"This fraudulent code-signing acts as a fake ID that lets cybercriminals get into the systems by walking right through the front door," Steven Masada, global head of Microsoft DCU, said during Microsoft's briefing on May 18, 2026.
Microsoft Digital Crimes Unit undercover engagement and legal action
On May 19, 2026, Microsoft unsealed a civil case in the US District Court for the Southern District of New York aimed at Fox Tempest, a group Microsoft describes as a financially motivated enabler in the malware and ransomware supply chain. The company said its Digital Crimes Unit (DCU) used undercover personas to engage the group's operators, gathered evidence of the operation, and partnered with hosting companies to disrupt infrastructure. Microsoft is now working with the FBI and Europol’s European Cybercrime Centre (EC3) to identify the people behind Fox Tempest.
Fox Tempest’s “malware-signing-as-a-service” (MSaaS)
Microsoft assessed that Fox Tempest operated a commercial offering it labeled "malware-signing-as-a-service" (MSaaS). According to DCU investigators, the service allowed customers to disguise malware as legitimate software by applying fraudulent code-signing, including abuse of code-signing systems such as Microsoft's Artifact Signing (introduced as Trusted Signing in 2024). DCU principal investigator Maurice Mason described the group as operating "in the upstream in the malware and ransomware supply chain, as an enabler."
Microsoft observed that access to the signing service was brokered by a seller identified as SamCodeSign, who had been selling code-signing certificates since at least 2020. The DCU recorded three pricing tiers offered by SamCodeSign: a standard queue at $5,000; a priority sale at $7,500; and an expedited sale at $9,500.
Connections to Rhysida, Storm-2501, Storm-0249 and other malware strains
The lawsuit named Rhysida — tracked by Microsoft as Vanilla Tempest — as a co-conspirator. Microsoft said Fox Tempest worked closely with several ransomware groups, including Storm-2501, Storm-0249 and Rhysida. Rhysida has been linked by Microsoft to multiple cyber-attacks between 2023 and April 2026 against schools, hospitals, medical institutions and other critical infrastructure organizations worldwide; Microsoft also cited specific incidents including an October 2023 hack of the British Library and a September 2024 data extortion attack against Seattle-Tacoma International Airport.
Microsoft identified the Fox Tempest signing tool within deployments of numerous malware strains, including Aurora, Lumma Stealer, Malcert, Oyster, Vidar and others. The tool was also detected in some campaigns attributed by several experts to MuddyWater, a cyber-espionage group several experts associate with Iran's Ministry of Intelligence and Security (MOIS), according to Microsoft.
Infrastructure, takedown actions and observed effects
DCU investigators traced initial Fox Tempest infrastructure to a site called Signspace[dot]cloud and identified hosting support from legitimate providers including UK-based Freak Hosting and Estonia-based Wavecom. In January 2026, Microsoft said the group shifted its infrastructure to Cloudzy, a Dubai-based VPS provider.
On May 5, Microsoft filed a civil action in the Southern District of New York and obtained a court order three days later. With that authority and cooperation from hosting providers, the DCU transferred malicious domains to a Microsoft-owned sinkhole, disabled hundreds of virtual machines hosted on Cloudzy, took down roughly 1,000 accounts, and suspended the threat actor's repository. Microsoft reported a significant decrease in Fox Tempest-made certificates after those actions.
What this means for technologists, law enforcement, and affected institutions
- Technologists and security teams: Microsoft highlighted how labels such as “verified,” “secure” and “safe to install” can be manipulated when fraudulently signed code is used. The DCU's observations — including a measurable drop in Fox Tempest-made certificates — underline the operational effect of coordinated disruption against signing abuse.
- Law enforcement and international partners: The company is coordinating with the FBI and Europol’s EC3 to identify actors behind Fox Tempest, illustrating cross-border investigative work tied to a US civil court filing and cooperation with hosting providers in multiple jurisdictions.
- Affected institutions (schools, hospitals, airports): Microsoft linked Rhysida-associated operations to attacks on education, healthcare and critical infrastructure organizations worldwide, reinforcing the DCU's framing of Fox Tempest as an upstream enabler whose services amplified downstream harm.
Microsoft framed the takedown as a rare, public action against an often-invisible enabler within the cybercrime ecosystem. "For the first time, Microsoft is taking public action against a powerful, but often unseen, enabler within the cybercrime ecosystem," Steven Masada said, adding that the disruption targeted how criminals prepare and optimize their success rates. The company continues to pursue identity discovery through legal channels and international law-enforcement partners as it works to limit the availability of fraudulent code-signing services.




