
Microsoft has dismantled a sophisticated criminal operation that essentially ran a paid signing service for malware, allowing ransomware groups to make their malicious software appear completely legitimate to Windows security tools.
The threat actor, tracked as Fox Tempest, operated a service called signspace[.]cloud that exploited Microsoft's own Artifact Signing infrastructure (formerly Azure Trusted Signing) to generate short-lived, 72-hour code-signing certificates. Those certificates let malware masquerade as trusted software — think AnyDesk, Microsoft Teams, PuTTY, or Webex — bypassing endpoint security controls that would otherwise flag unsigned executables.
In May 2026, Microsoft's Digital Crimes Unit (DCU), working with industry partners, pulled the plug on the operation and revoked over 1,000 fraudulent certificates Fox Tempest had generated across hundreds of Azure tenants.
How the Service Worked
Fox Tempest ran this like a proper SaaS business. Customers — other cybercriminals — paid between $5,000 and $9,500 per plan (with higher tiers getting queue priority) via a bilingual English-Russian Google Form. They'd upload malicious payloads to Fox Tempest-controlled environments and receive a properly signed binary back, ready to deploy.
The infrastructure evolved over time. By February 2026, the group had shifted to providing customers with pre-configured virtual machines hosted on Cloudzy, a US-based VPS provider, further streamlining operations and reducing their own exposure.
Microsoft believes Fox Tempest likely used stolen US and Canadian identities to pass the identity verification required for Artifact Signing certificates.
Figure: Fox Tempest attack chain (Image: Microsoft)
Real-World Damage
The downstream impact was severe. Ransomware groups, including Vanilla Tempest, Storm-0501, and Storm-2561, all used Fox Tempest-signed malware in active attacks. One documented chain involved Vanilla Tempest distributing a trojanized Microsoft Teams installer through paid Google Ads — victims who downloaded it got the Oyster backdoor and, in several cases, Rhysida ransomware.
Microsoft links Fox Tempest to proceeds in the millions, with victim organisations spanning healthcare, education, government, and financial services across the US, France, India, and China.
What You Should Do
Microsoft recommends enabling cloud-delivered protection in Microsoft Defender, turning on Safe Links and Safe Attachments in Defender for Office 365, and activating attack surface reduction rules — specifically the advanced ransomware protection rule. Users should also be cautious when downloading software via search ads, even if the binary appears to be signed.
The takedown is significant, but the model Fox Tempest pioneered — malware-signing-as-a-service — is likely to be replicated. Security teams should treat code signatures as a trust signal, not a guarantee.
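The closing point, that a valid signature is a trust signal rather than a guarantee, can be turned into a triage check over file-signature telemetry. The Python below is an added example, not Microsoft's detection logic or code from the original article; the event fields, sample records and expected-publisher names are constructed assumptions to replace with values taken from your own known-good installers.

```python
from datetime import datetime, timedelta

# Assumed publisher names per product; verify against your own known-good installers.
EXPECTED_PUBLISHERS = {
    "anydesk": {"AnyDesk Software GmbH"},
    "microsoft teams": {"Microsoft Corporation"},
    "putty": {"Simon Tatham"},
    "webex": {"Cisco Systems, Inc."},
}
SHORT_LIVED = timedelta(hours=72)  # certificate lifetime reported in the article

# Constructed sample telemetry (not real events): one record per validly signed file.
SAMPLE_EVENTS = [
    {"path": r"C:\Users\a\Downloads\MSTeamsSetup.exe", "product": "Microsoft Teams",
     "signer": "Example Holdings LLC", "not_before": "2026-03-01T10:00:00", "not_after": "2026-03-04T10:00:00"},
    {"path": r"C:\Program Files\PuTTY\putty.exe", "product": "PuTTY",
     "signer": "Simon Tatham", "not_before": "2024-01-10T00:00:00", "not_after": "2027-01-10T00:00:00"},
    {"path": r"C:\Tools\buildtool.exe", "product": "Internal Build Tool",
     "signer": "Contoso Dev Team", "not_before": "2026-03-02T08:00:00", "not_after": "2026-03-05T08:00:00"},
    {"path": r"C:\Users\b\Downloads\webex.exe", "product": "Cisco Webex Meetings",
     "signer": "Unrelated Trading Ltd", "not_before": "2025-06-01T00:00:00", "not_after": "2026-06-01T00:00:00"},
]

def claimed_brand(product):
    # Map the file's product metadata to a watched brand, or None if it claims none.
    name = product.lower()
    return next((b for b in EXPECTED_PUBLISHERS if b in name), None)

def assess(event):
    lifetime = datetime.fromisoformat(event["not_after"]) - datetime.fromisoformat(event["not_before"])
    short = lifetime <= SHORT_LIVED
    brand = claimed_brand(event["product"])
    mismatch = brand is not None and event["signer"] not in EXPECTED_PUBLISHERS[brand]
    if mismatch and short:
        return "high"    # claims a known brand, wrong publisher, short-lived certificate
    if mismatch:
        return "medium"  # claims a known brand, wrong publisher
    # A short lifetime alone is informational: it is a property of the signing service.
    return "info" if short else "none"

def triage(events):
    return {e["path"]: assess(e) for e in events}

if __name__ == "__main__":
    for path, severity in triage(SAMPLE_EVENTS).items():
        print(f"{severity:6} {path}")
```
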
