
Microsoft Disrupts Malware-Signing Service Linked to Ransomware Attacks


On Tuesday, Microsoft announced that it had disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company's Artifact Signing service to sign malware for delivery, including payloads that led to ransomware and other intrusions. According to Microsoft, thousands of machines and networks around the world were compromised with binaries signed through the service.

Microsoft attributes the operation to a group it tracks as Fox Tempest, which it says began offering the MSaaS capability as early as May 2025. The disruption was run under the code name OpFauxSign. Steven Masada, an assistant general counsel in Microsoft's Digital Crimes Unit, said the company seized the group's website, signspace[.]cloud, disabled several virtual machines that were integral to the operation, and blocked access to a site hosting the service's underlying code.

The service mattered because of who used it. Microsoft says binaries signed through it were used in Rhysida ransomware deployments by several threat actors, including the one it tracks as Vanilla Tempest. Fox Tempest's signing is also linked to the Oyster loader and the Lumma Stealer and Vidar information stealers, and to intrusions involving the INC, Qilin, BlackByte, and Akira ransomware families. Victims span healthcare, education, government, and financial services in countries including the United States, France, India, and China.

Microsoft's Artifact Signing service, formerly Azure Trusted Signing, is a fully managed code-signing service: developers sign their builds with certificates that Microsoft issues and manages, so that users and operating systems can verify who published the software. Fox Tempest did not forge these certificates; it obtained genuine ones under fraudulent identities and used them to sign malware so that it appeared to come from a vetted publisher. Each certificate is valid for only 72 hours, which works against defenders rather than for them: by the time a certificate is identified and revoked, the operator has typically already moved on to a fresh one, and an Authenticode signature that was countersigned by a timestamping authority while the certificate was valid continues to verify after the certificate expires.
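The 72-hour lifetime and the timestamping caveat are easy to check on a Windows host. The following PowerShell function is an added example, not code from the article or from Microsoft: it inspects files with the built-in Get-AuthenticodeSignature cmdlet and reports each signer certificate's validity window, whether the signature was countersigned by a timestamping authority, and whether the certificate has already expired. The 72-hour threshold comes from the article; the issuer pattern shown in the comments is an assumption for illustration, and the function itself does not filter on issuer unless you pass one. It requires Windows PowerShell or PowerShell 7 on Windows, since Get-AuthenticodeSignature is Windows-only.

```powershell
# Added example; not code from the article or from Microsoft.
# Emits one row per file with the signer certificate's lifetime, so that binaries
# signed with very short-lived certificates (72 hours in the case described) stand out.
function Get-SignerLifetimeReport {
    [CmdletBinding()]
    param(
        # Files to inspect. Binds to the FullName property of Get-ChildItem output.
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]]$Path,

        # Lifetime at or below which a certificate is flagged as short-lived.
        [int]$MaxLifetimeHours = 72,

        # Optional wildcard matched against the issuer DN. '*Microsoft ID Verified*'
        # is an assumed pattern for illustration; confirm the issuer string in your
        # own telemetry before relying on it. Default '*' matches everything.
        [string]$IssuerPattern = '*'
    )
    process {
        foreach ($file in $Path) {
            $sig  = Get-AuthenticodeSignature -FilePath $file
            $cert = $sig.SignerCertificate

            if ($null -eq $cert) {
                # Unsigned or unparseable: still emit a row so nothing is silently skipped.
                [pscustomobject]@{
                    File = $file; Status = $sig.Status; Signer = $null; Issuer = $null
                    NotBefore = $null; NotAfter = $null; LifetimeHours = $null
                    ShortLived = $false; Timestamped = $false; Expired = $null
                }
                continue
            }

            if ($cert.Issuer -notlike $IssuerPattern) { continue }

            $lifetime = ($cert.NotAfter - $cert.NotBefore).TotalHours

            [pscustomobject]@{
                File          = $file
                # A signature countersigned while the certificate was valid still
                # reports Valid after NotAfter has passed; compare with Expired.
                Status        = $sig.Status
                Signer        = $cert.Subject
                Issuer        = $cert.Issuer
                NotBefore     = $cert.NotBefore
                NotAfter      = $cert.NotAfter
                LifetimeHours = [math]::Round($lifetime, 1)
                ShortLived    = ($lifetime -le $MaxLifetimeHours)
                Timestamped   = ($null -ne $sig.TimeStamperCertificate)
                Expired       = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }
}

# Usage: triage a download folder, listing short-lived signers first.
# Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse -Include *.exe,*.dll,*.msi |
#     Get-SignerLifetimeReport -MaxLifetimeHours 72 |
#     Sort-Object ShortLived -Descending | Format-Table -AutoSize
```

ShortLived on its own is not a verdict: legitimate Artifact Signing customers receive the same 72-hour certificates, so treat the flag as a triage signal to combine with the subject name, file reputation, revocation status, and how the file arrived on the host. The Status and Expired columns together show the timestamping effect described above: a file whose certificate expired days ago can still report Valid if it was timestamped in time.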

Obtaining a certificate from Artifact Signing requires identity validation that follows industry standards for publisher verification. That requirement is what suggests Fox Tempest used stolen identities of individuals in the United States and Canada to impersonate legitimate applicants and pass the checks needed to obtain signing credentials.

Fox Tempest's infrastructure also included the SignSpace website, which exposed an administrative panel and a customer page for file signing and managed users, files, Azure subscriptions, and certificates behind the scenes. Paying customers uploaded malicious files, and the service returned them signed with the fraudulently obtained certificates, making the malware appear to come from a legitimate publisher. The service was priced between $5,000 and $9,000.

By February 2026, Fox Tempest had changed its delivery model, offering customers pre-configured virtual machines hosted on Cloudzy. Customers uploaded their artifacts directly to this operator-controlled infrastructure and received signed binaries in return, which both tightened the group's operational security and let it sign malware at scale.

The downstream effect is visible in malvertising campaigns. Actors affiliated with Vanilla Tempest promoted binaries signed through Fox Tempest's service using legitimately purchased search advertisements: users searching for software such as Microsoft Teams were redirected to counterfeit download pages serving Oyster (also known as Broomstick or CleanUpLoader), a loader that in these campaigns went on to deploy Rhysida ransomware.

Microsoft says it took countermeasures along the way, including disabling fraudulent accounts and revoking illicitly obtained certificates, and that Fox Tempest adapted its methods each time. Court documents indicate that Microsoft worked with a "cooperative source" to purchase and evaluate the service between February and March 2026.

A Microsoft representative framed the harm in terms of trust: when attackers can cloak malware in a valid signature, they undermine the signals that people and systems rely on to decide whether software is safe to run. By removing that capability, Microsoft says it aims to raise the cost of running such operations.
