Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Disrupts Malware-Signing Service Used in Ransomware Attacks

Rows of servers and equipment in a data center, some partially disassembled.

"To disrupt the service, we seized Fox Tempest's website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code," Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, said.

OpFauxSign: seizure and scope

Microsoft said the action — codenamed OpFauxSign — removed a malware-signing-as-a-service (MSaaS) operation that the company attributed to a threat actor it calls Fox Tempest. According to Microsoft, Fox Tempest has been active since May 2025 and weaponized the company's Artifact Signing system to generate fraudulent code-signing certificates and deliver signed malware at scale. Microsoft reported seizing the SignSpace website (signspace[.]cloud), taking offline hundreds of virtual machines, and blocking access to a site that hosted the operation's underlying code.

How Fox Tempest's MSaaS worked

Microsoft described SignSpace as a service built on Artifact Signing that enabled secure file signing through an admin panel and user page, leveraging Azure subscriptions, certificates, and a structured user-and-file database. The threat actor allegedly obtained legitimate signed certificates through Artifact Signing — formerly Azure Trusted Signing — after passing the platform's identity-validation processes. Microsoft said these verifiable-credential (VC) checks suggest Fox Tempest very likely used stolen identities based in the United States and Canada to masquerade as legitimate entities.

The company said the certificates generated by Fox Tempest were deliberately short‑lived — valid for only 72 hours — and that the service charged criminal customers between $5,000 and $9,000. Starting in February 2026, Microsoft said the operation shifted to supplying customers with pre‑configured virtual machines hosted on Cloudzy, allowing direct upload of artifacts to attacker‑controlled infrastructure and return of signed binaries.

Malware families, affiliates, and victims

Microsoft tied Fox Tempest's service to the deployment of Rhysida ransomware by actors such as Vanilla Tempest, and to other malware families including Oyster, Lumma Stealer, and Vidar. It also reported connections between Fox Tempest and affiliates associated with prominent ransomware strains INC, Qilin, BlackByte, and Akira. According to Microsoft, attacks using signed malware targeted healthcare, education, government, and financial services across the U.S., France, India, and China.

The company said signed malware was made to resemble legitimate applications — AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex — and that actors like Vanilla Tempest distributed signed binaries via legitimately purchased advertisements that redirected users searching for Microsoft Teams to bogus download pages. Microsoft identified Oyster (also called Broomstick or CleanUpLoader) as a modular implant and loader used to deliver Rhysida ransomware in that chain.

Microsoft's countermeasures and Fox Tempest's adaptations

Microsoft said it repeatedly disabled fraudulent accounts and revoked illicitly obtained certificates as it detected abuse. The company added that Fox Tempest continually adapted its tradecraft in response, including shifting to the Cloudzy‑hosted VM model and attempting to move to a different code‑signing service. Court documents cited by Microsoft show the company worked with a "cooperative source" to purchase and test the signing service between February and March 2026.

Microsoft framed the takedown as an effort to restore trust in software provenance. "When attackers can make malicious software look legitimate, it undermines how people and systems decide what's safe," Redmond said. "Disrupting that capability is key to raising the cost of cybercrime."

What this means for technologists, policymakers, and enterprises

  • Technologists and security teams: Microsoft’s account underscores a need to inspect signed artifacts with fresh skepticism — short‑lived certificates and legitimate‑looking installers can still be malicious, and operational defenses may need to track signing origin, certificate issuance timing, and anomalous distribution methods such as redirected ad traffic.
  • Policymakers and procurement leaders: The alleged use of stolen U.S. and Canadian identities to pass verifiable‑credential checks highlights a gap between identity‑proofing controls and abuse prevention; procurement rules that assume signed software equals safe software may need reevaluation in light of MSaaS abuse.
  • End users and enterprise IT: Microsoft’s findings show that attackers can mimic widely used tools (AnyDesk, Microsoft Teams, PuTTY, Cisco Webex) and that legitimate advertising channels can be abused to funnel victims to malicious installers, so verification of download sources and stronger distribution controls remain immediate priorities.

Microsoft's disruption of Fox Tempest removed a ready-made capability that criminal customers used to make malware look legitimate, but the company's own disclosures show the operation adapted repeatedly as Microsoft intervened. The seizure raises a pointed question left in the record: whether short‑lived certificate issuance and current identity verification processes are sufficient to prevent a commercially run MSaaS from reemerging. As Microsoft framed it, raising the cost of these services is the objective — how industry and policy respond to that challenge will determine whether the disruption is temporary or structural.

https://thehackernews.com/2026/05/microsoft-takes-down-malware-signing.html