Microsoft Dismantles Malware-Signing Service That Weaponized Azure Infrastructure

Bottom Line

Microsoft's takedown of Fox Tempest disrupted a turnkey malware-signing service that abused Microsoft's own Artifact Signing system to issue short-lived (72-hour) certificates to Rhysida and other ransomware affiliates at $5K–$9K per signing. That price is evidence of the demand: expect copycat services to fill the void within weeks, so treat code-signing trust as a degraded control, not a reliable one.

Key facts
  • Actor: Fox Tempest; service domain signspace[.]cloud
  • Abused service: Microsoft Artifact Signing
  • Customers and payloads: Rhysida ransomware (via Vanilla Tempest); INC, Qilin and Akira affiliates; Lumma Stealer and Vidar infostealers; Oyster/CleanUpLoader
  • Status: disrupted (OpFauxSign), Microsoft DCU and MSTIC, May 2026
  • Economics: $5K–$9K per signing; 72-hour certificate window
TL;DR
  • What: Microsoft's DCU, in a disruption it calls OpFauxSign, dismantled Fox Tempest's malware-signing-as-a-service, which abused Microsoft Artifact Signing to issue 72-hour certificates for ransomware and infostealer payloads at $5,000-$9,000 per signing.
  • Impact: Thousands of machines compromised across healthcare, education, government, and financial services; Rhysida, Lumma Stealer, Vidar, and Oyster/CleanUpLoader distributed as apparently legitimate signed software.
  • Fix / mitigation: Treat code signing as a degraded control: add behavioral/EDR detection, flag executables signed with certificates valid for 72 hours or less, and add secondary verification for remote-access tool downloads (download only from the vendor's own domain and confirm the publisher name on the signature matches the vendor). Short validity alone is not proof of abuse, since Artifact Signing issues short-lived certificates to legitimate publishers as well; correlate it with publisher identity and download origin.
  • Who's at risk: Any org relying on code-signing as a primary trust signal, particularly those downloading AnyDesk, Microsoft Teams, PuTTY, or Cisco Webex via web search rather than vendor portals.

Microsoft has disrupted a sophisticated malware-signing-as-a-service operation that turned the company's own Artifact Signing system into a weapon for cybercriminals. The disruption, dubbed OpFauxSign, targeted Fox Tempest, a threat actor that enabled ransomware groups and malware distributors to disguise malicious code as legitimate software carrying signatures that chain to Microsoft's trusted certificate infrastructure.

The takedown involved seizing the signspace[.]cloud domain, taking offline hundreds of virtual machines running the operation, and blocking access to infrastructure hosting the underlying code. Fox Tempest's service played a central role in the deployment of Rhysida ransomware and multiple information-stealing malware families, compromising thousands of machines globally across healthcare, education, government, and financial services sectors.

Exploiting Microsoft's Trust Infrastructure

Fox Tempest abused Microsoft's Artifact Signing, a legitimate code-signing service designed to verify software authenticity, by obtaining certificates under stolen identities. The certificates themselves were genuine and Microsoft-issued; what was fraudulent was the identity behind them. The threat actor used compromised credentials of individuals in the United States and Canada to pass Microsoft's identity validation, which relies on verifiable-credential checks that meet industry-standard requirements.

The certificates issued through this scheme were valid for only 72 hours, which left defenders a narrow window: by the time a certificate was identified and revoked, it may already have expired, and the customer could simply pay for another signing. Expiry by itself does not neutralize what was already signed, because an Authenticode signature that carries a trusted timestamp remains valid after its certificate lapses; only a revocation backdated to before the signing time invalidates those binaries. Within that model Fox Tempest ran a turnkey service: customers uploaded malicious files through an admin panel and received signed binaries that passed signature-based security controls.
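The interaction between a 72-hour certificate, a timestamped signature and a later revocation is easy to get wrong, so here is a small model of it. This is an added example for this article, not code from Microsoft or from the page; it encodes the standard Authenticode rules (a timestamped signature is judged at its signing time, an untimestamped one at verification time, and revocation only counts if effective at or before that evaluation time), and every date and subject name in it is constructed for illustration.

```python
"""How Authenticode evaluates a signature made with a 72-hour certificate.

Added example for this article, not code from Microsoft or from the page.
It models the standard Authenticode rules: a signature that carries a trusted
RFC 3161 timestamp is judged at its signing time, so the certificate's later
expiry does not break it; only a revocation whose effective date is at or
before the signing time does. All dates and names below are constructed.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class SigningCert:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_from: Optional[datetime] = None  # effective revocation date, if revoked


@dataclass
class Signature:
    cert: SigningCert
    timestamp: Optional[datetime]  # trusted countersignature time; None if untimestamped


def is_trusted(sig: Signature, now: datetime) -> Tuple[bool, str]:
    """Decide whether the signature chains to a usable certificate at `now`."""
    cert = sig.cert
    # A timestamped signature is evaluated at signing time; an untimestamped
    # one is evaluated at verification time, so it dies with the certificate.
    eval_time = sig.timestamp if sig.timestamp is not None else now
    if not (cert.not_before <= eval_time <= cert.not_after):
        return False, "certificate was not valid at evaluation time"
    # Revocation only bites if it is effective at or before the evaluation time;
    # a revocation dated after the signing time leaves the signature trusted.
    if cert.revoked_from is not None and cert.revoked_from <= eval_time:
        return False, "certificate revoked as of evaluation time"
    return True, "signature trusted"


def scenarios() -> dict:
    """Walk a constructed 72-hour certificate through the cases that matter."""
    issued = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    cert = SigningCert("CN=Example Individual", issued, issued + timedelta(hours=72))
    signed_at = issued + timedelta(hours=1)        # customer signs soon after issuance
    thirty_days_on = issued + timedelta(days=30)   # long after the cert expired

    results = {
        # Expiry alone does nothing to a timestamped signature.
        "timestamped_after_expiry": is_trusted(Signature(cert, signed_at), thirty_days_on),
        # Without a timestamp the signature fails once the 72 hours are up.
        "untimestamped_after_expiry": is_trusted(Signature(cert, None), thirty_days_on),
        # Revoking on the day abuse is noticed (day 5) does not help either.
        "revoked_after_signing": is_trusted(
            Signature(replace(cert, revoked_from=issued + timedelta(days=5)), signed_at),
            thirty_days_on,
        ),
        # Backdating the revocation to issuance invalidates everything it signed.
        "revoked_backdated_to_issuance": is_trusted(
            Signature(replace(cert, revoked_from=issued), signed_at), thirty_days_on
        ),
    }
    return {name: trusted for name, (trusted, _reason) in results.items()}


if __name__ == "__main__":
    for name, trusted in scenarios().items():
        print(f"{name:32s} -> {'TRUSTED' if trusted else 'untrusted'}")
```

The practical consequence for a CA responding to this kind of abuse is the third and fourth cases: a revocation dated when the fraud is discovered leaves every already-signed, timestamped binary trusted, while setting the revocation date back to issuance invalidates all of them at once.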

Trust Exploitation at Scale

Fox Tempest's operation undermined code-signing trust at its root. By obtaining genuine certificates through identity theft and renting them out as a service, the threat actor let even unsophisticated criminals distribute malware packaged as installers for AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex, each carrying a valid signature from a Microsoft-issued certificate. Any user or tool that checked only whether the signature verified, rather than who the publisher was, would accept them.

Infrastructure Evolution and Criminal Ecosystem

Starting in February 2026, Fox Tempest changed its operating model, moving from a web-based signing service to pre-configured virtual machines hosted on Cloudzy infrastructure. The change reduced friction for customers and improved the actor's operational security: uploads went directly to attacker-controlled infrastructure, so the signing mechanism itself was never exposed to customers.

Microsoft's investigation uncovered extensive connections between Fox Tempest and multiple ransomware operations. The service enabled Vanilla Tempest to deploy Rhysida ransomware, while affiliates of the INC, Qilin, BlackByte, and Akira ransomware strains also used it. Other malware families distributed through the service included Oyster (CleanUpLoader), Lumma Stealer, and Vidar.

Distribution Through Malvertising

Threat actors utilizing Fox Tempest's service employed sophisticated distribution methods, including malicious advertising campaigns. Vanilla Tempest purchased legitimate advertisements that redirected users searching for Microsoft Teams to fraudulent download pages hosting signed malicious binaries. These downloads deployed Oyster, a modular loader responsible for delivering Rhysida ransomware payloads.

The combination of legitimate code signatures and paid advertising created a highly effective infection vector that exploited user trust at multiple levels. Victims believed they were downloading official software from legitimate search results, only to receive malware that security tools recognized as properly signed and trusted.

Investigation Timeline

Microsoft worked with a cooperative source to purchase and test the malware-signing service between February and March 2026. This undercover operation provided critical intelligence about Fox Tempest's operations, pricing structure, and technical capabilities that informed the disruption strategy.

Persistent Adaptation to Countermeasures

Fox Tempest demonstrated sophisticated operational security throughout its lifespan. As Microsoft enacted countermeasures, including disabling fraudulent accounts and revoking illicitly obtained certificates, the threat actor continuously adapted its tactics. Microsoft observed attempts to shift to alternative code-signing services, indicating the actor's determination to keep its revenue stream alive despite enforcement actions.

The actor's ability to repeatedly pass Microsoft's identity validation suggests access to high-quality stolen identity data and a working understanding of how certificate authorities verify applicants. It illustrates the difficulty certificate authorities face in distinguishing legitimate requests from well-prepared fraud built on stolen credentials.

Implications for Defense Strategies

The Fox Tempest operation exposes critical weaknesses in trust-based security models that rely on code-signing verification. Organizations can no longer assume that digitally signed software is inherently safe, particularly when signatures are recent or from unfamiliar publishers.

Strategic Takeaways

The Microsoft takedown of Fox Tempest represents a significant disruption to the malware-as-a-service ecosystem, but the operational model will likely reappear. The $5,000-$9,000 price point demonstrates substantial demand for code-signing capabilities among cybercriminals, creating strong financial incentives for other threat actors to fill the void.

Security teams should reassess detection strategies that prioritize signed software over unsigned binaries. The commoditization of code-signing through criminal services means that signature validity is no longer a reliable primary indicator of software legitimacy. Multi-layered defenses incorporating behavioral detection, threat intelligence, and user awareness remain essential as attackers continue exploiting trust mechanisms at scale.
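A detection rule that acts on the recommendations above, and on the TL;DR's mitigation bullet, without treating every short-lived certificate as malicious. This is an added example for this article, not Microsoft's or RedEye's detection content. The event records are constructed to resemble what an EDR exports when a newly signed PE file lands on disk; the field names, the vendor allowlist entries and the scoring thresholds are assumptions that should be checked against known-good installers before use.

```python
"""Detection rule for the Fox Tempest pattern: a signed executable whose trust
rests on a short-lived certificate and whose name, signer and download origin
do not agree.

Added example for this article, not Microsoft's or RedEye's detection content.
The event records are constructed to resemble what an EDR exports when a new
signed PE file lands on disk; the field names, the vendor allowlist and the
scoring thresholds are assumptions to tune against your own golden copies.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Artifact Signing issues certificates valid for about three days, so a short
# lifetime is a weak signal on its own and only escalates when combined.
SHORT_LIVED = timedelta(hours=72)

# Illustrative allowlist (assumption): product keyword -> (expected signer CNs,
# vendor download domains). Verify each entry against a known-good installer.
KNOWN_PRODUCTS = {
    "teams":   ({"Microsoft Corporation"}, {"microsoft.com"}),
    "anydesk": ({"philandro Software GmbH"}, {"anydesk.com"}),
    "putty":   ({"Simon Tatham"}, {"chiark.greenend.org.uk"}),
    "webex":   ({"Cisco WebEx LLC"}, {"webex.com", "cisco.com"}),
}


@dataclass
class SignedFileEvent:
    file_name: str
    signer_cn: str               # subject CN of the leaf signing certificate
    cert_not_before: datetime
    cert_not_after: datetime
    download_url: Optional[str]  # browser download origin, if the EDR records one


def _host_in(host: str, domains: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def assess(ev: SignedFileEvent) -> Tuple[str, List[str]]:
    """Return (severity, reasons) for one event."""
    score, reasons = 0, []

    lifetime = ev.cert_not_after - ev.cert_not_before
    if lifetime <= SHORT_LIVED:
        score += 1
        reasons.append(f"signing certificate valid for only {lifetime.total_seconds() / 3600:.0f}h")

    name = ev.file_name.lower()
    product = next((k for k in KNOWN_PRODUCTS if k in name), None)
    if product is not None:
        expected_cns, vendor_domains = KNOWN_PRODUCTS[product]
        if ev.signer_cn not in expected_cns:
            score += 3
            reasons.append(f"looks like {product} but is signed by '{ev.signer_cn}'")
        if ev.download_url:
            host = (urlparse(ev.download_url).hostname or "").lower()
            if not _host_in(host, vendor_domains):
                score += 2
                reasons.append(f"downloaded from non-vendor host '{host}'")

    severity = "high" if score >= 4 else "medium" if score >= 3 else "low" if score >= 1 else "none"
    return severity, reasons


def sample_events() -> List[SignedFileEvent]:
    """Constructed events: a Fox Tempest style lure, a genuine vendor build, and
    a legitimate Artifact Signing customer whose certificate is also short-lived."""
    t = datetime(2026, 3, 2, 14, 0, tzinfo=timezone.utc)
    return [
        SignedFileEvent("MSTeamsSetup.exe", "Example Individual", t, t + timedelta(hours=72),
                        "https://teams-download.example/MSTeamsSetup.exe"),
        SignedFileEvent("MSTeamsSetup.exe", "Microsoft Corporation", t, t + timedelta(days=365),
                        "https://www.microsoft.com/download/MSTeamsSetup.exe"),
        SignedFileEvent("ContosoAgent.exe", "Contoso Ltd", t, t + timedelta(hours=72),
                        "https://downloads.contoso.com/ContosoAgent.exe"),
    ]


def run() -> List[Tuple[str, str]]:
    """Assess the sample events; returns [(file_name, severity), ...]."""
    return [(ev.file_name, assess(ev)[0]) for ev in sample_events()]


if __name__ == "__main__":
    for ev in sample_events():
        severity, reasons = assess(ev)
        print(f"{ev.file_name:20s} {severity:6s} {'; '.join(reasons) or '-'}")
```

The third sample event is the important one: a legitimate publisher using Artifact Signing gets the same 72-hour certificate as the attacker, so the rule reports it as low-severity telemetry rather than an alert. The lure scores high because the short lifetime coincides with a publisher that is not the impersonated vendor and a download from a domain the vendor does not own.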

For certificate authorities and code-signing platforms, the incident underscores the need for enhanced identity verification processes and anomaly detection systems capable of identifying patterns consistent with stolen identity use. The industry must evolve beyond static identity verification toward continuous monitoring of certificate usage patterns to detect and respond to abuse more rapidly.

RedEye Security provides assessments for organizations that need to understand their real risk.
