Microsoft Disables Malware-Signing Service Linked to Ransomware Attacks

Microsoft Disrupts Malware-Signing Operation Linked to Cybercrime Group

On Tuesday, Microsoft announced that it had disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company’s Artifact Signing system to distribute malicious software, including ransomware, to thousands of machines and networks worldwide. The operation, attributed to a group Microsoft tracks as Fox Tempest, began in May 2025; Microsoft’s disruption effort is codenamed OpFauxSign.

According to Microsoft officials, Fox Tempest’s operation allowed cybercriminals to disguise harmful software as legitimate applications. By compromising the signing process, these actors successfully delivered malicious code under the guise of trusted software, raising serious concerns about cybersecurity across various sectors.

Steven Masada, an assistant general counsel at Microsoft’s Digital Crimes Unit, elaborated on the company’s efforts, stating, "To disrupt the service, we seized Fox Tempest’s website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code." This statement underscores the scale and precision of Microsoft’s intervention against this cybercriminal operation.

Microsoft’s investigation revealed that Fox Tempest played a critical role within the broader cybercrime landscape, facilitating the deployment of the Rhysida ransomware and other malware variants linked to various criminal organizations. Among those affiliated with Fox Tempest are noted groups such as Vanilla Tempest, which has been involved in significant attacks on sectors including healthcare, education, government, and financial services located in countries like the United States, France, India, and China.

The Artifact Signing service, previously known as Azure Trusted Signing, provides developers with a secure method to build and distribute applications while verifying the integrity of the software. However, Fox Tempest exploited this mechanism to create short-lived, fraudulent code-signing certificates, allowing them to deliver trusted, signed malware. Microsoft noted that these certificates were only valid for 72 hours, complicating tracking efforts.

Microsoft explained that acquiring legitimate signed certificates through Artifact Signing necessitates detailed identity validation processes. This strongly suggests that Fox Tempest used stolen identities, predominantly from the United States and Canada, to pose as legitimate entities in acquiring the digital credentials necessary for signing. This revelation highlights the sophisticated methods employed by cybercriminals to elude security systems.

The SignSpace website, built on top of the Artifact Signing service, let customers upload malicious files through an administrative panel and have them signed with certificates Fox Tempest had obtained illicitly. Signed this way, malware could pass as reputable software such as AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex. Prices for the service ranged from $5,000 to $9,000.
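The two observable traits described above, a validly signed binary whose leaf certificate lived only about 72 hours and whose signer does not match the publisher the file claims to be, can be turned into a triage script. The following is an added example, not code from the article or from Microsoft; the folder, the 72-hour threshold and the product-to-publisher map are assumptions to adapt to your environment.

```powershell
# Added example: flag validly signed binaries with a very short-lived leaf certificate
# and/or a signer that does not match the publisher the file metadata claims.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",   # assumption: where downloads land
    [int]$MaxWindowHours = 72                         # assumption: threshold taken from the article
)

# Constructed map of product keyword -> expected signer substring (assumption; tune to your fleet)
$ExpectedSigner = @{
    'AnyDesk' = 'AnyDesk'
    'Teams'   = 'Microsoft'
    'PuTTY'   = 'Simon Tatham'
    'Webex'   = 'Cisco'
}

Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll,*.msi -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    # Only signatures Windows considers valid matter here; unsigned files fail other controls anyway
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }

    $cert    = $sig.SignerCertificate
    $window  = ($cert.NotAfter - $cert.NotBefore).TotalHours
    $info    = $_.VersionInfo
    $claimed = "$($info.ProductName) $($info.CompanyName) $($info.FileDescription)"

    $reasons = @()
    if ($window -le $MaxWindowHours) {
        $reasons += "leaf certificate valid for only $([math]::Round($window, 1)) hours"
    }
    foreach ($keyword in $ExpectedSigner.Keys) {
        if ($claimed -match $keyword -and $cert.Subject -notmatch [regex]::Escape($ExpectedSigner[$keyword])) {
            $reasons += "file claims to be '$keyword' but signer subject is '$($cert.Subject)'"
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            File      = $_.FullName
            Signer    = $cert.Subject
            Issuer    = $cert.Issuer
            NotBefore = $cert.NotBefore
            NotAfter  = $cert.NotAfter
            Reasons   = ($reasons -join '; ')
        }
    }
} | Format-Table -AutoSize -Wrap
```

A short validity window on its own is a triage signal, not proof of abuse; the signer-mismatch check is the stronger indicator and the two are most useful together.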

The threat actor later adapted its model, beginning in February 2026, by providing customers with pre-configured virtual machines (VMs) hosted on Cloudzy. This shift facilitated direct uploads of the required artifacts to the attacker-controlled infrastructure, further streamlining the process of obtaining signed binaries. Microsoft emphasized that this evolution in infrastructure not only reduced the friction for customers but also improved operational security for Fox Tempest, enabling the mass distribution of trusted, yet malicious, software.

Vanilla Tempest, one of the groups that used the service to distribute signed binaries, amplified the threat with targeted advertisements that lured users searching for Microsoft Teams to counterfeit download pages. Those downloads led to the deployment of additional malware, including the Oyster backdoor, a versatile implant used to deliver Rhysida ransomware.

Despite the proactive measures undertaken by Microsoft, including the revocation of illicitly obtained certificates and the disabling of fraudulent accounts, Fox Tempest exhibited a relentless adaptability to its tactics, even attempting to pivot to alternative code-signing services. Legal documentation has surfaced revealing that Microsoft collaborated with a "cooperative source" to test and purchase access to this illicit MSaaS between February and March 2026.

In closing, Microsoft stated, "When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe. Disrupting that capability is key to raising the cost of cybercrime." The point is that dismantling the methods criminals use to make their operations look legitimate raises the cost and risk of cybercrime itself, and that this contest continues to evolve as both technology and tactics advance.
