Microsoft Disrupts Fox Tempest Malware-Signing Service Used by Ransomware Gangs
Microsoft has disrupted Fox Tempest, a financially motivated cybercrime group that sold malware-signing services to ransomware operators and other attackers. The operation abused Microsoft Artifact Signing to make malicious files look like trusted software.
The takedown targeted signspace[.]cloud, a now-defunct platform that let customers upload malware and receive digitally signed binaries. Microsoft said the service helped attackers deliver malware, evade security controls, and increase the chances that victims would run malicious files.
Microsoft’s Digital Crimes Unit took action in May 2026 with support from Resecurity. The company also revoked more than 1,000 code-signing certificates tied to Fox Tempest and disrupted infrastructure used to support the service.
What Fox Tempest did
Fox Tempest did not operate like a typical ransomware group that breaks into victims directly. Instead, it acted as an enabler in the cybercrime supply chain.
The group sold access to a malware-signing-as-a-service platform. Customers could submit malicious files and receive versions signed with Microsoft-issued certificates fraudulently obtained through Artifact Signing, previously known as Azure Trusted Signing.
That signing made malware appear more legitimate to users and security tools. Attackers then used signed payloads in campaigns involving fake software installers, malicious ads, and search manipulation.
Fox Tempest at a glance
| Item | Details |
|---|---|
| Threat actor | Fox Tempest |
| Business model | Malware-signing-as-a-service |
| Main platform | signspace[.]cloud |
| Abused service | Microsoft Artifact Signing |
| Certificate validity | Up to 72 hours |
| Certificates revoked | More than 1,000 |
| Reported pricing | Thousands of dollars per signing service plan |
| Linked malware | Oyster, Lumma Stealer, Vidar, Rhysida ransomware |
How the signing service worked
Microsoft said Fox Tempest created hundreds of Azure tenants and subscriptions to support the operation. The group likely used stolen or fabricated identities to pass verification checks and obtain signing access.
The signspace[.]cloud portal separated administrator and customer roles. Fox Tempest managed the infrastructure and certificates, while customers uploaded files they wanted signed.
Once signed, the malware could impersonate legitimate software brands such as Microsoft Teams, AnyDesk, PuTTY, and Webex. That increased trust at the exact moment when a user or security system needed to decide whether the file looked safe.
Why code signing abuse is dangerous
Code signing exists to help users and operating systems confirm that software comes from a trusted publisher and has not changed after signing. Fox Tempest abused that trust boundary.
A signed malware file can look less suspicious than an unsigned file. It may face fewer warnings, pass some reputation checks more easily, or appear more credible when delivered through a fake download page.
This does not mean signed files are automatically safe. It shows why attackers pay for signing access, especially when they want malware to blend into normal software installation flows.
Fox Tempest later moved to hosted virtual machines
Microsoft said Fox Tempest changed its infrastructure in February 2026. Instead of relying only on the original portal model, the group started giving customers access to pre-configured virtual machines hosted through third-party infrastructure.
Those virtual machines included files and scripts used to sign submitted malware. Microsoft said this made the service easier for customers to use and improved operational security for Fox Tempest.
The setup included configuration files, a signed test file, and PowerShell scripts used for signing customer-submitted files. Microsoft’s disruption also targeted this newer infrastructure.
Ransomware groups used the service
Microsoft linked Fox Tempest to several ransomware and malware operations. The company said Vanilla Tempest used the signing service in attacks involving trojanized Microsoft Teams installers.

In that chain, victims searching for Microsoft Teams could land on malicious ads or fake download pages. The counterfeit installer then delivered the Oyster backdoor, also known as Broomstick, which helped attackers maintain access and deliver more payloads.
Microsoft said some observed attacks using this method later deployed Rhysida ransomware. The company also linked Fox Tempest activity to malware and ransomware families such as Lumma Stealer, Vidar, INC, Qilin, Akira, and BlackByte.
| Threat or malware | Role in the wider activity |
|---|---|
| Vanilla Tempest | Used Fox Tempest-signed payloads in real intrusions. |
| Oyster | Backdoor delivered through fake Microsoft Teams installers. |
| Rhysida | Ransomware deployed in some observed attack chains. |
| Lumma Stealer | Infostealer associated with signed malware activity. |
| Vidar | Infostealer associated with signed malware activity. |
| INC, Qilin, Akira, BlackByte | Ransomware families or affiliates linked through Microsoft’s analysis. |
Microsoft’s takedown focused on the cybercrime supply chain
The disruption did not only target one malware campaign. Microsoft aimed at the service that helped many attackers make their files look legitimate.
The company seized the signspace[.]cloud website, took offline hundreds of virtual machines used by the operation, and blocked access to a site that hosted underlying code. It also continued revoking fraudulently obtained certificates and strengthening protections against similar abuse.
Microsoft said the action has already caused problems for cybercriminal customers. However, it also warned that Fox Tempest has tried to shift customers toward another code-signing service.
Defensive steps for organizations
Organizations should treat signed files with caution when they come from suspicious download sources, ads, or lookalike websites. A valid signature can help verify a file’s origin, but it cannot replace behavior-based detection and reputation checks.
Security teams should also monitor short-lived certificate activity, suspicious installers using trusted brand names, and malware delivered through search ads or fake download pages.
- Enable cloud-delivered protection and real-time endpoint scanning.
- Use Microsoft Defender SmartScreen or similar browser protections to block malicious sites.
- Turn on tamper protection to stop attackers from disabling security tools.
- Use attack surface reduction rules where available.
- Enable Safe Links and Safe Attachments for email and collaboration tools.
- Watch for signed binaries from unusual sources or recently created certificates.
- Train users to download enterprise software only from official vendor pages.
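The checks called out above (short-lived certificates, signed binaries carrying a trusted brand name, thumbprints from the indicator list) can be turned into simple triage logic. The block below is an added example, not code from Microsoft or from the article; the signature records are constructed and mirror the fields that Get-AuthenticodeSignature exposes, and the expected-signer mapping is an assumption for illustration.

```python
"""Triage Authenticode signer metadata for the warning signs described above."""
from datetime import datetime, timedelta

# SHA-1 certificate thumbprints from the article's indicator table.
REVOKED_CERT_SHA1 = {
    "dc0acb01e3086ea8a9cb144a5f97810d291020ce",
    "7e6d9dac619c04ae1b3c8c0906123e752ed66d63",
}
# Impersonated product -> organisation expected on a genuine signature
# (assumption for illustration; extend from your own software inventory).
EXPECTED_SIGNER = {"Microsoft Teams": "Microsoft Corporation"}
# Fox Tempest certificates were valid for up to 72 hours (per the article).
SHORT_LIVED = timedelta(hours=72)


def triage(sig, revoked=REVOKED_CERT_SHA1, short_lived=SHORT_LIVED):
    """Return reasons a signed file deserves review; [] means no signature-level
    finding, which is not the same as the file being safe."""
    findings = []
    if sig["status"] != "Valid":                       # chain/hash problems
        findings.append("signature-not-valid")
    if sig["cert_sha1"].lower() in revoked:            # known-bad thumbprint
        findings.append("cert-in-indicator-list")
    lifetime = sig["not_after"] - sig["not_before"]
    if lifetime <= short_lived:                        # unusually short cert
        findings.append(f"short-lived-cert:{int(lifetime.total_seconds() // 3600)}h")
    expected = EXPECTED_SIGNER.get(sig["product"])
    if expected and sig["signer_org"] != expected:     # brand/signer mismatch
        findings.append(f"brand-mismatch:{sig['product']}<-{sig['signer_org']}")
    return findings


# Constructed samples: a long-lived vendor signature, and a fake installer
# signed with a 72-hour certificate whose thumbprint is in the indicator list.
SAMPLES = {
    "teams_real.exe": dict(product="Microsoft Teams", signer_org="Microsoft Corporation",
        cert_sha1="0" * 40,  # placeholder thumbprint, not a real certificate
        not_before=datetime(2025, 1, 1), not_after=datetime(2026, 1, 1), status="Valid"),
    "TeamsSetup.exe": dict(product="Microsoft Teams", signer_org="Example Signing Ltd",
        cert_sha1="dc0acb01e3086ea8a9cb144a5f97810d291020ce",
        not_before=datetime(2026, 3, 1, 9), not_after=datetime(2026, 3, 4, 9), status="Valid"),
}


def triage_all(samples=SAMPLES):
    return {name: triage(sig) for name, sig in samples.items()}


if __name__ == "__main__":
    for name, hits in triage_all().items():
        print(name, "->", ", ".join(hits) if hits else "no signature-level findings")
```

In practice the records would be built from endpoint telemetry or a script that walks downloaded installers, and any hit would be escalated for behavioral analysis rather than treated as a verdict.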
Why this case matters
Fox Tempest shows how cybercrime has become more specialized. One group can focus only on signing malware, while other groups handle ads, loaders, credential theft, ransomware deployment, or extortion.

This service model makes attacks easier to scale. Criminal customers do not need to build their own signing infrastructure or pass identity checks themselves. They can buy that capability from a provider.
For defenders, the lesson is clear. Trust signals such as code signatures need context. Security teams should combine certificate checks with download-source reputation, file behavior, identity signals, and endpoint telemetry.
Indicators linked to Fox Tempest
| Indicator type | Indicator |
|---|---|
| Domain | signspace[.]cloud |
| Certificate SHA-1 | dc0acb01e3086ea8a9cb144a5f97810d291020ce |
| Certificate SHA-1 | 7e6d9dac619c04ae1b3c8c0906123e752ed66d63 |
| File SHA-256 | f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc |
| File SHA-256 | 11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326 |
| File SHA-256 | f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55 |
Summary
- Microsoft disrupted Fox Tempest, a malware-signing-as-a-service operation.
- The group abused Microsoft Artifact Signing to obtain short-lived signing certificates.
- More than 1,000 certificates linked to the operation were revoked.
- The service helped malware appear legitimate, including fake installers for trusted brands.
- Microsoft linked the activity to Vanilla Tempest, Oyster, Rhysida, Lumma Stealer, Vidar, and other ransomware ecosystems.
- Organizations should not rely on signatures alone when judging whether a file is safe.
FAQ
Fox Tempest is a financially motivated cybercrime group that operated a malware-signing-as-a-service platform. Microsoft said the group helped other attackers sign malicious files so they appeared more legitimate.
Fox Tempest fraudulently obtained short-lived Microsoft-issued code-signing certificates through Artifact Signing. Customers then used the service to sign malware and make it look like trusted software.
signspace[.]cloud was the platform used by Fox Tempest to provide malware-signing services. Customers could upload files and receive signed binaries through Fox Tempest-controlled certificates.
Microsoft linked Fox Tempest-signed malware to Oyster, Lumma Stealer, Vidar, Rhysida ransomware, INC, Qilin, Akira, BlackByte, and activity involving groups such as Vanilla Tempest.
Organizations should enable endpoint protection, cloud-delivered scanning, SmartScreen or similar web protections, tamper protection, attack surface reduction rules, Safe Links, Safe Attachments, and monitoring for suspicious short-lived certificates or signed files from untrusted sources.