To the point: Fox Tempest operated a malware signing service for ransomware gangs, which Microsoft disrupted through Operation OpFauxSign via server takedowns and website seizures.
Microsoft has dismantled a criminal infrastructure that abused its own Artifact Signing system to issue fraudulent code-signing certificates. The operator, known as Fox Tempest, used these certificates to lend legitimacy to ransomware and malware that compromised thousands of systems worldwide.
Microsoft has dismantled a Malware-Signing-as-a-Service (MSaaS) operation called Fox Tempest, which had been active since May 2025. The company seized the website signspace[.]cloud, took hundreds of virtual machines belonging to the operation offline, and blocked access to servers hosting the underlying infrastructure. The action is codenamed OpFauxSign.
Fox Tempest used Microsoft’s Artifact Signing system (formerly Azure Trusted Signing) to issue fraudulent code-signing certificates. Each was valid for only 72 hours. Obtaining legitimate certificates through the system requires strict identity verification; Fox Tempest likely used stolen identities from the USA and Canada to pass as a legitimate organization and gain access to the digital certificates. The signspace[.]cloud service let paying cybercriminals upload their malware files and have them signed; the fee ranged between $5,000 and $9,000 per signature. The signed malware could thus impersonate legitimate software such as AnyDesk, Microsoft Teams, PuTTY, or Cisco Webex.
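An added example, not from Microsoft or the original article: defender-side triage in Python that combines the two traits described above, a binary that claims to be one of the impersonated products but is signed by an unexpected publisher, and a signing certificate valid for 72 hours or less. The record field names, the publisher allowlist and the sample signers are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: claimed product -> publishers expected to sign it. Illustrative
# values only; build the real list from installers you have verified yourself.
EXPECTED_PUBLISHERS = {
    "anydesk": {"AnyDesk Software GmbH"},
    "microsoft teams": {"Microsoft Corporation"},
    "putty": {"Simon Tatham"},
    "cisco webex": {"Cisco Webex LLC", "Cisco Systems, Inc."},
}
SHORT_LIFETIME = timedelta(hours=72)  # certificate validity stated in the article


def findings(record):
    """Return the set of signals raised by one signature-metadata record."""
    out = set()
    claimed = record["product_name"].lower()
    for product, publishers in EXPECTED_PUBLISHERS.items():
        # Substring match so "Microsoft Teams Setup" still maps to the product.
        if product in claimed and record["signer"] not in publishers:
            out.add("publisher-mismatch")
    if record["not_after"] - record["not_before"] <= SHORT_LIFETIME:
        out.add("short-lived-cert")
    return out


def severity(record):
    """Rank a record; a short lifetime alone is weak, since legitimate
    users of a short-lived-certificate service produce it too."""
    f = findings(record)
    if f == {"publisher-mismatch", "short-lived-cert"}:
        return "high"
    if "publisher-mismatch" in f:
        return "medium"
    return "low" if f else "none"


def sample(product, signer, hours):
    """Build a constructed record with hypothetical field names."""
    start = datetime(2026, 1, 1)  # constructed date
    return {"product_name": product, "signer": signer,
            "not_before": start, "not_after": start + timedelta(hours=hours)}


# Constructed sample records; "Example Holdings LLC" and "Contoso" are made up.
SAMPLES = [
    sample("Microsoft Teams Setup", "Example Holdings LLC", 72),
    sample("AnyDesk", "Example Holdings LLC", 8760),
    sample("Contoso Backup Agent", "Contoso Ltd", 72),
    sample("PuTTY", "Simon Tatham", 8760),
]
```

Feed it the product name, signer subject and certificate validity window that your endpoint tooling already records for executed binaries, and review "high" results first.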
Fox Tempest distributed malware variants such as Rhysida ransomware, Oyster (CleanUpLoader), Lumma Stealer, and Vidar to customer groups. Connections exist to affiliates of the ransomware families INC, Qilin, BlackByte, and Akira. Attacks targeted institutions in the healthcare, education, government, and financial sectors in the USA, France, India, and China.
From February 2026 onwards, Fox Tempest shifted its business model to preconfigured virtual machines hosted via Cloudzy: customers could upload malware artifacts directly and receive signed binaries. This evolution of the infrastructure lowered the barriers for customer orders and improved the operational security of the offering. Threat actors such as Vanilla Tempest distributed the signed malware through purchased advertisements that directed users searching for Microsoft Teams to fake download pages.
Source: ainews-dev.lumi-systems.io · Published May 20, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.5.2.