Answer Brief
Microsoft's Digital Crimes Unit has disrupted 'SignSpace,' a prolific malware-signing-as-a-service operation run by the threat actor Fox Tempest. Using stolen identities to obtain certificates from Microsoft's own Artifact Signing system, the actor signed payloads on behalf of ransomware groups including Vanilla Tempest, Akira, and Qilin, allowing malicious binaries to bypass enterprise security controls globally.
Signal Timeline
1. Fox Tempest commences malware-signing-as-a-service operations
2. Actor shifts to pre-configured virtual machines on Cloudzy (February 2026) to streamline operations
3. Microsoft begins undercover purchase and testing of the SignSpace service
4. Microsoft executes OpFauxSign, seizing signspace[.]cloud and taking hundreds of VMs offline

Why It Matters
The takedown of the Fox Tempest infrastructure, dubbed OpFauxSign, shows how the cybercrime ecosystem now subverts the code-signing 'root of trust' that modern operating systems rely on. By abusing Microsoft's Artifact Signing system, Fox Tempest gave other threat actors a path from untrusted, easily detected binaries to signed payloads that inherit the reputation of a global platform provider. This shift complicates the defensive posture of organizations that rely on application allowlisting or signature-based trust models as a primary security layer. The SignSpace operating model, using stolen North American identities to pass verifiable credential checks, indicates that the bottleneck for malware distribution is no longer building the payload but acquiring legitimate signing authority.

The use of short-lived certificates (valid for only 72 hours) reflects a high level of operational awareness. These temporary certificates cover the initial 'blast' phase of a ransomware campaign, when the loader must evade immediate detection, yet expire quickly enough to complicate retroactive analysis and revocation for platform owners. One caveat for defenders: a timestamped Authenticode signature continues to validate after the signer certificate expires, so the 72-hour window limits the actor's signing opportunity, not how long an already-signed binary remains trusted on endpoints.

Security teams must recognize that a valid signature is increasingly a signal of identity, not of intent. In this case the identities were legitimate, but they were stolen and used to authorize illegitimate content. The monitoring implication is that organizations must move toward behavioral analysis of what a 'signed' binary actually does after execution, rather than granting it implicit trust based on its certificate status.

Fox Tempest's shift to pre-configured virtual machines on Cloudzy in early 2026 suggests a trend toward 'private-cloud' crime infrastructure. Centralizing the signing process within attacker-controlled VMs reduced the metadata trail left on client systems and streamlined the workflow for customers, which made the service more attractive to high-tier ransomware affiliates such as those of Akira and Qilin, who require high-velocity deployment cycles. The disruption of hundreds of these virtual machines likely caused a significant, though possibly temporary, degradation in these groups' ability to deploy signed loaders such as Oyster.

Decision points for IT and security leadership now center on the validity of 'trusted' software lists. When attackers can masquerade as legitimate tools such as Microsoft Teams or Cisco Webex using valid platform signatures, a signature-only perimeter is effectively neutralized. Teams should verify whether their EDR/XDR configurations automatically exclude signed binaries from deep inspection; if so, those policies should be revised to alert on low-prevalence or newly signed binaries even when the signer is a known entity. Delivery through search engine advertisements adds another layer of risk, weaponizing user trust in search results to drive traffic to malicious but technically 'trusted' downloads.

Uncertainty remains regarding the resilience of Fox Tempest. Microsoft noted the actor had already attempted to migrate to alternative code-signing services before the final seizure of signspace[.]cloud, which suggests the actor has the capital and identity-theft pipelines to rebuild elsewhere. Monitoring over the next quarter should focus on new domains offering similar high-cost 'secure' signing services and on shifts in the infrastructure patterns of the Rhysida and Vanilla Tempest groups.

The partnership between Microsoft and a 'cooperative source' for undercover testing indicates that proactive, offensive counter-intelligence is now a requirement for mapping the supply chains of high-impact threat actors before they reach global scale.
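The policy review above asks defenders to surface newly signed, low-prevalence binaries instead of exempting them from inspection. The PowerShell script below is an added hunting example written for this brief; it is not code from Microsoft or from the report. It assumes a Windows host where Get-AuthenticodeSignature is available, and the directory roots, the 72-hour validity threshold and the 7-day recency threshold are illustrative assumptions. It lists signed binaries whose signer certificate was valid for at most 72 hours and was issued within the last week, ranks them by how many flagged files share the same signer, and records whether the signature carries a timestamp countersignature.

```powershell
<#
  Added hunting example for this brief (not code from Microsoft or the report).
  Flags Authenticode-signed PE files whose signer certificate had a very short
  validity window and was issued recently, i.e. the footprint a 72-hour
  signing-service certificate leaves behind. Paths and thresholds are assumptions.
#>
param(
    [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA"),
    [int]$MaxValidityHours = 72,   # assumed: treat certs valid <= 72h as short-lived
    [int]$RecentDays = 7           # assumed: "newly signed" means issued this week
)

$now = Get-Date

$hits = Get-ChildItem -Path $Roots -Include *.exe, *.dll, *.msi -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Only chain-valid signatures are interesting here; unsigned or broken
        # files are already covered by ordinary controls.
        if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }

        $cert          = $sig.SignerCertificate
        $validityHours = ($cert.NotAfter - $cert.NotBefore).TotalHours
        $ageDays       = ($now - $cert.NotBefore).TotalDays

        if ($validityHours -le $MaxValidityHours -and $ageDays -le $RecentDays) {
            [pscustomobject]@{
                Path          = $_.FullName
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                NotBefore     = $cert.NotBefore
                NotAfter      = $cert.NotAfter
                ValidityHours = [math]::Round($validityHours, 1)
                # A timestamped signature still validates after NotAfter, so the
                # binary stays trusted long after the short-lived cert has expired.
                Timestamped   = [bool]$sig.TimeStamperCertificate
                Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }

# Crude local prevalence: how many flagged files share the same signer subject.
# A publisher seen on a single binary ranks first for triage.
$bySigner = @{}
foreach ($h in $hits) { $bySigner[$h.Subject] = 1 + [int]$bySigner[$h.Subject] }

$hits |
    Select-Object *, @{ Name = 'SignerPrevalence'; Expression = { $bySigner[$_.Subject] } } |
    Sort-Object SignerPrevalence, NotBefore |
    Format-Table Path, Subject, ValidityHours, Timestamped, SignerPrevalence, Sha256 -AutoSize
```

The output is a triage list, not a verdict: legitimate customers of the same signing service produce the same short-validity pattern, so each hit should be correlated with fleet-wide prevalence, the signer subject, the download path, and post-execution behavior before any action is taken.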
Event Type: security
Importance: high
Affected Companies
- AnyDesk
- Cisco
- Cloudzy
- Microsoft
Affected Sectors
- Education
- Financial Services
- Government
- Healthcare
- Technology
Key Numbers
- Service price range: $5,000 – $9,000
- Certificate validity duration: 72 hours
Frequently Asked Questions
What specifically is Malware-Signing-as-a-Service (MSaaS)?
MSaaS is a specialized cybercrime offering in which a provider (here, Fox Tempest) obtains legitimate digital certificates and signs malicious files on behalf of other attackers. The resulting malware appears to come from a verified publisher, helping it bypass antivirus and Endpoint Detection and Response (EDR) controls that treat a valid digital signature as evidence of trustworthiness.
How did Fox Tempest bypass Microsoft's identity verification for Artifact Signing?
The threat actor utilized stolen identities belonging to individuals and entities in the United States and Canada. By masquerading as legitimate developers, they were able to pass industry-standard verifiable credential (VC) checks required by Microsoft's Artifact Signing system (formerly Azure Trusted Signing).
Which specific malware families were supported by this infrastructure?
The service was primarily used to sign the Oyster loader (also known as Broomstick or CleanUpLoader), which frequently leads to Rhysida ransomware. Other signed malware included Lumma Stealer, Vidar, and payloads associated with ransomware operations like BlackByte, INC, and Akira.
What was the role of Cloudzy in this operation?
Starting in February 2026, Fox Tempest evolved its infrastructure by providing customers with pre-configured virtual machines hosted on Cloudzy. This allowed attackers to upload their malicious artifacts directly to controlled infrastructure, reducing friction and improving operational security for the service provider.