.

Affected Components:

Windows Authenticode: The primary mechanism being abused.
Code Signing Policies: Trust stores that validate the root and intermediate CAs.

Exploitation Status: Microsoft confirms active exploitation in the wild. This is not theoretical; Fox Tempest is currently facilitating high-impact encryption-based incidents. While there is no single CVE to patch, this is a vulnerability in the trust validation logic of many security architectures.

Detection & Response

Detecting MSaaS abuse requires looking for anomalies in where signed code runs and what it does, rather than just trusting the signature itself.

SIGMA Rules

The following rules target the suspicious execution of signed binaries from user-writable directories (a common TTP for signed malware droppers).

YAML

---
title: Fox Tempest MSaaS - Signed Binary Executing from User Profile
id: 8d4e2a1f-9c5b-4b7d-8e3f-1a2b3c4d5e6f
status: experimental
description: Detects the execution of a validly signed binary from a user-writable directory (AppData, Downloads, Public), a common indicator of MSaaS abuse or signed malware delivery.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/
author: Security Arsenal
date: 2026/05/20
tags:
  - attack.defense_evasion
  - attack.signed_binary_proxy
  - attack.t1218
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    SignatureStatus: 'Valid'
    Image|contains:
      - '\AppData\'
      - '\Downloads\'
      - '\Public\'
      - '\Desktop\'
  filter_legit:
    Image|contains:
      - '\Teams\'
      - '\Microsoft\Edge\'
      - '\Google\Chrome\'
      - '\Mozilla\Firefox\'
      - '\Zoom\'
      - '\Slack\'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate software installers or updates launched from user downloads (rare for enterprise managed endpoints)
level: high
---
title: Suspicious Code Signing Activity on Endpoint
id: 9f5e3b2a-0d6c-4e8a-9f1a-2b3c4d5e6f7a
status: experimental
description: Detects the usage of code signing tools (signtool.exe) on non-developer workstations. Fox Tempest signs the malware before delivery, but internal compromise to sign tools is also a risk.
references:
  - https://attack.mitre.org/techniques/T1116/
author: Security Arsenal
date: 2026/05/20
tags:
  - attack.defense_evasion
  - attack.t1116
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\signtool.exe'
      - '\certutil.exe'
    CommandLine|contains:
      - 'sign'
      - '-p'
  filter_developer:
    Image|contains:
      - '\Windows Kits\'
      - '\Microsoft SDKs\'
      - '\Program Files (x86)\Windows Kits\'
  condition: selection and not filter_developer
falsepositives:
  - Administrators signing scripts on management servers (rare)
level: medium

KQL (Microsoft Sentinel)

This hunt queries for processes that are signed but executed from suspicious locations, leveraging DeviceProcessEvents.

KQL — Microsoft Sentinel / Defender

DeviceProcessEvents
| where Timestamp > ago(7d)
| where isnotempty(Signer)
| where FolderPath startswith @"C:\Users\" and (FolderPath contains @"\AppData\" or FolderPath contains @"\Downloads\")
// Filter out common browsers and known safe signed apps in user directories
| where FileName !in ~("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "zoom.exe", "slack.exe", "outlook.exe")
| extend SignerStatus = iff(IsSigned == true, "Signed", "Unsigned")
| where SignerStatus == "Signed"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256, Signer, ProcessCommandLine
| sort by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for signed files in user directories that are not part of the standard OS or known software catalog.

VQL — Velociraptor

-- Hunt for signed binaries in user-writable directories
SELECT FullPath, Size, Mtime, 
       parse_string(data=Name, regex='.*\.(exe|dll|sys)') as Extension,
       hash(path=FullPath) as Hash
FROM glob(globs="/*/*/Users/*/AppData/**/*.{exe,dll}", 
          nosymlink=TRUE)
WHERE signature(filename=FullPath).Status = "VALID"
  // Optional: Exclude specific common benign paths if noisy
  AND FullPath NOT =~ "Microsoft"
  AND FullPath NOT =~ "Google"
  AND FullPath NOT =~ "Mozilla"

Remediation Script (PowerShell)

Use this script to audit and identify potentially suspicious signed executables in user profiles that may have been delivered via Fox Tempest services. This does not automatically delete files but flags them for investigation.

PowerShell

<#
.SYNOPSIS
    Audit Script: Detects suspicious signed executables in user profiles.
.DESCRIPTION
    Scans user directories for signed executables and exports findings for IR review.
#>

$SuspiciousPaths = @(
    "$env:SystemDrive\Users\*\Downloads\*.exe",
    "$env:SystemDrive\Users\*\AppData\Local\Temp\*.exe",
    "$env:SystemDrive\Users\*\Desktop\*.exe",
    "$env:SystemDrive\Users\*\AppData\Roaming\*.exe"
)

$Report = @()

foreach ($Path in $SuspiciousPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $File = $_
            try {
                $Sig = Get-AuthenticodeSignature -FilePath $File.FullName
                if ($Sig.Status -eq 'Valid') {
                    # Filter out very common trusted publishers to reduce noise, or remove for full audit
                    if ($Sig.SignerCertificate.Subject -notmatch "Microsoft" -and 
                        $Sig.SignerCertificate.Subject -notmatch "Google" -and
                        $Sig.SignerCertificate.Subject -notmatch "Oracle") {
                        
                        $Report += [PSCustomObject]@{
                            Path         = $File.FullName
                            Signer       = $Sig.SignerCertificate.Subject
                            Issuer       = $Sig.SignerCertificate.Issuer
                            Status       = $Sig.Status
                            TimeStamp    = $File.LastWriteTime
                            SizeMB       = [math]::Round($File.Length / 1MB, 2)
                        }
                    }
                }
            }
            catch {
                # Ignore access errors
            }
        }
    }
}

if ($Report.Count -gt 0) {
    $Report | Format-Table -AutoSize
    $Report | Export-Csv -Path "C:\Temp\FoxTempest_SignedAudit.csv" -NoTypeInformation
    Write-Host "[+] Audit complete. Report saved to C:\Temp\FoxTempest_SignedAudit.csv" -ForegroundColor Cyan
} else {
    Write-Host "[+] No suspicious signed executables found in user directories." -ForegroundColor Green
}

Remediation

Isolate and Investigate: If the Sigma rules or audit script identify signed executates in AppData or Downloads, do not trust them solely based on their signature. Isolate the host and submit the file to a sandbox (e.g., VirusTotal, Hybrid Analysis) for behavioral analysis.
Certificate Revocation: While Fox Tempest often uses compromised certificates, verify if the identified signer certificate is known to be compromised. If so, add the certificate thumbprint to your organization's "Untrusted Certificates" store via Group Policy.
Application Control (AppControl/WDAC): Move beyond a trust-list model. Implement Windows Defender Application Control (WDAC) in "Audit Mode" initially, configured to require specific signing policies rather than just any valid signature.
Update Mark-of-the-Web (MotW) Policies: Ensure your SmartScreen settings are aggressive. Ensure that files downloaded from the internet are flagged with MotW and that PowerShell policies prevent running scripts or executables that bypass MotW.
User Awareness: Reiterate to users that a "Publisher: Verified" dialog box is no longer a guarantee of safety. Caution should still be exercised with unexpected attachments.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub