Microsoft has announced the disruption of a major malware-signing-as-a-service (MSaaS) operation that abused the company’s Artifact Signing platform to distribute malicious software disguised as legitimate applications.
The cybercriminal operation, tracked by Microsoft as Fox Tempest, allegedly helped threat actors deploy ransomware and malware across thousands of compromised systems worldwide. The takedown effort has been internally named Operation FauxSign (OpFauxSign).
According to Microsoft, Fox Tempest had been active since May 2025 and provided cybercriminals with a service that digitally signed malware using fraudulently obtained certificates. This made malicious files appear trustworthy and allowed them to bypass security defenses.
Microsoft Seizes Infrastructure Behind the Operation
Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit, confirmed that the company seized the domain signspace[.]cloud, shut down hundreds of virtual machines tied to the operation, and blocked access to infrastructure hosting the service’s source code.
The operation played a key role in enabling attacks involving several malware families and ransomware groups, including:
- Rhysida ransomware
- Oyster malware
- Lumma Stealer
- Vidar malware
Microsoft also linked Fox Tempest to affiliates connected with well-known ransomware strains such as:
- INC
- Qilin
- BlackByte
- Akira
Victims reportedly included organizations in the healthcare, education, government, and financial sectors across countries including the United States, France, India, and China.
How the Attack Worked
Fox Tempest abused Microsoft’s Artifact Signing service, previously known as Azure Trusted Signing, which is designed to help developers securely sign legitimate applications.
The attackers allegedly used stolen identities from the United States and Canada to pass Microsoft’s identity verification checks and obtain valid signing credentials. These certificates remained active for only 72 hours, which made them difficult to detect before they were abused.
Cybercriminal customers could upload malware through a dedicated admin panel and receive digitally signed malicious binaries in return. Signed malware was then disguised as trusted software such as:
- AnyDesk
- Microsoft Teams
- PuTTY
- Cisco Webex
The service reportedly charged customers between $5,000 and $9,000.
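For defenders, the two traits described above (a valid signature on a file that claims to be well-known software, and a signing certificate that lives only 72 hours) can be combined into a triage rule. The sketch below is an added example, not code from Microsoft or from the operation. The record fields, the publisher strings and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: publisher names the defender has confirmed from known-good
# installers; the strings below are illustrative and must be verified locally.
EXPECTED_PUBLISHERS = {
    "anydesk": "AnyDesk Software GmbH",
    "microsoft teams": "Microsoft Corporation",
    "putty": "Simon Tatham",
    "cisco webex": "Cisco Webex LLC",
}
SHORT_LIVED = timedelta(hours=72)  # certificate lifetime reported in the article

def review_reasons(rec):
    """Return the reasons a validly signed binary still deserves review."""
    reasons = []
    product = rec["product_name"].lower()
    signer = rec["signer_cn"].strip().lower()
    for name, publisher in EXPECTED_PUBLISHERS.items():
        if name in product and signer != publisher.lower():
            reasons.append(f"claims {name!r} but signed by {rec['signer_cn']!r}")
    lifetime = (datetime.fromisoformat(rec["not_after"])
                - datetime.fromisoformat(rec["not_before"]))
    if lifetime <= SHORT_LIVED:  # weak signal alone; it raises priority when combined
        reasons.append(f"signing certificate valid for only {lifetime}")
    return reasons

def triage(records):
    """Rank flagged files so those with the most independent reasons come first."""
    flagged = [(rec["file"], review_reasons(rec)) for rec in records]
    flagged = [(name, why) for name, why in flagged if why]
    return sorted(flagged, key=lambda item: -len(item[1]))

# Constructed sample records (not real telemetry): fields a collector would
# export from each file's version info and Authenticode signer certificate.
SAMPLE = [
    {"file": "MSTeamsSetup.exe", "product_name": "Microsoft Teams",
     "signer_cn": "Example Holdings LLC",
     "not_before": "2026-03-01T09:00:00", "not_after": "2026-03-04T09:00:00"},
    {"file": "putty-installer.msi", "product_name": "PuTTY",
     "signer_cn": "Simon Tatham",
     "not_before": "2025-01-10T00:00:00", "not_after": "2028-01-10T00:00:00"},
    {"file": "buildtool.exe", "product_name": "Internal Build Tool",
     "signer_cn": "Example Dev Team",
     "not_before": "2026-03-02T08:00:00", "not_after": "2026-03-05T08:00:00"},
]

if __name__ == "__main__":
    for file, reasons in triage(SAMPLE):
        print(file, "->", "; ".join(reasons))
```

On Windows, the signer subject, validity dates and product name can be collected with `Get-AuthenticodeSignature` and the file's version information before being fed to a rule like this.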
Shift to Pre-Configured Virtual Machines
Beginning in February 2026, Fox Tempest evolved its operation by offering pre-configured virtual machines hosted through Cloudzy. This allowed customers to directly upload malware to attacker-controlled infrastructure and receive signed binaries more efficiently.
Microsoft said the move improved operational security for the criminals and streamlined large-scale malware delivery.
Fake Microsoft Teams Ads Used in Attacks
One notable attack chain involved threat actors linked to Vanilla Tempest, who purchased legitimate online advertisements that redirected users searching for Microsoft Teams to fake download websites.
Victims unknowingly downloaded malware signed through the Fox Tempest service, leading to infections with Oyster malware and eventually the deployment of Rhysida ransomware.
Microsoft Says Cybercriminals Adapted Quickly
Microsoft revealed that Fox Tempest continuously adjusted its tactics whenever the company disabled fraudulent accounts or revoked malicious certificates. The threat actor even attempted to migrate to alternative code-signing services.
Court documents also show that Microsoft investigators worked with a cooperative source to secretly purchase and test the service between February and March 2026 as part of the investigation.
Why This Matters
Digitally signed software is generally trusted by operating systems and security tools. By abusing trusted signing services, attackers can make malware appear legitimate, significantly increasing the success rate of cyberattacks.
Microsoft emphasized that disrupting these services is critical to weakening the cybercrime ecosystem and increasing operational costs for ransomware groups.
“When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe,” Microsoft stated.
