Fox Tempest: AI-Themed Malvertising Delivers Signed Malware at Scale

Cybercriminals are cashing in on the excitement around artificial intelligence. Microsoft uncovered a wave of attacks that disguise malware as popular AI tools like ChatGPT, Claude, and DeepSeek. Victims who search for these tools find fake installers and ads that deliver password-stealing malware instead of the real software.

What makes this campaign effective is a forgery service. One criminal group runs a business that stamps malware with fake digital signatures, the same seal of approval that tells a computer a program is safe. Think of it as a counterfeit notary that makes fraudulent documents look official. With that trusted stamp, the malware slips past defenses that normally block unknown programs.

The payoff is stolen data. Once installed, the malware harvests saved passwords, browser sessions, and login tokens, and it opens the door for ransomware groups. Microsoft found campaigns reaching tens of thousands of organizations across multiple countries. For businesses, the risk is account takeover, financial fraud, and follow-on attacks that begin with one employee chasing a popular AI tool.

Hunting Controls & Observations

This activity links an initial access broker (Storm-3075), a malware-signing-as-a-service operation (Fox Tempest), and downstream actors who distribute information stealers and ransomware. Because the malware carries valid signatures, detection depends on behavior and certificate context rather than trust alone. Organizations can detect this activity through multiple telemetry sources:

  • Endpoint Controls: EDR/XDR, Sysmon (Events 1, 3, 7, 11), antivirus detections, and code-signing certificate context (signer, issue date, revocation status)
  • Network Controls: Firewall and proxy logs, DNS query logs, and TLS inspection for connections to malvertising redirectors and command-and-control hosts
  • Identity & Access Controls: Microsoft Entra (Azure AD) sign-in logs, risky sign-in and token anomaly detections, and impossible-travel signals
  • Cloud & SaaS Controls: Email gateway logs with Safe Links, code-signing service audit logs, and search or advertisement referrer data

Behavioral Indicators of Attack

The following behaviors distinguish this activity from legitimate software installation:

  • Execution of installers carrying valid but very recently issued, short-lived code-signing certificates, or certificates that are later revoked
  • Fake AI-tool installers writing a Python downloader saved as pythonw.exe alongside a LICENSE.txt file into the user's local application data folder
  • A checkpoint or "Continue" prompt that gates payload execution to evade automated sandbox analysis
  • A signed binary downloading shellcode from an external host and loading an information stealer in memory
  • Newly signed, trojanized versions of legitimate remote-access tools such as Teams, AnyDesk, PuTTY, and Webex
  • Bulk access to browser credential stores and session cookies shortly after installation
  • Token replay, impossible travel, and sign-ins from unfamiliar properties following a malware execution
  • Outbound connections to advertising redirectors and command-and-control domains after an ad click or search result

MITRE Enterprise ATT&CK Tactics and Techniques

This activity spans resource development through command and control:

Controls' Observables

Endpoint Controls

Endpoint platforms can identify the activity by correlating signature context with execution behavior:

  • Short-lived or revoked code-signing certificate execution: Signed binaries whose certificates were issued within days of execution or later revoked.
    • Related MITRE Techniques: T1553.002, T1588.003
    • Detection Difficulty: HIGH
  • Fake AI installer dropping a Python downloader: An installer writing pythonw.exe and LICENSE.txt into local application data, then executing it.
    • Related MITRE Techniques: T1204.002, T1059.006, T1036.005
    • Detection Difficulty: MEDIUM
  • In-memory stealer loading: A signed or scripted process retrieving shellcode and loading an information stealer without writing it to disk.
    • Related MITRE Techniques: T1620, T1555.003
    • Detection Difficulty: HIGH

Network Controls

Network telemetry exposes delivery and command-and-control:

  • Connections to malvertising redirectors and C2 hosts: Traffic to known redirector and command-and-control domains following an ad click or search result.
    • Related MITRE Techniques: T1071.001, T1583.008
    • Detection Difficulty: MEDIUM
  • Payload retrieval by a freshly installed binary: A newly executed installer immediately fetching a second-stage payload from an external host.
    • Related MITRE Techniques: T1071.001
    • Detection Difficulty: MEDIUM

Identity & Access Controls

Identity telemetry reveals the token theft that follows infostealer execution:

  • Risky sign-ins and token anomalies: Impossible travel, anomalous tokens, and sign-ins from unfamiliar properties after a malware run.
    • Related MITRE Techniques: T1557, T1555.003
    • Detection Difficulty: MEDIUM

Cloud & SaaS Controls

Email and code-signing telemetry catch the lure and the forgery:

  • AI-themed phishing with malicious links: Inbound mail impersonating AI brands and linking to fake installer or sign-in pages.
    • Related MITRE Techniques: T1566.002
    • Detection Difficulty: LOW
  • Anomalous code-signing service usage: Bursts of short-validity certificate issuance from cloud signing services tied to unfamiliar tenants.
    • Related MITRE Techniques: T1588.003
    • Detection Difficulty: HIGH

Insights and Recommendation

Organizations that fall victim face information-stealer theft of saved passwords, browser cookies, and session tokens, which enables account takeover even where multifactor authentication is enabled. Because Fox Tempest signs payloads for ransomware operators, including Rhysida, INC, Qilin, and BlackByte, an initial infostealer infection can escalate into full encryption and extortion. Recovery requires credential and session-token rotation, multifactor re-enrollment, removal of trust for revoked certificates, and review of any access the stolen tokens permitted.

Security teams should prioritize detection of fraudulent code signing. Treat the execution of binaries signed with short-lived or revoked certificates as high priority, and block the known certificate thumbprint where supported. Enforce SmartScreen and cloud-delivered antivirus protection, and tune for the fake AI-installer chain that drops a Python downloader into local application data. On the identity side, deploy phishing-resistant multifactor authentication and token protection, and revoke risky sessions automatically. Finally, guide users to obtain AI tools only from official vendor domains rather than search ads or code repositories.

Source and Credits

This summary is based on Microsoft Threat Intelligence's research article "AI brands as bait: How threat actors are using the AI hype in social engineering" published on June 8, 2026, with additional detail from "Exposing Fox Tempest: A malware-signing service operation" published on May 19, 2026.

Threat Hunting IOCs & Queries

The indicators below are a representative subset drawn from the Microsoft reports. Because the operators rotate certificates and infrastructure rapidly, prioritize the behavioral queries that follow over static matching.

Known Indicators of Compromise

  • Code-Signing Certificate Thumbprint (SHA-1): 4f5c5b3ef45cfff7721754487a86aeff9a2e6e32
  • Command-and-Control Domains: brokeapt[.]com, pan.ssffaa19[.]xyz, pan.rongtv[.]xyz
  • Phishing Infrastructure: dash.awaydouble[.]org, servicing.pureplantcravings[.]com
  • Redirector Services: grupoconstat[.]bitrix24[.]com[.]br, awstrack[.]me
  • Malware-Signing Portal: signspace[.]cloud (Telegram contact @arbadakarba2000)
  • Malicious Code Repositories: GitHub repositories "shippingtechnologymovie" and "DeepSeek-V4"
  • Associated Malware: Vidar and Lumma (information stealers), Oyster (backdoor); ransomware families signed via the service include Rhysida, INC, Qilin, and BlackByte
  • Host Artifacts: pythonw.exe and LICENSE.txt written to %LOCALAPPDATA%; Microsoft Defender detections Trojan:Win32/Vidar, Trojan:Win32/Malgent, Trojan:Win32/Malcert

Fake AI Installer Dropping a Python Downloader

Behavior Targeted: Detects an installer writing a Python downloader (pythonw.exe) and a LICENSE.txt file into the user's local application data folder, a pattern used by the AI-themed installers.
MITRE ATT&CK: T1204.002, T1059.006, T1036.005
Expected Results: Executable installers creating pythonw.exe and LICENSE.txt under AppData\Local, often immediately followed by pythonw.exe network activity.
False Positive Likelihood: MEDIUM. Some legitimate apps bundle Python runtimes.
Tuning Guidance: Allowlist known software that ships an embedded Python runtime and prioritize the co-occurrence of pythonw.exe with LICENSE.txt in the same user-writable path.

Splunk SPL Query

index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    earliest=-30d
    (TargetFilename="*\\AppData\\Local\\*pythonw.exe"
        OR TargetFilename="*\\AppData\\Local\\*LICENSE.txt")
| stats values(TargetFilename) AS files dc(TargetFilename) AS file_variety
    min(_time) AS firstSeen max(_time) AS lastSeen by Computer, User, Image
| where file_variety > 1
| sort - lastSeen

// TUNING: Allowlist apps that legitimately bundle an embedded Python runtime
// FALSE POSITIVES: Developer tooling and packaged Python apps
// TELEMETRY: Requires Sysmon Event ID 11 (file create)

Microsoft KQL Query (Defender/Sentinel)

DeviceFileEvents
| where Timestamp > ago(30d)
| where FileName in~ ("pythonw.exe","LICENSE.txt")
| where FolderPath has "AppData\\Local"
| summarize FileSet=make_set(FileName, 5), Paths=make_set(FolderPath, 10),
    FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName
| where array_length(FileSet) > 1
| order by LastSeen desc

// TUNING: Allowlist software that legitimately ships an embedded Python runtime
// FALSE POSITIVES: Packaged Python applications
// TELEMETRY: Microsoft Defender for Endpoint (DeviceFileEvents)

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
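The co-occurrence logic behind the two queries above, as an added Python example that is not part of the original page or the Microsoft reports: it groups constructed Sysmon Event ID 11 records by (Computer, User, Image), keeps only the groups that wrote both pythonw.exe and LICENSE.txt under AppData\Local (the `file_variety > 1` / `array_length(FileSet) > 1` condition), and applies the allowlist from the tuning guidance. The installer names, paths and the VendorTool allowlist entry are assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

def ev(t, computer, user, image, target):
    """Build a Sysmon Event ID 11 (FileCreate) record with the fields the page's queries use."""
    return {"time": t, "Computer": computer, "User": user, "Image": image, "TargetFilename": target}

# Constructed sample telemetry; hosts, users, paths and installer names are illustrative only.
SETUP = r"C:\Users\alice\Downloads\ChatGPT-Setup.exe"
VENDOR = r"C:\Program Files\VendorTool\setup.exe"
SYSMON_FILE_CREATE = [
    ev("2026-06-01T09:14:02", "WS01", r"CORP\alice", SETUP, r"C:\Users\alice\AppData\Local\AIHelper\pythonw.exe"),
    ev("2026-06-01T09:14:03", "WS01", r"CORP\alice", SETUP, r"C:\Users\alice\AppData\Local\AIHelper\LICENSE.txt"),
    # Packaged Python app that legitimately ships both files; suppressed by the allowlist below.
    ev("2026-06-01T10:02:11", "WS02", r"CORP\bob", VENDOR, r"C:\Users\bob\AppData\Local\VendorTool\pythonw.exe"),
    ev("2026-06-01T10:02:12", "WS02", r"CORP\bob", VENDOR, r"C:\Users\bob\AppData\Local\VendorTool\LICENSE.txt"),
    # Only one of the two artefacts: does not meet the co-occurrence bar (file_variety > 1).
    ev("2026-06-01T11:30:00", "WS03", r"CORP\carol", r"C:\Users\carol\Downloads\Claude-Install.exe",
       r"C:\Users\carol\AppData\Local\Temp\LICENSE.txt"),
]

LOCAL_APPDATA = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
ARTEFACTS = {"pythonw.exe", "license.txt"}
# Tuning knob from the page: installers known to bundle an embedded Python runtime (hypothetical entry).
ALLOWLISTED_IMAGES = {VENDOR.lower()}

def find_dropper_hits(events, allowlist=ALLOWLISTED_IMAGES):
    """Group FileCreate events by (Computer, User, Image) and return only the groups that
    wrote both pythonw.exe and LICENSE.txt under AppData\\Local, as the SPL/KQL above do."""
    groups = defaultdict(lambda: {"files": set(), "first": None, "last": None})
    for e in events:
        path = e["TargetFilename"]
        name = path.rsplit("\\", 1)[-1].lower()
        if name not in ARTEFACTS or not LOCAL_APPDATA.search(path):
            continue
        if e["Image"].lower() in allowlist:
            continue
        g = groups[(e["Computer"], e["User"], e["Image"])]
        g["files"].add(name)
        ts = datetime.fromisoformat(e["time"])
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    return {k: v for k, v in groups.items() if len(v["files"]) > 1}

if __name__ == "__main__":
    for (computer, user, image), hit in find_dropper_hits(SYSMON_FILE_CREATE).items():
        print(computer, user, image, sorted(hit["files"]), hit["first"], hit["last"])
```

Feeding the same records with an empty allowlist surfaces the packaged vendor tool as well, which is the false-positive case the tuning guidance describes.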

Python Downloader Beaconing to External Infrastructure

Behavior Targeted: Detects the Python downloader or a freshly installed binary retrieving a second-stage payload from an external host.
MITRE ATT&CK: T1071.001, T1620
Expected Results: pythonw.exe or recently created installers making outbound web connections to uncommon external hosts shortly after execution.
False Positive Likelihood: MEDIUM. Legitimate Python apps make network calls.
Tuning Guidance: Scope to processes launched from user-writable paths and to first-seen destination domains.

Splunk SPL Query

index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    earliest=-30d
    Image="*\\pythonw.exe"
| stats count values(DestinationHostname) AS hosts values(DestinationIp) AS ips
    min(_time) AS firstSeen max(_time) AS lastSeen by Computer, User, Image
| sort - count

// TUNING: Allowlist known internal/SaaS destinations; prioritize first-seen external hosts
// FALSE POSITIVES: Legitimate Python applications with network features
// TELEMETRY: Requires Sysmon Event ID 3 (network connection); enrich with proxy logs

Microsoft KQL Query (Defender/Sentinel)

DeviceNetworkEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "pythonw.exe"
| where RemoteUrl !endswith "microsoft.com" and isnotempty(RemoteUrl)
| summarize Count=count(), Hosts=make_set(RemoteUrl, 15),
    FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
    by DeviceName, InitiatingProcessFolderPath
| order by LastSeen desc

// TUNING: Allowlist sanctioned destinations; weight processes from user-writable folders
// FALSE POSITIVES: Legitimate Python apps with update or telemetry features
// TELEMETRY: Microsoft Defender for Endpoint (DeviceNetworkEvents)


Connections to Known Malvertising and C2 Infrastructure

Behavior Targeted: Detects endpoint connections to the campaign's command-and-control and redirector domains.
MITRE ATT&CK: T1071.001, T1583.008
Expected Results: Endpoints resolving or connecting to the listed attacker domains.
False Positive Likelihood: LOW for the specific domains.
Tuning Guidance: Treat matches as high fidelity; expand the domain list as new infrastructure is published.

Splunk SPL Query

index=network (sourcetype=pan:traffic OR sourcetype=stream:dns OR sourcetype=zscaler)
    earliest=-30d
    (query="brokeapt.com" OR query="pan.ssffaa19.xyz" OR query="pan.rongtv.xyz"
        OR dest_host="brokeapt.com" OR dest_host="dash.awaydouble.org"
        OR dest_host="servicing.pureplantcravings.com")
| stats count min(_time) AS firstSeen max(_time) AS lastSeen
    by src_ip, query, dest_host
| sort - count

// TUNING: High-fidelity domain match; add new C2 domains as they are reported
// FALSE POSITIVES: Rare; validate any benign lookalike domains
// TELEMETRY: DNS query logs, proxy logs, or firewall traffic logs

Microsoft KQL Query (Defender/Sentinel)

let c2Domains = dynamic(["brokeapt.com","pan.ssffaa19.xyz","pan.rongtv.xyz",
    "dash.awaydouble.org","servicing.pureplantcravings.com"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (c2Domains)  // term match also covers full URLs that contain a listed domain
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
    by DeviceName, InitiatingProcessFileName, RemoteUrl
| order by LastSeen desc

// TUNING: High-fidelity match; maintain the c2Domains list as new infrastructure is reported
// FALSE POSITIVES: Rare; confirm benign lookalikes
// TELEMETRY: Microsoft Defender for Endpoint (DeviceNetworkEvents)


Risky Sign-Ins and Token Anomalies After Infection

Behavior Targeted: Detects the account takeover that follows infostealer execution, including impossible travel and anomalous token use.
MITRE ATT&CK: T1557, T1555.003
Expected Results: Elevated-risk sign-ins or token anomalies for users whose endpoints showed stealer activity.
False Positive Likelihood: MEDIUM. Travel and VPN use can raise risk scores.
Tuning Guidance: Correlate risky sign-ins with endpoints that triggered the dropper or C2 queries above to raise fidelity.

Splunk SPL Query

index=azure sourcetype="azure:aad:signin"
    earliest=-30d
    (riskLevelDuringSignIn="high" OR riskLevelDuringSignIn="medium" OR riskState="atRisk")
| stats count values(ipAddress) AS ips values(appDisplayName) AS apps
    min(_time) AS firstSeen max(_time) AS lastSeen by userPrincipalName, riskLevelDuringSignIn
| sort - count

// TUNING: Correlate with endpoints flagged by the dropper/C2 queries to reduce noise
// FALSE POSITIVES: Legitimate travel and VPN egress can elevate risk
// TELEMETRY: Microsoft Entra (Azure AD) sign-in logs

Microsoft KQL Query (Defender/Sentinel)

SigninLogs
| where TimeGenerated > ago(30d)
| where RiskLevelDuringSignIn in ("high","medium") or RiskState == "atRisk"
| summarize Count=count(), IPs=make_set(IPAddress, 10), Apps=make_set(AppDisplayName, 10),
    FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated)
    by UserPrincipalName, RiskLevelDuringSignIn
| order by LastSeen desc

// TUNING: Join to DeviceNetworkEvents/DeviceFileEvents hits to confirm endpoint compromise
// FALSE POSITIVES: Legitimate travel and VPN usage
// TELEMETRY: Microsoft Entra (Azure AD) sign-in logs ingested into Sentinel

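The correlation the tuning guidance calls for, as an added Python example that is not part of the original page: risky sign-ins (high or medium risk, or an atRisk state, the same filter as the SigninLogs query) are kept only when they fall within a time window after an endpoint hit for the same account. The hit list, the sign-in records and the 72-hour window are constructed assumptions, and the on-premises account is assumed to have already been mapped to its UPN.

```python
from datetime import datetime, timedelta

# Constructed endpoint hits, shaped like the output of the dropper/C2 queries above
# (device, account, time of the suspicious event). Values are illustrative only.
ENDPOINT_HITS = [
    {"device": "WS01", "user": "alice@corp.example", "time": "2026-06-01T09:14:03"},
    {"device": "WS05", "user": "dave@corp.example", "time": "2026-06-03T15:40:00"},
]

# Constructed Entra sign-in records carrying the risk fields the SigninLogs query filters on.
SIGNIN_LOGS = [
    {"user": "alice@corp.example", "time": "2026-06-01T14:52:10", "risk": "high", "state": "atRisk", "ip": "203.0.113.7"},
    {"user": "bob@corp.example", "time": "2026-06-01T15:10:00", "risk": "medium", "state": "atRisk", "ip": "198.51.100.9"},  # no endpoint hit
    {"user": "dave@corp.example", "time": "2026-05-20T08:00:00", "risk": "high", "state": "atRisk", "ip": "203.0.113.9"},  # before the hit
    {"user": "alice@corp.example", "time": "2026-06-01T16:00:00", "risk": "none", "state": "none", "ip": "192.0.2.4"},  # not risky
]

RISKY_LEVELS = {"high", "medium"}

def correlate_risky_signins(hits, signins, window=timedelta(hours=72)):
    """Return risky sign-ins that occurred within `window` after an endpoint hit for the
    same account. A risky sign-in on its own is noisy (travel, VPN egress); one that
    follows stealer activity on that user's endpoint is the account-takeover signal."""
    hit_times = {}
    for h in hits:
        hit_times.setdefault(h["user"].lower(), []).append(datetime.fromisoformat(h["time"]))
    matches = []
    for s in signins:
        if s["risk"] not in RISKY_LEVELS and s["state"] != "atRisk":
            continue
        t = datetime.fromisoformat(s["time"])
        for hit_time in hit_times.get(s["user"].lower(), []):
            if hit_time <= t <= hit_time + window:
                matches.append({"user": s["user"], "signin_time": s["time"], "risk": s["risk"],
                                "ip": s["ip"], "endpoint_hit": hit_time.isoformat()})
                break  # one endpoint hit is enough to confirm the sign-in
    return matches

if __name__ == "__main__":
    for m in correlate_risky_signins(ENDPOINT_HITS, SIGNIN_LOGS):
        print(m)
```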