On Tuesday, Microsoft announced the disruption of a malware-signing-as-a-service (MSaaS) operation that exploited its Artifact Signing system. The operation has been implicated in ransomware attacks affecting thousands of systems worldwide.
Unveiling Fox Tempest’s Role
The tech giant identified the malicious activities as originating from a group it has named Fox Tempest. This entity is suspected of facilitating cybercriminals by disguising malware as legitimate software. Fox Tempest has been active since May 2025, and Microsoft’s counteroperation to dismantle this threat has been named OpFauxSign.
Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, stated that the disruption involved taking down the website signspace[.]cloud, deactivating numerous virtual machines involved in the operation, and blocking a site that hosted the malicious code.
Widespread Implications of the Operation
Fox Tempest’s operations enabled the deployment of various malware families, including Rhysida ransomware, through groups such as Vanilla Tempest. This highlights the significant influence Fox Tempest had within the cybercrime community.
The operation also revealed connections between Fox Tempest and several notorious ransomware strains like INC, Qilin, BlackByte, and Akira. These attacks have targeted sectors such as healthcare, education, government, and finance in countries including the U.S., France, India, and China.
Exploiting Artifact Signing for Cybercrime
Artifact Signing, previously known as Azure Trusted Signing, is a Microsoft service that ensures the legitimacy of software by providing end-to-end signing solutions. Fox Tempest exploited this system to generate fraudulent, short-lived code-signing certificates, which were then used to sign malware so that it was distributed as trusted software.
Microsoft indicated that the threat actor likely used stolen identities from the U.S. and Canada to navigate the stringent identity verification processes required to obtain these certificates.
SignSpace, a platform built on Artifact Signing, allowed cybercriminals to upload malware for signing with these fraudulently obtained certificates. This service, priced between $5,000 and $9,000, enabled malware to masquerade as legitimate applications, such as AnyDesk and Microsoft Teams.
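For defenders, the point of the two paragraphs above is that a valid signature says who signed a file, not that the file is what it claims to be. The sketch below is an added example, not Microsoft's tooling: it assumes signature metadata has already been extracted into records, and the expected publisher names, the 7-day threshold, the field names and the sample records are all assumptions or constructed values.

```python
from dataclasses import dataclass
from datetime import date

# Assumption: publisher names expected on genuine installers of the two
# products the article names; confirm against the vendors' own downloads.
EXPECTED_PUBLISHERS = {
    "anydesk": {"AnyDesk Software GmbH"},
    "microsoft teams": {"Microsoft Corporation"},
}
SHORT_LIVED_DAYS = 7  # assumption: local threshold for a "short-lived" certificate

@dataclass
class SignedFile:          # hypothetical record produced by your own collection tooling
    path: str
    product_name: str      # product name claimed in the file's version resource
    signer_subject: str    # subject name of the leaf signing certificate
    not_before: date
    not_after: date
    signature_valid: bool

def review(f: SignedFile):
    """Return (severity, findings) for one signed file."""
    if not f.signature_valid:
        return "high", ["invalid-signature"]
    findings = []
    expected = EXPECTED_PUBLISHERS.get(f.product_name.strip().lower())
    if expected is not None and f.signer_subject not in expected:
        findings.append("publisher-mismatch")
    if (f.not_after - f.not_before).days <= SHORT_LIVED_DAYS:
        findings.append("short-lived-cert")
    # Certificate lifetime alone is context, not a verdict; it raises
    # priority only when the signer is also wrong for the claimed product.
    if "publisher-mismatch" in findings:
        severity = "high" if "short-lived-cert" in findings else "medium"
    else:
        severity = "info" if findings else "none"
    return severity, findings

# Constructed sample records (not taken from the incident).
SAMPLES = [
    SignedFile("AnyDesk.exe", "AnyDesk", "AnyDesk Software GmbH",
               date(2024, 1, 1), date(2027, 1, 1), True),
    SignedFile("Teams_setup.exe", "Microsoft Teams", "Example Holdings LLC",
               date(2026, 3, 1), date(2026, 3, 4), True),
    SignedFile("tool.exe", "Internal Tool", "Example Dev Co",
               date(2026, 3, 1), date(2026, 3, 4), True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.path, *review(s))
```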
Adapting to Countermeasures
In February 2026, Fox Tempest adjusted its operations by offering pre-configured virtual machines hosted on Cloudzy. This allowed for easier upload of artifacts to attacker-controlled infrastructure, enhancing the delivery of signed malware.
Microsoft’s continued countermeasures, such as disabling fraudulent accounts and revoking certificates, forced Fox Tempest to explore alternative code-signing services. As part of its efforts, Microsoft collaborated with a cooperative source to test the illicit service, which yielded insights into its operations.
Microsoft emphasized the importance of this disruption, stating, “When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe.” The company remains committed to raising the cost of cybercrime by dismantling such services.
