
Microsoft announced on Tuesday that it had disrupted a Malware Signing-as-a-Service (MSaaS) operation that used its Artifact Signing system as a weapon to distribute malicious code, carry out ransomware and other attacks, and compromise thousands of machines and networks around the world.
The tech giant attributed the activity to a threat actor called Fox Tempest, which it said offered an MSaaS scheme that allowed cybercriminals to disguise malware as legitimate software. This threat actor has been active since May 2025. The code name for this seizure activity is OpFauxSign.
“We occupied the sign space on the Fox Tempest website in order to disrupt service. We used the cloud to take hundreds of virtual machines running the operation offline and blocked access to the sites hosting the underlying code,” said Steven Masada, assistant attorney general in Microsoft’s Digital Crimes Division.
Microsoft noted that this operation enabled the deployment of Rhysida ransomware by threat actors such as Vanilla Tempest, in addition to other malware families such as Oyster, Lumma Stealer, and Vidar, demonstrating the important role that Fox Tempest plays within the cybercrime ecosystem.
Additionally, connections between this actor and affiliates associated with several prominent ransomware strains including INC, Qilin, BlackByte, and Akira were uncovered. Attacks launched by these operations target healthcare, education, government, and financial services across the United States, France, India, and China.
Artifact Signing (formerly known as Azure Trusted Signing) is Microsoft’s fully managed end-to-end signing solution that allows developers to easily build and distribute applications while ensuring that the software is genuine and has not been modified by unauthorized parties.
Fox Tempest is said to have leveraged this mechanism to generate rogue code-signing certificates with short expirations and use them to distribute trusted signed malware and bypass security controls. The certificates were valid for only 72 hours.
“Obtaining a legitimate signed certificate through artifact signing requires a requester to pass a detailed identity verification process that complies with the industry standard Verifiable Credentials (VC). This suggests that threat actors likely used stolen identities based in the United States and Canada to impersonate legitimate entities and obtain the digital credentials needed for signing,” Microsoft explained.
“The SignSpace website was built on Artifact Signing, leveraging Azure subscriptions, certificates, and a structured database for user and file management, enabling secure file signing through the admin panel and user page.”
The service allowed paying cybercrime customers to upload malicious files for code signing using certificates that Fox Tempest had fraudulently obtained. This allowed malware and ransomware to impersonate legitimate software such as AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex. Service costs range from $5,000 to $9,000.
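A defender-side triage check for the pattern described above, added here as an example and not taken from Microsoft's report: it ranks validly signed files whose product name claims one of the impersonated brands but whose signer is not that brand's publisher, using the 72-hour certificate lifetime as a supporting signal. The publisher names, the `SignedFile` record layout and the inventory rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: publisher names taken from the defender's own software baseline.
# Illustrative values; verify them locally before use.
EXPECTED_PUBLISHER = {
    "anydesk": "AnyDesk Software GmbH",
    "microsoft teams": "Microsoft Corporation",
    "putty": "Simon Tatham",
    "webex": "Cisco Webex LLC",
}
SHORT_LIVED = timedelta(hours=72)  # certificate lifetime reported in the article

@dataclass
class SignedFile:
    path: str
    product_name: str      # product name from the file's version resource
    signer: str            # subject CN of the leaf signing certificate
    not_before: datetime   # leaf certificate validity start
    not_after: datetime    # leaf certificate validity end

def verdict(f: SignedFile) -> str:
    """Rank a validly signed file for analyst review."""
    product = f.product_name.lower()
    # Brand claimed in metadata but signed by someone other than its publisher.
    mismatch = any(brand in product and f.signer != publisher
                   for brand, publisher in EXPECTED_PUBLISHER.items())
    short = (f.not_after - f.not_before) <= SHORT_LIVED
    if mismatch:
        return "high" if short else "medium"
    # Assumption: legitimate publishers may also sign with short-lived
    # certificates, so lifetime alone is only a weak signal.
    return "low" if short else "none"

# Constructed inventory rows (not real files, signers or indicators).
INVENTORY = [
    SignedFile("MSTeamsSetup.exe", "Microsoft Teams", "Example Holdings LLC",
               datetime(2026, 3, 1), datetime(2026, 3, 4)),
    SignedFile("putty.exe", "PuTTY suite", "Simon Tatham",
               datetime(2024, 1, 1), datetime(2027, 1, 1)),
    SignedFile("backup-agent.exe", "Contoso Backup Agent", "Contoso Ltd",
               datetime(2026, 3, 1), datetime(2026, 3, 3)),
    SignedFile("AnyDesk.exe", "AnyDesk", "Example Trading Inc",
               datetime(2025, 1, 1), datetime(2026, 1, 1)),
]

def review_queue(files):
    """Return (path, verdict) for every file that needs a look."""
    return [(f.path, verdict(f)) for f in files if verdict(f) != "none"]
```

In practice the records would come from an endpoint inventory of Authenticode signatures; a valid signature on its own is not evidence that a file is what its metadata claims.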
Starting in February 2026, threat actors are said to have transitioned to providing customers with preconfigured virtual machines (VMs) hosted on Cloudzy, allowing them to upload required artifacts directly to attacker-controlled infrastructure and receive signed binaries in return.
“This infrastructure evolution reduces friction for our customers, improves Fox Tempest’s operational security, and further streamlines the delivery of malicious but trusted signed malware at scale,” Microsoft said.
Attackers like Vanilla Tempest were found to distribute signed binaries through the service via legitimately purchased ads, redirecting users searching for Microsoft Teams to a fake download page, paving the way for the deployment of Oyster (also known as Broomstick or CleanUpLoader), a modular implant and loader responsible for delivering Rhysida ransomware.
According to Microsoft, Fox Tempest continues to modify its methods as Microsoft takes measures such as disabling fraudulent accounts and revoking fraudulently obtained certificates, and the attackers are also attempting to migrate to other code signing services. Court documents reveal that Microsoft worked with “cooperating sources” to purchase and test the service between February and March 2026.
“If attackers can make malicious software appear legitimate, it undermines how people and systems decide what is safe,” Redmond said. “Interfering with that ability is key to increasing the cost of cybercrime.”
