Microsoft disrupted a sophisticated malware-signing operation that compromised thousands of systems worldwide by weaponizing the company's Artifact Signing system to distribute ransomware and other malicious software.
Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks
Microsoft recently announced a significant disruption of a malware-signing-as-a-service (MSaaS) operation that had been weaponizing the company's Artifact Signing system to deliver malicious code and conduct ransomware attacks worldwide. The operation, codenamed OpFauxSign, targeted thousands of machines and networks across various industries and countries.

The Fox Tempest Threat Actor
Microsoft attributed the MSaaS operation to a threat actor it calls Fox Tempest, which has been active since May 2025. The group offered a sophisticated service allowing cybercriminals to disguise malware as legitimate software through fraudulently obtained code-signing certificates.
"To disrupt the service, we seized Fox Tempest's website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code," said Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit.
Scale and Impact of the Operation
The Microsoft Artifact Signing system (formerly Azure Trusted Signing) is designed to help developers build and distribute legitimate applications while ensuring software hasn't been modified by unauthorized parties. Fox Tempest exploited this system to generate short-lived, fraudulent code-signing certificates that were valid for only 72 hours.
"The certificates were obtained through detailed identity validation processes, which suggests the threat actor very likely used stolen identities based in the United States and Canada to masquerade as a legitimate entity," Microsoft explained in a technical analysis.
The service cost between $5,000 and $9,000 and enabled cybercriminals to upload malicious files for code-signing, making malware appear legitimate. The signed malware masqueraded as popular software like AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex.
Malware Families and Affiliations
The operation facilitated the deployment of several prominent malware families, including:
- Rhysida ransomware (distributed by Vanilla Tempest)
- Oyster (also known as Broomstick or CleanUpLoader)
- Lumma Stealer
- Vidar
Microsoft also uncovered connections between Fox Tempest and affiliates associated with several prominent ransomware strains, including INC, Qilin, BlackByte, and Akira. These operations targeted healthcare, education, government, and financial services across the U.S., France, India, and China.

Evolution of the Service
Starting in February 2026, Fox Tempest shifted its business model to provide customers with pre-configured virtual machines hosted on Cloudzy. This evolution allowed customers to directly upload artifacts to attacker-controlled infrastructure and receive signed binaries in return.
"This infrastructure evolution reduced friction for customers, improved operational security for Fox Tempest, and further streamlined the delivery of malicious but trusted, signed malware at scale," Microsoft noted in its report.
Threat actors like Vanilla Tempest distributed signed binaries through legitimate advertisements that redirected users searching for Microsoft Teams to bogus download pages, facilitating the deployment of Oyster, which is responsible for delivering Rhysida ransomware.
Microsoft's Investigation and Legal Action
Court documents reveal that Microsoft worked with a "cooperative source" to purchase and test the service between February and March 2026. This investigation provided crucial insights into the operation's mechanics and scale.
Fox Tempest continually adapted its tradecraft as Microsoft implemented countermeasures, such as disabling fraudulent accounts and revoking illicitly obtained certificates. The threat actor even attempted to shift to a different code-signing service.
Implications for Cybersecurity
"When attackers can make malicious software look legitimate, it undermines how people and systems decide what's safe," Microsoft stated. "Disrupting that capability is key to raising the cost of cybercrime."
This operation highlights the growing sophistication of cybercriminal services and the lengths to which attackers will go to bypass security controls. The abuse of legitimate code-signing infrastructure is a significant challenge for security approaches that treat a valid signature as proof of trustworthiness.
Recommendations for Organizations
Based on this incident, security experts recommend the following measures:
- Implement strict verification processes for software downloads, even from seemingly legitimate sources
- Deploy advanced endpoint detection and response (EDR) solutions capable of identifying suspicious behavior regardless of code-signing status
- Educate users about the risks of downloading software from unverified sources, even when presented as legitimate applications
- Monitor network traffic for unusual download patterns or connections to known malicious infrastructure
- Regularly update and patch all software to minimize exposure to potential vulnerabilities
The Future of Code Signing Security
Microsoft's action against Fox Tempest represents an important step in securing code-signing infrastructure. However, the incident also underscores the need for continuous innovation in security practices as threat actors evolve their tactics.
Organizations should consider implementing additional layers of verification beyond code signatures, such as application whitelisting, behavior analysis, and sandboxing to detect potentially malicious signed applications.
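One concrete form of the "verification beyond code signatures" recommended above, combining the two signals this article describes (a certificate valid for only 72 hours, and a binary posing as AnyDesk, Microsoft Teams, PuTTY or Webex). This is an added example written for this page, not Microsoft's tooling: the signature metadata, the expected-publisher allowlist and the file names are constructed placeholders, and a short validity window is deliberately treated as informational only, since the signing service issues such certificates to legitimate developers as well.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SHORT_LIVED = timedelta(hours=72)  # validity window the article attributes to the abused certificates

# Constructed allowlist (placeholder signer names): which subject CN we expect on each product
# that the article reports being impersonated. A real deployment fills this from known-good binaries.
EXPECTED_SIGNER = {
    "AnyDesk":         {"AnyDesk Publisher (placeholder)"},
    "Microsoft Teams": {"Teams Publisher (placeholder)"},
    "PuTTY":           {"PuTTY Publisher (placeholder)"},
    "Cisco Webex":     {"Webex Publisher (placeholder)"},
}

@dataclass
class SignatureInfo:
    file_name: str
    product_name: str    # ProductName from the PE version resource, i.e. what the file claims to be
    signer_cn: str       # subject CN of the leaf code-signing certificate
    not_before: datetime
    not_after: datetime

def triage(sig: SignatureInfo) -> list[str]:
    """Return triage tags for one signed binary; an empty list means nothing notable."""
    tags = []
    expected = EXPECTED_SIGNER.get(sig.product_name)
    if expected is not None and sig.signer_cn not in expected:
        tags.append("publisher-mismatch")          # claims a known product, signed by someone else
    if sig.not_after - sig.not_before <= SHORT_LIVED:
        tags.append("short-lived-cert")            # informational: legitimate short-lived certs exist
    if "publisher-mismatch" in tags and "short-lived-cert" in tags:
        tags.append("HIGH:impersonation-with-short-lived-cert")  # both signals together: escalate
    return tags

def triage_samples() -> dict[str, list[str]]:
    """Run triage over three constructed records: a legit build, an impersonator, a harmless short-lived cert."""
    t0 = datetime(2026, 2, 10, 9, 0, tzinfo=UTC)
    samples = [
        SignatureInfo("Teams.exe", "Microsoft Teams", "Teams Publisher (placeholder)",
                      t0, t0 + timedelta(days=365)),
        SignatureInfo("MSTeamsSetup.exe", "Microsoft Teams", "Northwind Example LLC",
                      t0, t0 + timedelta(hours=72)),
        SignatureInfo("tool.exe", "Example Utility", "Example Dev (placeholder)",
                      t0, t0 + timedelta(hours=72)),
    ]
    return {s.file_name: triage(s) for s in samples}

if __name__ == "__main__":
    for name, tags in triage_samples().items():
        print(f"{name}: {tags or 'clean'}")
```

The rule deliberately escalates only when both signals coincide; either one alone is a normal condition and would flood an analyst queue with legitimate installers.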
As cybersecurity threats continue to evolve, collaboration between technology providers, law enforcement, and the security community remains essential to effectively counter sophisticated cybercriminal operations like the one disrupted by Microsoft's Digital Crimes Unit.
