Microsoft Disrupts Malware-Signing-as-a-Service Operation
Recent reports from Microsoft reveal that a sophisticated threat actor known as Fox Tempest has been engaging in a malicious scheme called MSaaS (malware-signing-as-a-service), utilizing the company’s Artifact Signing system to distribute harmful code and carry out ransomware attacks. This operation has impacted numerous machines and networks worldwide.
Operation Code-named OpFauxSign
Microsoft has taken action against this threat actor, code-named Fox Tempest, who has been operating since May 2025. The initiative to disrupt this service has been named OpFauxSign, involving the seizure of Fox Tempest’s website signspace[.]cloud, shutting down virtual machines associated with the operation, and blocking access to the underlying code hosting site.
Connection to Ransomware and Malware Families
Fox Tempest’s activities have facilitated the deployment of various ransomware strains such as Rhysida, along with other malware families like Oyster, Lumma Stealer, and Vidar. These actions highlight the critical role played by Fox Tempest in the cybercrime ecosystem.
Utilization of Artifact Signing System
Artifact Signing, formerly known as Azure Trusted Signing, is Microsoft’s solution for secure application distribution, ensuring the authenticity and integrity of software. Fox Tempest exploited this system to generate fraudulent code-signing certificates, allowing them to distribute malware disguised as legitimate software.
Evolution of Malicious Service
Starting February 2026, Fox Tempest transitioned to offering pre-configured virtual machines hosted on Cloudzy, streamlining the process of uploading malicious artifacts and receiving signed binaries. This evolution enhanced operational security and scalability for the threat actor.
Countermeasures and Adaptation
Microsoft has been actively countering Fox Tempest’s activities by disabling fraudulent accounts, revoking illicitly obtained certificates, and even collaborating with a “cooperative source” to test the service. Despite these efforts, the threat actor has continued to adapt their tactics, emphasizing the need to disrupt their capability to make malicious software appear legitimate.
Impact on Cybercrime
By disrupting the MSaaS operation orchestrated by Fox Tempest, Microsoft aims to raise the cost of cybercrime and safeguard users from falling victim to deceptive practices. This proactive approach underscores the importance of maintaining vigilance against evolving threats in the digital landscape.
