Microsoft Dismantles Fox Tempest Malware-Signing Service Fueling Global Ransomware Campaigns

Microsoft has struck at the heart of a cybercrime operation that turned legitimate code-signing tools into weapons for ransomware groups. The target, a service known as Fox Tempest, let attackers disguise malicious software as trusted applications. Thousands of machines fell victim worldwide. The action marks a significant push against specialized services that make attacks cheaper and more effective.

The company detailed the disruption in a blog post on May 19, 2026. Its Digital Crimes Unit seized the group’s main website at signspace.cloud. Hundreds of virtual machines went offline. Access to underlying code was blocked. And over 1,000 fraudulent code-signing certificates were revoked. But the story runs deeper than one seizure.

Fox Tempest launched in May 2025. It operated what Microsoft calls a malware-signing-as-a-service model. Customers uploaded payloads. The service signed them using certificates obtained through Microsoft’s own Artifact Signing platform. Those certificates lasted just 72 hours. Yet they carried enough weight to bypass security warnings. Malware looked legitimate. Defenses hesitated. Execution followed.

Attackers paid between $5,000 and $9,000 per use. Some reports cite a narrower $5,000 to $7,500 range. The group generated millions in proceeds. Orders flowed through a Telegram channel and a simple Google Form. Buyers received signed binaries that masqueraded as tools like Microsoft Teams, AnyDesk, PuTTY or Webex. One fake Teams installer deployed the Oyster backdoor, also tracked as Broomstick or CleanUpLoader. From there, Rhysida ransomware often followed.

The Hacker News reported that the operation compromised thousands of machines across the healthcare, education, government and financial sectors. Targets spanned the United States, France, India and China. Additional countries, including Brazil, Germany, Japan, the United Kingdom, Italy and Spain, appeared in broader assessments. Vanilla Tempest, a ransomware affiliate, leaned heavily on the service starting in June 2025. Other linked groups include those behind INC, Qilin, Akira and BlackByte campaigns.

Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit, described the effort. “To disrupt the service, we seized Fox Tempest’s website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code.” The unsealed civil complaint was filed in the U.S. District Court for the Southern District of New York on May 5. A court order came three days later.

But this wasn’t a sudden move. Microsoft had tracked Fox Tempest since September 2025. It revoked certificates repeatedly. It disabled fraudulent accounts. The operators adapted each time. They created hundreds of fake Microsoft accounts using stolen U.S. and Canadian identities. Later, starting in February 2026, they shifted to pre-configured virtual machines hosted on Cloudzy. Even after the takedown, the group tried to pivot customers to another signing service. Persistence defines this market.

And the downstream effects proved substantial. Signed malware slipped past antivirus checks. It enabled lateral movement and privilege escalation. Ransomware followed. Hospitals lost access to patient records. Schools faced data theft. Government agencies dealt with encrypted systems. The modular nature of modern cybercrime shines through here. One group builds the signing tool. Others buy access. Ransomware operators deploy. Profits split. Risk spreads.

Jonathan Greig of The Record noted the service’s popularity among ransomware gangs. Specific families included Oyster, Lumma Stealer and Vidar in addition to Rhysida. The operation’s success highlighted how code signing, meant to build trust, had been inverted. “Criminals are complaining about challenges accessing the current service,” Masada observed in the Microsoft blog. That friction matters.

Recent coverage reinforces the scale. Axios emphasized the service’s role in scaling attacks. It reported coordination with the FBI and Europol’s European Cybercrime Centre. Maurice Mason, a principal cybercrime investigator at Microsoft, contributed insights on the infrastructure. The group ran hundreds of Azure tenants and subscriptions to support the scheme. Such volume allowed rapid certificate generation and testing.

CSO Online added context on pricing and market position. Cybercriminals viewed the $5,000-plus fees as worthwhile because the signed binaries raised success rates dramatically. Unsigned malware often died at the first defense layer. Signed versions reached endpoints and executed. The article, published within the past day, described Fox Tempest as the largest such service Microsoft has tackled.

SecurityWeek connected the dots to earlier actions. Microsoft had revoked certificates tied to Vanilla Tempest in October 2025. The current disruption builds on that momentum. It also names Vanilla Tempest as a co-conspirator in the legal filing. The goal extends beyond removal of one platform. Microsoft aims to raise the overall cost of conducting cybercrime.

Yet adaptation remains the constant. Fox Tempest operators responded to previous countermeasures by changing hosting providers and rebranding. After the latest action, some chatter suggested movement toward alternative signing providers. Law enforcement partners will track those shifts. Resecurity provided supporting intelligence, according to Microsoft statements. Collaboration across private industry and agencies proves essential.

This case exposes a broader trend. Cybercrime has industrialized. Services specialize. Malware signing sits upstream in the supply chain. It lowers barriers for less sophisticated actors. Ransomware groups focus on deployment and extortion rather than every technical hurdle. AI tools further amplify reach. Malicious ads and search manipulation deliver the signed payloads to more victims with greater credibility.

Microsoft has strengthened verification processes in response. It limits reuse of compromised accounts. Enhanced detection features now flag suspicious signing patterns. The company continues to work with other certificate authorities and signing platforms to close similar loopholes. No single action ends the threat. Persistent pressure does.

Industry observers note the significance. For years, stolen or fraudulent certificates have helped malware evade detection. What changed is the service model. Instead of hunting individual certificates, criminals rent capacity. Upload. Pay. Receive signed output. The transaction takes minutes. The impact lasts far longer.

Thousands of victims. Multiple ransomware strains. Global reach. The Fox Tempest operation crystallized these risks. Microsoft’s response combined technical takedowns, legal action and public disclosure. It sends a signal. Upstream enablers are now priority targets. Disrupting them forces the entire chain to rebuild.

But the work continues. Groups will regroup. New services will emerge. Defenders must evolve verification, monitoring and response in tandem. The certificates that once promised safety now demand constant scrutiny. Trust, after all, is only as strong as the system enforcing it.

Microsoft Dismantles Fox Tempest Malware-Signing Service Fueling Global Ransomware Campaigns first appeared on Web and IT News.
