- Microsoft disrupted Fox Tempest, a malware-signing-as-a-service that weaponized its Artifact Signing system to legitimize ransomware and other malware.
- The service sold for between $5,000 and $9,000, enabling attacks on thousands of machines globally in sectors like healthcare and government.
- The operation facilitated the distribution of Rhysida, Oyster, Lumma Stealer, and Vidar malware, often disguised as legitimate software like AnyDesk or Microsoft Teams.
- Microsoft seized the operation’s website, signspace[.]cloud, and took hundreds of virtual machines offline in an effort codenamed OpFauxSign.
In a significant crackdown on a critical cybercrime enabler, Microsoft announced it has dismantled a sophisticated malware-signing service that abused its own security tools to legitimize ransomware attacks globally. The tech giant, working through its Digital Crimes Unit, attributed the operation to a threat actor it tracks as Fox Tempest, which had been active since May 2025.
Steven Masada, assistant general counsel at Microsoft, said the disruption involved seizing the service’s website and taking hundreds of virtual machines offline. The scheme, which Microsoft codenamed OpFauxSign, was a key distributor for ransomware groups like Vanilla Tempest. The service fraudulently obtained short-lived code-signing certificates through Microsoft’s Artifact Signing system, making malicious files appear trusted to users and to the systems that rely on signature checks.
Paying customers, including affiliates linked to INC, Qilin, BlackByte, and Akira ransomware, used the service to sign malware for between $5,000 and $9,000. Microsoft explained that the threat actor likely used stolen identities to pass validation checks. This allowed malware like Rhysida ransomware and the Oyster loader to be disguised as legitimate software.
In early 2026 the operation evolved to provide pre-configured virtual machines, improving efficiency and operational security for the actors using it. Microsoft responded with countermeasures such as revoking the illicit certificates and disabling the fraudulent accounts behind them. “When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe,” the company stated, emphasizing the importance of such disruptions.
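A revoked certificate only protects an endpoint if something actually checks revocation, and Get-AuthenticodeSignature on its own does not. The PowerShell script below is an added example, not code from the article or from Microsoft: it triages the signed executables in a folder, reporting signature status, the signer, the certificate's validity window, and an explicit online revocation check via an X509Chain. The folder path, the seven-day "short-lived" threshold, and the file extensions are hypothetical choices; an expired short-lived certificate on a timestamped file is expected and is not treated as a finding, whereas a revoked one is.

```powershell
# Added example (not from the article or from Microsoft): triage Authenticode
# signatures on a set of binaries and surface revoked or short-lived signing certs.
# Assumes Windows PowerShell 5.1+ on Windows. $Path and $ShortLivedDays are
# hypothetical defaults chosen for illustration.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [int]$ShortLivedDays = 7
)

function Get-SignatureTriage {
    param([string]$File, [int]$ShortLivedDays)

    $sig = Get-AuthenticodeSignature -FilePath $File
    $result = [ordered]@{
        File        = $File
        Status      = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = $null
        Issuer      = $null
        ValidDays   = $null
        ShortLived  = $false
        Timestamped = [bool]$sig.TimeStamperCertificate
        Revocation  = 'n/a'
    }

    $cert = $sig.SignerCertificate
    if ($cert) {
        $result.Signer     = $cert.Subject
        $result.Issuer     = $cert.Issuer
        $result.ValidDays  = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays, 1)
        $result.ShortLived = $result.ValidDays -le $ShortLivedDays

        # Get-AuthenticodeSignature does not consult CRL/OCSP, so build the chain
        # ourselves with online revocation checking for every certificate in it.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $null = $chain.Build($cert)
        $flags = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
        $chain.Dispose()

        # NotTimeValid is normal for a short-lived cert on a timestamped file;
        # an actual revocation, or an inability to check, is what we care about.
        if ($flags -match '\bRevoked\b') {
            $result.Revocation = 'REVOKED'
        } elseif ($flags -match 'RevocationStatusUnknown|OfflineRevocation') {
            $result.Revocation = 'unknown'
        } else {
            $result.Revocation = 'ok'
        }
    }

    [pscustomobject]$result
}

Get-ChildItem -Path $Path -Include *.exe,*.dll,*.msi -Recurse -File |
    ForEach-Object { Get-SignatureTriage -File $_.FullName -ShortLivedDays $ShortLivedDays } |
    Sort-Object Status, ShortLived -Descending |
    Format-Table File, Status, Timestamped, ShortLived, ValidDays, Revocation, Signer -AutoSize
```

Run it against a download or staging directory; a row that shows Status Valid together with Revocation REVOKED is a file whose signer has since been revoked by the issuer and deserves a closer look, while ShortLived on its own is only a prompt to verify the publisher, since legitimate publishers also use short validity windows.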