Microsoft Disrupts Fox Tempest Malware-Signing Service

Microsoft’s Digital Crimes Unit executed an operation codenamed OpFauxSign to seize signspace[.]cloud, take hundreds of virtual machines offline and block a site hosting the underlying code. The company attributed the activity to Fox Tempest, a malware‑signing‑as‑a‑service operation active since May 2025.

Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, described the disruption: “To disrupt the service, we seized Fox Tempest’s website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code.”

Microsoft reported that Fox Tempest used Artifact Signing (formerly Azure Trusted Signing) to produce short‑lived code‑signing certificates valid for 72 hours. The SignSpace platform relied on Azure subscriptions, certificates and a database to manage users and files. Criminal customers could upload malicious files and receive digitally signed binaries in return.

The group charged between $5,000 and $9,000 for the service. Beginning in February 2026, Fox Tempest shifted to supplying preconfigured virtual machines hosted on Cloudzy. That change allowed direct uploads to attacker‑controlled infrastructure and returned signed artifacts without additional steps by the customer, Microsoft noted.

Signed binaries created by the service were used in wider distribution chains. Microsoft linked the operation to campaigns that used purchased advertisements to redirect users searching for Microsoft Teams to fake download pages. Those pages enabled deployment of the Oyster loader (also called Broomstick or CleanUpLoader), which has been used to deliver Rhysida ransomware. Microsoft identified one distributor, Vanilla Tempest, that used signed payloads to spread Rhysida.

Analysts also connected Fox Tempest to other malware families, including Lumma Stealer and Vidar, and to affiliates associated with ransomware strains INC, Qilin, BlackByte and Akira. Targeted victims included organizations in healthcare, education, government and financial services across the United States, France, India and China.

Microsoft worked with a cooperative source to purchase and test the service between February and March 2026 as part of the disruption effort. The company warned: “When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe.” Microsoft added that Fox Tempest adjusted its tradecraft in response to countermeasures, at times attempting to move to other code‑signing services after accounts were disabled and fraudulent certificates revoked.