MICROSOFT said it disrupted a malware-signing-as-a-service operation that used the Artifact Signing system to deliver malicious code and enable ransomware attacks, compromising thousands of machines and networks worldwide. The activity is attributed to a threat actor it calls Fox Tempest, which offered the MSaaS scheme to disguise malware as legitimate software, and who has been active since May 2025; the seizure effort was codenamed OpFauxSign.
Microsoft noted that the operation helped deploy Rhysida ransomware and other malware families such as Oyster, Lumma Stealer, and Vidar, with affiliates linked to INC, Qilin, BlackByte, and Akira. The SignSpace website was built on Artifact Signing and allowed paying customers to upload malicious files for code-signing using fraudulently obtained certificates, with prices ranging from $5,000 to $9,000; certificates were valid for 72 hours.
Starting February 2026, Fox Tempest shifted to providing pre-configured virtual machines hosted on Cloudzy to streamline signing and delivery of signed malware, a move Microsoft described as reducing friction and improving operational security.
Microsoft also said it disrupted hundreds of signspace[.]cloud accounts and blocked access to a site hosting the underlying code, with a cooperative source aiding testing between February and March 2026, according to Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit.