
Microsoft shuts down MSaaS signing fake certificates via Fox Tempest

Microsoft says it disrupted a malware-signing-as-a-service operation run by the threat actor Fox Tempest, which abused Azure Artifact Signing to create short-lived code-signing certificates. The service helped ransomware and stealers distribute signed malware.

For cybercriminals, “trusted” can be everything. Microsoft says Fox Tempest turned that trust into a business model—using Microsoft’s Artifact Signing service to generate fake code-signing certificates that allowed malware to appear legitimate to both users and operating systems.

In a report published today by Microsoft Threat Intelligence, Microsoft described how the threat actor, tracked as Fox Tempest, used the Microsoft Artifact Signing platform to create short-lived certificates that were then used to sign fraudulent code. The certificates helped malicious files slip past security controls that would otherwise flag them as suspicious or block them outright.

Microsoft’s disruption doesn’t stop at warnings. The company says it revoked over one thousand code-signing certificates attributed to Fox Tempest and, as part of today’s action, unsealed a legal case in the U.S. District Court for the Southern District of New York targeting the cybercrime operation.

Microsoft said Fox Tempest created more than 1,000 certificates and set up hundreds of Azure tenants and subscriptions to support the operation. Microsoft also said its Digital Crimes Unit, with support from industry partners, disrupted Fox Tempest’s MSaaS offering in May 2026—aiming at the infrastructure and access model that enabled its broader criminal use.

The shutdown included concrete takedown steps: Microsoft says it seized the signspace[.]cloud domain used by the service, took hundreds of virtual machines tied to the operation offline, and blocked access to infrastructure hosting the cybercrime platform. The site now redirects visitors to a Microsoft-operated page explaining that the domain was seized as part of a lawsuit against the malware-signing-as-a-service scheme.

The impact shows up in the malware families and ransomware campaigns Microsoft linked to the operation. Microsoft said the signed malware was involved in numerous campaigns, including Oyster, Lumma Stealer, Vidar, and the ransomware operations Rhysida, Akira, INC, Qilin, and BlackByte. It also said threat actors including Vanilla Tempest (INC Ransomware members), Storm-0501, Storm-2561, and Storm-0249 used the signed malware in their attacks.

In the company’s complaint, the mechanism is described with stark clarity: “When unsuspecting victims executed the falsely named Microsoft Teams installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware.” Microsoft adds that because the Oyster malware was signed using a certificate from Microsoft’s Artifact Signing service, Windows initially recognized it as legitimate software—meaning it could bypass what Windows and security controls would otherwise treat as suspicious.


Microsoft believes the operators likely used stolen identities from the United States and Canada to pass Artifact Signing identity verification requirements and obtain signing credentials. It also said the actors reportedly used only short-lived certificates—valid for 72 hours—so the certificates would last briefly and reduce the chance of detection.
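The two details above, a 72-hour certificate lifetime and a later mass revocation, are both things a defender can check directly on a Windows host. The script below is an added example written for this article, not code from Microsoft’s report or from the Artifact Signing service: it sweeps a directory for signed executables, computes how long each signer certificate was valid, and builds a certificate chain with online revocation checking so binaries signed with a since-revoked certificate are surfaced. The directory path and the 72-hour threshold are illustrative placeholders.

```powershell
# Added example (not from Microsoft's report): flag executables signed with
# very short-lived certificates and check whether the signer has been revoked.
# Assumes a Windows host with PowerShell 5.1 or later; $Path and
# $MaxLifetimeHours are placeholders chosen for illustration.
param(
    [string]$Path = 'C:\ProgramData',   # placeholder: directory to sweep
    [int]$MaxLifetimeHours = 72         # lifetimes at or below this are flagged
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if (-not $sig.SignerCertificate) { return }   # unsigned file: out of scope here

    $cert     = $sig.SignerCertificate
    $lifetime = $cert.NotAfter - $cert.NotBefore

    # Build a chain with online revocation checking for every certificate in
    # the chain, so a signer revoked after the file was signed still shows up.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)
    $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        File          = $_.FullName
        SignatureOK   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        LifetimeHours = [math]::Round($lifetime.TotalHours, 1)
        ShortLived    = $lifetime.TotalHours -le $MaxLifetimeHours
        ChainStatus   = if ($statuses) { $statuses } else { 'NoError' }
        Revoked       = [bool]($statuses -match 'Revoked')
    }
} |
Where-Object { $_.ShortLived -or $_.Revoked } |
Format-Table File, SignatureOK, LifetimeHours, ShortLived, ChainStatus -AutoSize
```

The Status returned by Get-AuthenticodeSignature says whether the signature verifies, not how long the certificate lived, which is why the lifetime is computed separately from NotBefore and NotAfter. Treat a short lifetime as a triage signal rather than proof of anything: the signing service also issues short-lived certificates to legitimate customers, so the interesting rows are the ones where a short-lived signer, a revoked chain, and an unexpected subject or issuer line up.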

The operation was built not just around signing, but around delivery and repeatable access. Microsoft said the MSaaS was run through signspace[.]cloud, allowing “cybercriminal customers” to upload malicious files for code-signing using fraudulently obtained certificates.

The service also appears to have been marketed directly to criminals. Microsoft said the platform was promoted on a Telegram channel named “EV Certs for Sale by SamCodeSign,” with pricing ranging from $5,000 to $9,000 in bitcoin for access.

As Microsoft tells it, the criminal operation scaled with infrastructure and customer handling. The company said it generated millions of dollars in profits and was “well-resourced,” capable of managing infrastructure, customer relations, and financial transactions.


Microsoft also described how Fox Tempest adapted earlier in the year: it said the group evolved its operation by offering customers pre-configured virtual machines hosted through Cloudzy infrastructure. Customers uploaded malware to the VM environments and received signed binaries using Fox Tempest-controlled certificates.

Alongside the takedown and legal action, Microsoft named the Vanilla Tempest ransomware operation as a co-conspirator in the legal case, saying the group used the service to distribute malware and ransomware in attacks targeting organizations worldwide.

The story sits in a wider pattern of abuse of signing services. Microsoft Threat Intelligence noted that this mirrors earlier reporting from March 2025 about threat actors abusing Microsoft’s Trusted Signing service to sign malware used in a Crazy Evil Traffers crypto-theft campaign and a Lumma Stealer campaign. In that earlier reporting, the certificates were also described as 3-day certificates, though Microsoft said it remains unclear whether those earlier samples were signed through Fox Tempest’s platform.

Microsoft’s message today is unambiguous: when criminals can get malware signed in a way that looks credible, they can push malicious code closer to the moment it runs. By revoking certificates, seizing signspace[.]cloud, taking hundreds of virtual machines offline, and pursuing legal action, Microsoft is trying to close the door that Fox Tempest used to monetize trust.


4 Comments

  1. I don’t really get it but if they can sign malware then what’s the point of code signing. Like Windows is just like “ok looks legit” and lets it through.

  2. Wait, so Microsoft shut down MSaaS signing… but isn’t Azure Artifact Signing like a Microsoft feature anyway? Sounds like the company discovered their own weakness too late. Revoking 1,000 certificates doesn’t undo what already got installed.

  3. All I heard was “fake certificates” and “seized a domain” so I’m thinking this is another ransomware thing where they hide behind paperwork. But also “short-lived” like… ok so it’s gone fast yet it still did damage? They say hundreds of tenants too which is wild, like how do you even set that up without getting caught sooner.
