Microsoft Dismantles Fox Tempest: A Cybercrime Service Enabling Ransomware Attacks
- John Jordan
Microsoft has successfully disrupted "Fox Tempest," a sophisticated malware-signing-as-a-service (MSaaS) operation that enabled cybercriminals to disguise malicious software as legitimate applications. This operation, active since May 2025, compromised thousands of machines globally and facilitated ransomware attacks. Microsoft's action, codenamed "OpFauxSign," involved seizing Fox Tempest's website, taking down hundreds of virtual machines, and blocking access to its underlying code, significantly raising the cost and difficulty for cybercriminals.
Key Takeaways
- Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) operation.
- The service allowed cybercriminals to sign malware, making it appear legitimate.
- Fox Tempest facilitated ransomware attacks, including those by Rhysida (Vanilla Tempest).
- Other malware families like Oyster, Lumma Stealer, and Vidar were also deployed.
- Microsoft seized the operation's website and infrastructure.
The Fox Tempest Operation
Fox Tempest operated by fraudulently leveraging Microsoft's Artifact Signing system, a service designed to verify the legitimacy of software. The threat actor created short-lived, fraudulent code-signing certificates, often using stolen identities from the United States and Canada, to sign malicious files. These signed files could then masquerade as legitimate software from well-known applications like AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex, bypassing security controls and tricking users into executing them.
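The scheme above works because a bare "is this file signed?" check passes as soon as a certificate chains to a trusted root, whatever identity the certificate carries. The following PowerShell function is an added defender-side example, not code from the article or from Microsoft: it inspects a binary's Authenticode signature and flags the two properties the article calls out, a signer that does not match the publisher you expect for that file and an unusually short certificate validity window. The `-ExpectedPublisher` value and the 90-day lifetime threshold are assumptions to be set from your own software inventory and policy.

```powershell
function Test-SignedBinary {
    <#
    .SYNOPSIS
    Added example (not the article's or Microsoft's code): triage an Authenticode-signed
    file by checking signature status, signer identity and certificate lifetime.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Substring expected in the signer certificate's Subject (vendor organisation name),
        # taken from your software inventory; an assumption for this example
        [Parameter(Mandatory)][string]$ExpectedPublisher,
        # Certificates with very short validity windows are worth a second look;
        # the 90-day threshold is an assumed policy value
        [int]$MinLifetimeDays = 90
    )

    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $cert     = $sig.SignerCertificate
    $findings = New-Object System.Collections.Generic.List[string]
    $lifetime = $null

    # 1. A signature that does not verify at all (unsigned, tampered, untrusted chain)
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }

    if ($null -ne $cert) {
        $lifetime = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)

        # 2. Valid chain but the wrong identity: the core of the fraudulent-certificate problem
        if ($cert.Subject -notlike "*$ExpectedPublisher*") {
            $findings.Add("signer '$($cert.Subject)' does not match expected publisher '$ExpectedPublisher'")
        }

        # 3. Short-lived certificate, a pattern the article associates with this service
        if ($lifetime -lt $MinLifetimeDays) {
            $findings.Add("signing certificate lifetime is only $lifetime days")
        }
    }

    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status
        Signer       = if ($cert) { $cert.Subject } else { $null }
        Thumbprint   = if ($cert) { $cert.Thumbprint } else { $null }
        Timestamped  = $null -ne $sig.TimeStamperCertificate
        LifetimeDays = $lifetime
        Suspicious   = $findings.Count -gt 0
        Findings     = $findings
    }
}

# Usage (paths and publisher string are placeholders to replace with your own values):
# Test-SignedBinary -Path 'C:\Downloads\AnyDesk.exe' -ExpectedPublisher 'AnyDesk'
# Get-ChildItem 'C:\Downloads\*.exe' | ForEach-Object {
#     Test-SignedBinary -Path $_.FullName -ExpectedPublisher 'AnyDesk'
# } | Where-Object Suspicious | Format-List
```

The useful output is the `Findings` list rather than `Status` alone: a file signed through a fraudulently obtained certificate typically reports `Status = Valid`, and only the publisher mismatch or the short lifetime gives it away. Once a bad certificate is identified, its `Thumbprint` is the value to carry into an allow-listing policy (AppLocker or WDAC publisher rules, which pin on the signer identity rather than on "signed at all") or a detection rule.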
The service, which cost between $5,000 and $9,000, was used by various threat actors. Microsoft identified connections between Fox Tempest and affiliates associated with prominent ransomware strains such as INC, Qilin, BlackByte, and Akira. Attacks facilitated by this service have targeted critical sectors including healthcare, education, government, and financial services across the U.S., France, India, and China.
Microsoft's Disruption Efforts
Microsoft's Digital Crimes Unit (DCU) led the disruption effort, codenamed "OpFauxSign." This involved seizing Fox Tempest's website, taking offline hundreds of virtual machines used to run the operation, and blocking access to the underlying code. The company also worked with hosting providers and law enforcement agencies, including Europol's European Cybercrime Centre (EC3) and the FBI, to dismantle the infrastructure.
Fox Tempest demonstrated adaptability, shifting to third-party-hosted virtual machines in February 2026 to maintain operations after Microsoft began disabling fraudulent accounts and revoking illicit certificates. However, Microsoft's persistent countermeasures and legal actions have significantly hampered the service's ability to operate at scale.
Evolving Cybercrime Landscape
This operation highlights the evolving nature of cybercrime, which is increasingly modular, with specialized services like Fox Tempest acting as crucial enablers for other criminal groups. By making malware appear legitimate, Fox Tempest removed a significant barrier for attackers, increasing the success rate of their campaigns. Microsoft's action aims to raise the cost and complexity of such operations, thereby disrupting the cybercrime ecosystem.
Sources
Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks, The Hacker News.
A cybercrime service that turned "verified" software into a pathway for ransomware, Microsoft On the Issues, The Official Microsoft Blog.
Microsoft disrupts Fox Tempest malware-signing-as-a-service platform tied to ransomware gangs, The Record from Recorded Future News.
Microsoft takes down MSaaS used by ransomware gangs, Risky Business Newsletters.
Microsoft Takes Down Group Operating Ransomware-Enabling Signing Tool, Infosecurity Magazine.
