Microsoft Disrupts Malware-Signing-as-a-Service Operation Abusing Azure Artifact Signing
**Microsoft** has successfully disrupted a Malware-Signing-as-a-Service (MSaaS) operation, **Fox Tempest**, that exploited the **Azure Artifact Signing** service to generate fraudulent code-signing certificates. These certificates were then used by ransomware gangs and other cybercriminals to sign and distribute malicious software, bypassing security controls.

**Microsoft** has taken down a significant Malware-Signing-as-a-Service (MSaaS) operation that abused its own **Azure Artifact Signing** service. The operation, run by threat actors tracked as **Fox Tempest**, generated fraudulent code-signing certificates used by ransomware groups and other cybercriminals.
### Azure Artifact Signing Abuse
**Azure Artifact Signing** (previously Trusted Signing) is a cloud-based service launched by **Microsoft** in 2024, designed to allow developers to easily sign their programs. However, **Fox Tempest** exploited this service to create short-lived certificates, allowing malware to be digitally signed and trusted as legitimate software by both users and operating systems.
**Microsoft** reports that the financially motivated threat actor created over 1,000 certificates and hundreds of **Azure** tenants and subscriptions as part of the operation. **Microsoft** also unsealed a legal case in the U.S. District Court for the Southern District of New York targeting the cybercrime operation.
"**Fox Tempest** has created over a thousand certificates and established hundreds of **Azure** tenants and subscriptions to support its operations. **Microsoft** has revoked over one thousand code signing certificates attributed to **Fox Tempest**," **Microsoft** stated.
### Disruption of the MSaaS Operation
In May 2026, **Microsoft's** Digital Crimes Unit (DCU), with support from industry partners, disrupted **Fox Tempest's** MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use.
**Microsoft** seized the signspace[.]cloud domain used by the service, took hundreds of virtual machines tied to the operation offline, and blocked access to infrastructure hosting the cybercrime platform. The site now redirects visitors to a **Microsoft**-operated site explaining the domain seizure as part of a lawsuit against the malware-signing-as-a-service scheme.
### Malware and Ransomware Connections
The operation was linked to numerous malware and ransomware campaigns involving Oyster, Lumma Stealer, Vidar, as well as the Rhysida, Akira, INC, Qilin, and BlackByte ransomware operations. Threat actors, including Vanilla Tempest (INC Ransomware members), Storm-0501, Storm-2561, and Storm-0249, used the signed malware in their attacks.
**Microsoft** also named the Vanilla Tempest ransomware operation as a co-conspirator in the legal action, stating that the group used the service to distribute malware and ransomware in attacks targeting organizations worldwide.
The MSaaS was operated through signspace[.]cloud and allowed cybercriminal customers to upload malicious files for code-signing using fraudulently obtained certificates.

These signed malware files were then used by threat actors to impersonate legitimate software such as **Microsoft Teams**, AnyDesk, PuTTY, and Webex, adding legitimacy to the downloads.
"When unsuspecting victims executed the falsely named **Microsoft Teams** installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware," reads **Microsoft's** complaint.
"Because the Oyster malware was signed by a certificate from **Microsoft's Artifact Signing** service, the Windows operating system initially recognized the malware as legitimate software, when it would otherwise be flagged as suspicious or blocked entirely by security controls in the Windows operating system."
### Identity Theft and Short-Lived Certificates
**Microsoft** believes the operators likely used stolen identities from the United States and Canada to pass Artifact Signing identity verification requirements and obtain the signing credentials.
When obtaining certificates, the threat actors reportedly used only short-lived certificates valid for 72 hours to reduce the risk of detection.
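An added example, not from Microsoft or the original article: a triage pass over signer metadata that combines the two traits described above, a signing certificate valid for 72 hours or less and a file name that borrows a brand (Teams, AnyDesk, PuTTY, Webex) the signer does not match. The record fields, publisher strings and sample rows are constructed assumptions.

```python
from datetime import datetime, timedelta

SHORT_LIVED = timedelta(hours=72)  # certificate lifetime reported in the article

# Brands the article lists as impersonated. The publisher strings are assumptions:
# replace them with the signer names on your own known-good installers.
EXPECTED_PUBLISHER = {
    "teams": "Microsoft Corporation",
    "anydesk": "AnyDesk Software GmbH",
    "putty": "Simon Tatham",
    "webex": "Cisco",
}

def cert_lifetime(rec):
    """Validity window of the leaf signing certificate."""
    return datetime.fromisoformat(rec["not_after"]) - datetime.fromisoformat(rec["not_before"])

def triage(rec):
    """Return (verdict, reasons) for one signed-file record."""
    reasons = []
    # Weak signal on its own: legitimately signed software can also carry
    # short-lived certificates (assumption), so it never yields "high" alone.
    short = cert_lifetime(rec) <= SHORT_LIVED
    if short:
        reasons.append("short_lived_cert")
    name, signer = rec["file"].lower(), rec["signer"].lower()
    mismatches = [f"brand_mismatch:{brand}"
                  for brand, publisher in EXPECTED_PUBLISHER.items()
                  if brand in name and publisher.lower() not in signer]
    reasons += mismatches
    if short and mismatches:
        return "high", reasons
    return ("review" if reasons else "ok"), reasons

# Constructed sample inventory (hypothetical field names, signers and dates).
SAMPLES = [
    {"file": "MSTeamsSetup.exe", "signer": "Example Holdings LLC",
     "not_before": "2026-01-10T00:00:00", "not_after": "2026-01-13T00:00:00"},
    {"file": "putty-installer.msi", "signer": "Simon Tatham",
     "not_before": "2025-06-01T00:00:00", "not_after": "2026-06-01T00:00:00"},
    {"file": "reportgen.exe", "signer": "Constructed Dev Shop Inc",
     "not_before": "2026-02-01T08:00:00", "not_after": "2026-02-04T08:00:00"},
    {"file": "AnyDesk.exe", "signer": "Unrelated Publisher Ltd",
     "not_before": "2025-03-01T00:00:00", "not_after": "2026-03-01T00:00:00"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["file"], *triage(rec))
```

A "high" verdict is a prompt to inspect the file, not proof of abuse; feed it signer fields exported from your own endpoint or EDR inventory.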
### Previous Abuse of Trusted Signing
BleepingComputer previously reported in March 2025 on threat actors abusing **Microsoft's** Trusted Signing service to sign malware used in a Crazy Evil Traffers crypto-theft campaign and a Lumma Stealer campaign. While that malware was also signed with 3-day certificates, it is unclear whether it was signed by the **Fox Tempest** cybercrime platform.
### Evolution of Fox Tempest's Operations
**Microsoft** also detailed how **Fox Tempest** evolved its operation earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Customers uploaded malware to the VM environments and received signed binaries using **Fox Tempest**-controlled certificates.
The malware-signing platform was promoted on a Telegram channel named "EV Certs for Sale by SamCodeSign," with pricing ranging from $5,000 to $9,000 in bitcoin for access to the platform.
**Microsoft** says the operation generated millions of dollars in profits and that the group behind it is well-resourced and capable of managing infrastructure, customer relations, and financial transactions.