Microsoft Disrupts Fox Tempest: Malware-Signing-as-a-Service Used in Ransomware Attacks

**Microsoft** has disrupted a malware-signing-as-a-service (MSaaS) operation, dubbed **Fox Tempest**, that abused the company's Artifact Signing system. The service allowed cybercriminals to sign malicious code as legitimate software, leading to widespread ransomware and other attacks. The operation, known as **OpFauxSign**, targeted thousands of machines worldwide.

### Fox Tempest's Malicious Service
**Microsoft** announced the disruption of **Fox Tempest**, a threat actor providing a malware-signing-as-a-service (MSaaS) scheme active since May 2025. This scheme enabled cybercriminals to disguise malware as legitimate software using fraudulently obtained code-signing certificates.

"To disrupt the service, we seized **Fox Tempest**'s website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code," said Steven Masada, assistant general counsel at **Microsoft**'s Digital Crimes Unit.

### Ransomware and Malware Deployment
The operation facilitated the deployment of **Rhysida** ransomware by threat actors like **Vanilla Tempest**, along with other malware families including **Oyster**, **Lumma Stealer**, and **Vidar**. This highlights **Fox Tempest**'s significant role in the cybercrime ecosystem.

Connections have been established between the threat actor and affiliates linked to prominent ransomware strains like **INC**, **Qilin**, **BlackByte**, and **Akira**. These attacks have targeted healthcare, education, government, and financial services across the U.S., France, India, and China.

### Abusing Artifact Signing
**Artifact Signing** (formerly Azure Trusted Signing), **Microsoft**'s managed signing solution, was abused by **Fox Tempest** to generate short-lived, fraudulent code-signing certificates. These certificates, valid for only 72 hours, allowed them to deliver trusted, signed malware, bypassing security controls.

"To obtain legitimate signed certificates through **Artifact Signing**, the requestor must pass detailed identity validation processes in keeping with industry standard verifiable credentials (VC), which suggests the threat actor very likely used stolen identities based in the United States and Canada to masquerade as a legitimate entity and obtain the necessary digital credentials for signing," **Microsoft** explained.

The SignSpace website, built on **Artifact Signing**, enabled secure file signing through an admin panel and user page, leveraging Azure subscriptions, certificates, and a structured database for managing users and files.

### Operation Details and Costs
The service allowed cybercriminal customers to upload malicious files for code-signing using certificates fraudulently obtained by **Fox Tempest**. This enabled malware and ransomware to masquerade as legitimate software such as AnyDesk, **Microsoft Teams**, PuTTY, and **Cisco Webex**. The service was priced between $5,000 and $9,000.
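
A defender-side triage sketch for the masquerading described above and the 72-hour certificates noted under "Abusing Artifact Signing": it flags files whose product name claims one of the impersonated brands while the signer is someone else. This is an added example, not Microsoft's detection logic; the publisher names, record fields, and sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed publisher names for the products named above; confirm them against
# genuine installers in your own environment before relying on this list.
EXPECTED_PUBLISHER = {
    "anydesk": "AnyDesk Software GmbH",
    "microsoft teams": "Microsoft Corporation",
    "putty": "Simon Tatham",
    "cisco webex": "Cisco",
}
SHORT_LIVED = timedelta(hours=72)  # certificate lifetime stated in the article

def triage(record):
    """Return findings for one signed-file metadata record."""
    findings = []
    product = record["product_name"].lower()
    signer = record["signer_subject"].lower()
    for brand, publisher in EXPECTED_PUBLISHER.items():
        if brand in product and publisher.lower() not in signer:
            findings.append(f"claims '{brand}' but signer is '{record['signer_subject']}'")
    lifetime = (datetime.fromisoformat(record["not_after"])
                - datetime.fromisoformat(record["not_before"]))
    # A short lifetime only adds weight to a mismatch; it is not a finding alone.
    if findings and lifetime <= SHORT_LIVED:
        findings.append("signing certificate lifetime is 72 hours or less")
    return findings

def report(records):
    """Map file path -> findings, keeping only files with at least one finding."""
    return {r["path"]: f for r in records if (f := triage(r))}

# Constructed sample metadata, shaped like an export of Authenticode details.
SAMPLES = [
    {"path": "Downloads/MSTeamsSetup.exe", "product_name": "Microsoft Teams",
     "signer_subject": "CN=Example Holdings LLC, C=US",
     "not_before": "2026-03-01T00:00:00", "not_after": "2026-03-04T00:00:00"},
    {"path": "Tools/putty.exe", "product_name": "PuTTY suite",
     "signer_subject": "CN=Simon Tatham, C=GB",
     "not_before": "2024-01-10T00:00:00", "not_after": "2027-01-10T00:00:00"},
    {"path": "Build/internal-tool.exe", "product_name": "Internal Build Tool",
     "signer_subject": "CN=Example Holdings LLC, C=US",
     "not_before": "2026-03-01T00:00:00", "not_after": "2026-03-04T00:00:00"},
]

if __name__ == "__main__":
    for path, findings in report(SAMPLES).items():
        print(path, "->", "; ".join(findings))
```

A valid signature is not treated as a verdict here: the check compares who signed the file with who should have signed that product.
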
### Infrastructure Evolution
From February 2026, **Fox Tempest** shifted to providing customers with pre-configured virtual machines (VMs) hosted on **Cloudzy**, streamlining the delivery of signed binaries. This evolution reduced friction for customers and improved operational security for **Fox Tempest**.
### Tactics and Countermeasures
Threat actors like **Vanilla Tempest** distributed binaries signed through the service via legitimately purchased advertisements, redirecting users searching for **Microsoft Teams** to bogus download pages. This paved the way for the deployment of **Oyster** (aka Broomstick or CleanUpLoader), which delivers **Rhysida** ransomware.

**Microsoft** has actively countered **Fox Tempest**'s tradecraft by disabling fraudulent accounts and revoking illicitly obtained certificates. Court documents reveal that **Microsoft** worked with a "cooperative source" to purchase and test the service between February and March 2026.

"When attackers can make malicious software look legitimate, it undermines how people and systems decide what's safe," **Microsoft** said. "Disrupting that capability is key to raising the cost of cybercrime."