Microsoft Disrupts Malware-Signing-As-A-Service Operation
Microsoft recently announced the disruption of a malware-signing-as-a-service (MSaaS) operation that exploited the company’s Artifact Signing system to distribute malicious code and execute ransomware attacks, impacting numerous machines and networks globally.
Fox Tempest: The Threat Actor Behind the Scheme
Identified as Fox Tempest, the threat actor behind the MSaaS operation has been active since May 2025. Microsoft’s seizure effort, codenamed OpFauxSign, aimed to dismantle the service by taking down Fox Tempest’s website, signspace[.]cloud, and shutting down virtual machines associated with the operation.
Role of Fox Tempest in the Cybercrime Ecosystem
Fox Tempest facilitated the deployment of various malware strains, including Rhysida ransomware, Oyster, Lumma Stealer, and Vidar. The threat actor’s connections with ransomware affiliates such as INC, Qilin, BlackByte, and Akira have led to targeted attacks on sectors like healthcare, education, government, and financial services in countries like the U.S., France, India, and China.
Utilization of Artifact Signing System
Artifact Signing, formerly known as Azure Trusted Signing, is Microsoft’s solution for secure software distribution. Fox Tempest leveraged this system to generate fraudulent code-signing certificates, allowing the delivery of signed malware to evade security measures. These certificates had a short lifespan of 72 hours.
Modus Operandi of Fox Tempest
Fox Tempest obtained stolen identities from the U.S. and Canada to masquerade as legitimate entities and acquire the necessary digital credentials for signing. The SignSpace website, built on Artifact Signing, facilitated the upload of malicious files for code-signing, enabling malware to appear as trusted software applications like AnyDesk and Microsoft Teams.
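A defender-side triage sketch for the pattern described above, added here as an illustration and not taken from Microsoft's report: it scores signed files whose product name claims AnyDesk or Microsoft Teams but whose signer does not match the expected publisher, and treats the 72-hour certificate lifetime as a supporting signal only. The record fields, the expected publisher strings and the sample records are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Assumption: publisher names a defender expects for the two products the article names.
EXPECTED_PUBLISHER = {
    "anydesk": "AnyDesk Software GmbH",
    "microsoft teams": "Microsoft Corporation",
}
SHORT_LIVED = timedelta(hours=72)  # certificate lifespan stated in the article
FMT = "%Y-%m-%dT%H:%M:%SZ"

def cert_lifetime(rec):
    """Validity window of the signing certificate (not_after - not_before)."""
    return datetime.strptime(rec["not_after"], FMT) - datetime.strptime(rec["not_before"], FMT)

def triage(rec):
    """Return the reasons a signed file deserves analyst attention."""
    reasons = []
    expected = EXPECTED_PUBLISHER.get(rec["product_name"].strip().lower())
    if expected and rec["signer_subject"].strip().lower() != expected.lower():
        reasons.append("publisher-mismatch")
    if cert_lifetime(rec) <= SHORT_LIVED:
        reasons.append("short-lived-cert")
    return reasons

def severity(rec):
    """Mismatch plus short-lived cert is 'high'; mismatch alone is 'medium'.
    A short-lived cert alone scores 'none' (assumption: legitimate publishers
    using the same signing service also receive short-lived certificates)."""
    reasons = triage(rec)
    if "publisher-mismatch" not in reasons:
        return "none"
    return "high" if "short-lived-cert" in reasons else "medium"

# Constructed sample records, e.g. exported from an EDR or signature inventory.
SAMPLES = [
    {"file": "AnyDesk.exe", "product_name": "AnyDesk", "signer_subject": "Example Holdings LLC",
     "not_before": "2026-03-01T00:00:00Z", "not_after": "2026-03-04T00:00:00Z"},
    {"file": "Teams.exe", "product_name": "Microsoft Teams", "signer_subject": "Microsoft Corporation",
     "not_before": "2025-06-01T00:00:00Z", "not_after": "2026-06-01T00:00:00Z"},
    {"file": "tool.exe", "product_name": "Internal Tool", "signer_subject": "Contoso Ltd",
     "not_before": "2026-03-01T00:00:00Z", "not_after": "2026-03-03T12:00:00Z"},
    {"file": "AnyDesk_old.exe", "product_name": "AnyDesk", "signer_subject": "Other Vendor Inc",
     "not_before": "2025-01-01T00:00:00Z", "not_after": "2026-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["file"], severity(rec), triage(rec))
```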
Evolution of Malicious Service
Starting in February 2026, Fox Tempest transitioned to offering pre-configured virtual machines hosted on Cloudzy, streamlining the delivery of signed malware to customers. This infrastructure change improved operational security for the threat actor and simplified the distribution of malicious software.
Countermeasures and Continuous Adaptation
Microsoft actively countered Fox Tempest’s activities by disabling fraudulent accounts, revoking illicit certificates, and even testing the service through a cooperative source. The threat actor continuously adapted its tactics in response to Microsoft’s interventions, highlighting the ongoing battle against cybercrime.
Conclusion
The disruption of the MSaaS operation underscores the importance of thwarting attempts to legitimize malicious software. By raising the cost of cybercrime, organizations like Microsoft aim to safeguard users and systems from potential threats in the digital landscape.

