Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks
Microsoft took down the Fox Tempest malware-signing service that spread ransomware across the whole world
Microsoft Disrupts Fox Tempest Malware-Signing Service That Delivered Ransomware Globally
TL;DR Microsoft has taken down a malware-signing-as-a-service operation run by Fox Tempest that fraudulently obtained code-signing certificates through Microsoft's own Artifact Signing system. The operation, active since May 2025, sold signing services for $5,000 to $9,000 and enabled delivery of ransomware and malware families including Rhysida, Oyster, Lumma Stealer, and Vidar to thousands of machines worldwide. The disruption effort, codenamed OpFauxSign, involved seizure of the signspace[.]cloud website and takedown of hundreds of virtual machines.
What happened
Fox Tempest operated a malware-signing-as-a-service (MSaaS) platform that weaponized Microsoft's Artifact Signing system—a legitimate code-signing solution for developers—to generate fraudulent but valid code-signing certificates. According to Microsoft, the threat actor very likely used stolen identities based in the United States and Canada to pass Microsoft's identity validation processes and obtain legitimate digital credentials for signing.
The SignSpace website, which hosted the service, let paying customers upload malicious files to be code-signed with certificates Fox Tempest had obtained fraudulently. Each certificate was valid for only 72 hours. That short lifetime narrows the window in which a given fraudulent certificate can be identified and revoked, but it does not limit the malware's useful life: an Authenticode signature that carries a timestamp countersignature still validates after the signing certificate expires. The service cost between $5,000 and $9,000 per use.
By signing malware with these fraudulent but cryptographically valid certificates, threat actors could make their malicious code appear legitimate and trusted to endpoint security controls and users. The service enabled distribution of malware impersonating legitimate applications including AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex.
Starting in February 2026, Fox Tempest shifted its operational model and began providing customers with pre-configured virtual machines hosted on Cloudzy. Customers could upload malicious artifacts directly to these attacker-controlled systems and receive the signed binaries back, which reduced friction for customers and improved operational security for the threat actor.
Microsoft's disruption operation, codenamed OpFauxSign, involved seizure of the signspace[.]cloud website, takedown of hundreds of virtual machines running the operation, and blocking access to infrastructure hosting the underlying code. Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, confirmed the action. Microsoft also disabled fraudulent accounts associated with Fox Tempest and revoked illicitly obtained certificates.
Why it matters
Code-signing certificates are a critical trust anchor in software distribution. When a valid certificate signs malicious code, endpoint detection and response (EDR) heuristics that treat signed binaries as lower risk, User Account Control (UAC) elevation prompts that display a verified publisher, and the judgement of users and administrators can all be undermined. Defenders cannot distinguish signed legitimate software from signed malware on signature validity alone.
The operation connected Fox Tempest to a broad ransomware ecosystem. Confirmed connections include threat actors operating Rhysida, INC, Qilin, BlackByte, and Akira ransomware, as well as operators of Oyster, Lumma Stealer, and Vidar malware. Attacks targeted healthcare, education, government, and financial services across the United States, France, India, and China.
For SOC analysts and defenders in the MENA region, the disruption removes one supplier but not the underlying threat model: attackers will keep looking for ways to obtain valid code-signing credentials, whether through fraudulent identity validation as here or by stealing keys and certificates from legitimate developers. Organizations should review their file-reputation and code-signing verification controls and assume that a valid signature does not by itself establish benign intent.
Affected systems and CVEs
- Microsoft Artifact Signing (formerly Azure Trusted Signing)
- AnyDesk (impersonated by signed malware)
- Microsoft Teams (impersonated by signed malware)
- PuTTY (impersonated by signed malware)
- Cisco Webex (impersonated by signed malware)
- Cloudzy (VM hosting provider used by Fox Tempest)
- Rhysida ransomware (distributed through signed malware)
- Oyster / Broomstick / CleanUpLoader malware
- Lumma Stealer malware
- Vidar malware
- INC ransomware
- Qilin ransomware
- BlackByte ransomware
- Akira ransomware
No CVE assigned at the time of publication.
What to do
- Review code-signing certificate validation controls and supplement signature verification with additional reputation and behavior-based detection.
- Hunt for binaries first seen between May 2025 and the disruption date whose signer certificate chains to Microsoft's Artifact Signing CAs and was valid for only about 72 hours; treat signatures from certificates Microsoft has since revoked as untrusted. Note that a timestamped signature continues to validate after the certificate expires, so certificate expiry is not evidence that a file is safe or unsigned.
- Cross-reference indicators of compromise released by Microsoft against network logs, EDR telemetry, and file integrity monitoring systems.
- Implement application allow-listing (for example AppLocker or WDAC) that does not rely on signature validity alone: scope publisher rules to specific publisher and product names rather than to an issuing CA, since a rule that trusts everything chained to the Artifact Signing CA would also trust every fraudulent customer of this service.
- For organizations in targeted sectors (healthcare, education, government, financial services) in the United States, France, India, and China, conduct incident response reviews to identify whether signed malware was delivered or executed.
- If your organization holds an Artifact Signing account, review the Azure activity and sign-in logs for that subscription for unexpected identity-validation changes, new certificate profiles, or signing requests you cannot attribute to your build pipeline.
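The PowerShell hunt below is an added example written for this page; it is not code from Microsoft, from Fox Tempest's service, or from the original article. It walks a set of directories, keeps only files whose Authenticode signature validates (the whole point of the scheme is that these files pass that check), and flags those whose signer certificate lived three days or less, was issued inside the campaign window, and whose issuer name matches an assumed substring for Microsoft's Artifact Signing CAs. The issuer substring, the default directories, the date window and the impersonated-name pattern are assumptions to adjust for your environment.

```powershell
# Added example for this page (not Microsoft's or the article's code). Hunts for signed
# PE files whose signer certificate matches the profile described above: short-lived,
# issued during the campaign window, chained to Microsoft's Artifact Signing CAs.
function Find-ShortLivedSignedBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $Path,

        # Campaign window from the article: the service was active from May 2025.
        [datetime] $WindowStart = [datetime]'2025-05-01',
        [datetime] $WindowEnd   = (Get-Date),

        # Certificates in the scheme were valid for 72 hours; allow a little slack.
        [double]   $MaxLifetimeDays = 3.5,

        # ASSUMPTION: substring expected in the issuer DN of Artifact Signing
        # certificates. Confirm it against a known-good Artifact Signing-signed file
        # in your own environment before relying on it.
        [string]   $IssuerPattern = 'Microsoft ID Verified',

        # Product names the article says were impersonated; used only to prioritise hits.
        [string]   $ImpersonatedNamePattern = 'anydesk|teams|putty|webex'
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

        # Only signatures that validate are of interest here; unsigned or broken
        # files are a different hunt.
        if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }

        $cert     = $sig.SignerCertificate
        $lifetime = $cert.NotAfter - $cert.NotBefore

        $shortLived  = $lifetime.TotalDays -le $MaxLifetimeDays
        $inWindow    = ($cert.NotBefore -ge $WindowStart) -and ($cert.NotBefore -le $WindowEnd)
        $issuerMatch = $cert.Issuer -like "*$IssuerPattern*"

        if (-not ($shortLived -and $inWindow -and $issuerMatch)) { return }

        [pscustomobject]@{
            Path                  = $file.FullName
            SHA256                = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            Subject               = $cert.Subject
            Issuer                = $cert.Issuer
            NotBefore             = $cert.NotBefore
            NotAfter              = $cert.NotAfter
            LifetimeHours         = [math]::Round($lifetime.TotalHours, 1)
            # A timestamp countersignature is what keeps the signature 'Valid' after
            # the 72-hour certificate has expired, so expiry alone proves nothing.
            Timestamped           = [bool] $sig.TimeStamperCertificate
            # True when the file name mimics one of the impersonated products.
            NameLooksImpersonated = $file.BaseName -match $ImpersonatedNamePattern
        }
    }
}

# Usage: scan the usual drop locations and review the results by hand.
Find-ShortLivedSignedBinary -Path "$env:TEMP", "$env:USERPROFILE\Downloads", "$env:ProgramData" |
    Sort-Object NameLooksImpersonated -Descending |
    Format-Table Path, Subject, NotBefore, LifetimeHours, Timestamped, NameLooksImpersonated -AutoSize
```

Every hit is a lead, not a verdict: legitimate developers also sign through Artifact Signing and receive the same short-lived certificates, so the subject name, the file hash against your reputation sources, and the file's behaviour decide the case. The script does not check revocation; a certificate Microsoft has since revoked will still show as Valid on a timestamped signature unless you verify it separately against the issuer's CRL or OCSP responder.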
Open questions
- The source does not disclose the total number of machines and networks compromised, stating only "thousands."
- Specific stolen identities used by Fox Tempest to obtain fraudulent credentials are not named.
- The complete list of malware families delivered through the service is not provided; only Rhysida, Oyster, Lumma Stealer, Vidar, INC, Qilin, BlackByte, and Akira are confirmed.
- The identity of the "cooperative source" that helped Microsoft purchase and test the service between February and March 2026 is not disclosed.
- The current operational status of Fox Tempest following the disruption is not specified.
- Geographic distribution of attacks beyond the four countries mentioned (U.S., France, India, China) is not detailed.
Source
Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks