Microsoft Dismantles Fox Tempest, a Malware-Signing Service That Issued Over a Thousand Fraudulent Certificates Through Azure
Microsoft's Digital Crimes Unit seized signspace.cloud and revoked more than 1,000 fraudulent code-signing certificates after Fox Tempest sold access to Azure Artifact Signing for $5,000–$9,000 per transaction to ransomware groups including Rhysida, Akira, and Qilin.
Overview
On May 19, 2026, Microsoft’s Digital Crimes Unit disrupted Fox Tempest, a financially motivated threat actor that operated a malware-signing-as-a-service (MSaaS) platform through the website signspace[.]cloud. The operation obtained over a thousand code-signing certificates and stood up hundreds of Azure tenants and subscriptions, so that paying cybercriminals could receive short-lived, fraudulently obtained certificates that made their malware pass Windows signature checks as legitimate software, according to the Microsoft Security Blog. The group generated millions in proceeds while infecting thousands of machines across healthcare, education, government, and financial services organizations in the United States, France, India, and China, Microsoft On the Issues reported.
How the Service Worked
Fox Tempest built signspace[.]cloud on top of Microsoft Artifact Signing, a legitimate Azure service designed for software publishers to cryptographically authenticate their builds. According to The Hacker News, “The SignSpace website was built on Artifact Signing and enabled secure file signing through an admin panel and user page, leveraging Azure subscriptions, certificates, and a structured database for managing users and files.”
Certificates issued through the service were valid for only 72 hours. That lifetime is how Artifact Signing itself issues certificates rather than something Fox Tempest configured, but it worked in the operator’s favour: each certificate was disposable, and by the time a signed sample was analysed and reported the certificate had usually already expired, which reduced detection risk and blunted revocation. To pass the identity verification required by the Artifact Signing platform, Fox Tempest likely used stolen identities from the United States and Canada, according to BleepingComputer. Customers paid between $5,000 and $9,000 per transaction depending on their subscription tier, with higher-paying customers receiving priority queue access, the Microsoft Security Blog noted.
Starting in February 2026, Fox Tempest shifted to providing customers with pre-configured virtual machines hosted through Cloudzy’s US-based infrastructure, allowing threat actors to upload malicious files directly and receive signed binaries without direct interaction with the web portal, as documented by BleepingComputer.
The Attack Chain
Binaries signed with Fox Tempest certificates could impersonate trusted software including AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex, according to The Hacker News. A representative attack chain documented by Microsoft began when victims executed falsely named Microsoft Teams installer files: “those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware,” according to TechRadar. The Oyster malware succeeded in bypassing initial defenses because “the Windows operating system initially recognized the malware as legitimate software,” TechRadar reported.
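The two traits described above, a signer certificate with a validity window of 72 hours or less and a file that claims to be Teams or AnyDesk but is signed by someone else, can be hunted for on an endpoint with Get-AuthenticodeSignature. The PowerShell below is an added example, not code from Microsoft’s advisory or from any of the cited reports. The ‘Microsoft ID Verified’ issuer substring is an assumption about how Artifact Signing leaf certificates are named, the 72-hour threshold is the lifetime reported in the article, and the directory list is a starting point rather than a complete inventory.

```powershell
# Added example, not from the Microsoft advisory. Heuristic hunt for binaries signed with
# short-lived code-signing certificates whose signer does not match the company the file
# claims to come from. The issuer substring and the default path list are assumptions.
function Find-ShortLivedSigner {
    param(
        [string[]]$Path = @("$env:TEMP", "$env:LOCALAPPDATA", "$env:USERPROFILE\Downloads"),
        [int]$MaxValidityHours = 72,                           # lifetime reported for Fox Tempest certs
        [string]$CloudIssuerPattern = 'Microsoft ID Verified'  # assumed issuer naming for Artifact Signing leafs
    )

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }                    # unsigned files are a different hunt

            $validityHours = ($cert.NotAfter - $cert.NotBefore).TotalHours
            $shortLived    = $validityHours -le $MaxValidityHours
            $cloudIssued   = $cert.Issuer -match $CloudIssuerPattern

            # What the binary says about itself (version resource) versus who actually signed it.
            $claimedCompany  = $_.VersionInfo.CompanyName
            $companyMismatch = $claimedCompany -and ($cert.Subject -notmatch [regex]::Escape($claimedCompany))

            if ($shortLived -and ($cloudIssued -or $companyMismatch)) {
                [pscustomobject]@{
                    File            = $_.FullName
                    Status          = $sig.Status              # usually Valid: the cert was genuinely issued
                    Signer          = $cert.Subject
                    Issuer          = $cert.Issuer
                    ValidityHours   = [math]::Round($validityHours, 1)
                    ClaimedCompany  = $claimedCompany
                    CompanyMismatch = [bool]$companyMismatch
                    Thumbprint      = $cert.Thumbprint         # pivot value for a fleet-wide search
                }
            }
        }
    }
}

Find-ShortLivedSigner | Sort-Object ValidityHours | Format-Table -AutoSize
```

A Valid status on a flagged file is expected and is the point of the exercise: the certificate was really issued, so signature validity says nothing about intent. The thumbprint of any hit is the value to pivot on across the fleet, and a legitimate publisher that also uses a cloud signing service will show up here with a matching company name and no mismatch flag.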
Fox Tempest’s customer base included ransomware and infostealer operations relying on the certificates to evade detection. The Microsoft Security Blog identified Vanilla Tempest as a customer since June 2025, alongside Storm-0501, Storm-2561, and Storm-0249. The malware families distributed through the service included Rhysida, Oyster (Broomstick), Lumma Stealer, Vidar, INC, Qilin, Akira, and BlackByte.
Rhysida, the ransomware variant delivered through several Fox Tempest campaigns, has previously been used in high-profile attacks. According to Microsoft On the Issues, the variant “both encrypts files and steals data, often used for double extortion” and has been used “to steal and leak internal documents from the British Library and to disrupt operations at Seattle-Tacoma International Airport.”
Disruption and Legal Action
Microsoft unsealed a legal case in the US District Court for the Southern District of New York on May 19, 2026, targeting the Fox Tempest service, Microsoft On the Issues reported. As part of the enforcement action, Microsoft’s Digital Crimes Unit, working with Resecurity and Cloudzy, seized the signspace[.]cloud website, took offline hundreds of the virtual machines running the operation, blocked access to a site hosting the underlying code, revoked fraudulently obtained code-signing certificates, and removed fraudulent accounts, The Hacker News reported. Microsoft also said it strengthened the Artifact Signing verification processes as a systemic fix.
Microsoft stated it is also collaborating with Europol’s European Cybercrime Centre (EC3) and the Federal Bureau of Investigation (FBI) in the broader investigation, according to Microsoft On the Issues.
“Every day, we decide what software to trust in seconds guided by simple labels such as ‘verified,’ ‘secure,’ and ‘safe to install,’” said Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit, in Microsoft On the Issues. “This action wasn’t about stopping one actor. It sought to strategically neutralize a vital service that many attackers, particularly ransomware groups, rely on.”
What We Don’t Know
Microsoft did not disclose the full identities of Fox Tempest’s operators, who remain unnamed in the legal filings made public so far. The precise count of organizations compromised through malware signed with Fox Tempest certificates has not been published. The court case was unsealed on May 19, 2026, but no further details about defendants or indictments have been publicly released. Whether the disruption will permanently cripple the service or prompt a reconstitution under a different infrastructure is also unclear.
Analysis
The Fox Tempest operation illustrates a structural risk in cloud-based code signing: when issuance depends on an identity check that stolen identity documents can satisfy, the entire trust model downstream of that check can be weaponized. Microsoft’s Artifact Signing service — like similar offerings from other cloud providers — was designed to extend trust from institutional publishers to their software. By inserting fraudulent Azure tenants into that pipeline, Fox Tempest converted a security signal into cover for malware delivery at scale.
The 72-hour certificate lifetime worked as operational security for the service: by the time a sample is collected, analysed and reported, the certificate that signed it has usually already expired, so each certificate is disposable and burning one costs the operation nothing. Expiry alone does not neutralise the malware, because an Authenticode signature that carries a timestamp countersignature remains valid after the signing certificate expires; only revocation dated back to before the signing time invalidates binaries already in circulation, which is presumably why Microsoft revoked the certificates rather than letting them lapse. The shift to pre-configured virtual machines in February 2026 further lowered the technical barrier for customers, suggesting the service was actively refining its model toward higher volume and lower customer sophistication.
Microsoft’s response combined legal action, infrastructure seizure, and systemic platform hardening. The involvement of Europol EC3 and the FBI alongside the civil complaint in the Southern District of New York signals that prosecutors and law enforcement are treating malware-signing-as-a-service as a discrete criminal market, not merely a tool-sharing arrangement among existing threat actors.