Microsoft Shuts Down Malware Signing Service After Ransomware Attack

Microsoft on Tuesday said it had disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company’s Artifact Signing system to deliver malicious code and carry out ransomware and other attacks, compromising thousands of devices and networks around the world.
The tech giant attributes the service to a threat actor it calls Fox Tempest, which offers the MSaaS program to allow hackers to disguise malware as legitimate software. The threat actor has been active since May 2025. The disruption effort is codenamed OpFauxSign.
“In order to disrupt the service, we intercepted the location of the Fox Tempest website signals[.]cloud, took out hundreds of virtual machines running the project, and blocked access to the site containing the underlying code,” said Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit.
Microsoft noted that this program enabled the use of Rhysida ransomware by threat actors such as Vanilla Tempest, as well as other malware families such as Oyster, Lumma Stealer, and Vidar, indicating the important role played by Fox Tempest within the cybercrime ecosystem.
In addition, connections between the threat actor and affiliates associated with several prominent ransomware brands, including INC, Qilin, BlackByte, and Akira, have been revealed. Attacks by these operations have targeted healthcare, education, government, and financial services across the US, France, India, and China.
Artifact Signing (formerly Azure Trusted Signing) is Microsoft’s fully managed signing solution that allows developers to easily build and distribute applications, while ensuring that the software is legitimate and has not been modified by unauthorized parties.
Fox Tempest allegedly abused this service to generate temporary, fraudulently obtained code-signing certificates and used them to deliver trusted, signed malware and bypass security controls. The certificates were only valid for 72 hours.
“In order to obtain official certificates signed with Artifact Signing, the applicant must pass detailed verification procedures in accordance with verified industry credentials (VC), suggesting that the threat actor may have used stolen identities from the United States and Canada to conduct legitimate business and obtain the digital information required to sign,” explains Microsoft.
“The SignSpace website was built on Artifact Signing and enabled secure file signing through an admin panel and user page, premium Azure subscriptions, certificates, and a structured database for managing users and files.”
The service allowed paying cybercrime customers to upload malicious files for code signing using certificates obtained fraudulently by Fox Tempest. This, in turn, allowed malware and ransomware to impersonate legitimate software such as AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex. The service costs between $5,000 and $9,000.
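The two signals described above, a certificate lifetime of 72 hours or less and a signer that does not match the impersonated product, can be checked over signed-file telemetry. The following is an added example, not code from Microsoft or the article; the record fields, the expected-publisher table and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: publisher names expected on genuine builds of the products the
# article lists as impersonated. Verify against your own software inventory.
EXPECTED_SIGNERS = {
    "anydesk": {"AnyDesk Software GmbH"},
    "microsoft teams": {"Microsoft Corporation"},
    "putty": {"Simon Tatham"},
    "cisco webex": {"Cisco Systems, Inc.", "Cisco Webex LLC"},
}
SHORT_LIVED = timedelta(hours=72)  # certificate lifetime cited in the article


def triage(record):
    """Return the reasons a signed-file record deserves analyst review."""
    reasons = []
    not_before = datetime.fromisoformat(record["not_before"])
    not_after = datetime.fromisoformat(record["not_after"])
    if not_after - not_before <= SHORT_LIVED:
        reasons.append("short-lived-cert")
    product = record["product_name"].lower()
    for name, signers in EXPECTED_SIGNERS.items():
        if name in product and record["signer"] not in signers:
            reasons.append(f"signer-mismatch:{name}")
    return reasons


def review_queue(records):
    """Map file name -> reasons, keeping only records with at least one hit."""
    return {r["file"]: hits for r in records if (hits := triage(r))}


# Constructed sample telemetry (hypothetical field names, not real indicators).
SAMPLE = [
    {"file": "TeamsSetup.exe", "product_name": "Microsoft Teams",
     "signer": "Example Holdings LLC",
     "not_before": "2026-03-01T00:00:00", "not_after": "2026-03-04T00:00:00"},
    {"file": "putty.exe", "product_name": "PuTTY",
     "signer": "Simon Tatham",
     "not_before": "2024-01-10T00:00:00", "not_after": "2027-01-09T23:59:59"},
    {"file": "internal-tool.exe", "product_name": "Build Helper",
     "signer": "Example Dev Co",
     "not_before": "2026-03-02T08:00:00", "not_after": "2026-03-05T08:00:00"},
]

if __name__ == "__main__":
    for name, hits in review_queue(SAMPLE).items():
        print(name, hits)
```

A short lifetime alone only shows the certificate came from a short-lived issuance scheme, so the third sample record carries a single, weaker reason; the combination with a signer mismatch on a well-known product name is what warrants priority review.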
As of February 2026, the threat actor is said to have switched to providing customers with pre-configured virtual machines (VMs) hosted on Cloudzy, making it possible to upload the required artifacts to the infrastructure controlled by the attacker and receive signed binaries in return.
“This infrastructure innovation has reduced friction for customers, improved the operational security of Fox Tempest, and improved the delivery of malicious but trusted, signed malware at scale,” Microsoft said.
Threat actors such as Vanilla Tempest have been found distributing binaries signed by the service through legitimately purchased ads that redirect users looking for Microsoft Teams to fake download pages, paving the way for the distribution of Oyster (also known as Broomstick or CleanUpLoader), a modular implant and loader responsible for delivering Rhysida.
Microsoft said Fox Tempest has been adapting its tradecraft as the company takes countermeasures, such as disabling fake accounts and revoking illegally obtained certificates, with the threat actor trying to switch to another code-signing service. Court documents reveal that Microsoft worked with a “cooperative source” to purchase and test the service between February and March 2026.
“If attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe,” Redmond said. “Disrupting that ability is critical to increasing the cost of cybercrime.”



