Microsoft has announced a major cybercrime disruption campaign targeting a sophisticated “Malware-Signing-as-a-Service” (MSaaS) operation that allegedly enabled ransomware gangs and malware operators to disguise malicious code as legitimate software. The company said the network, tracked as “Fox Tempest,” had been active since 2025 and was linked to attacks that compromised thousands of systems and enterprise networks worldwide.
How the Malware-Signing Service Worked
According to Microsoft, the cybercriminal operation abused the company’s Artifact Signing platform to obtain fraudulent digital certificates used for signing malware. Once digitally signed, the malicious files appeared trustworthy to operating systems and security tools, helping attackers bypass detection systems and deploy ransomware, credential-stealing malware, and remote access payloads.
OpFauxSign Takedown and Technical Disruption
Microsoft’s Digital Crimes Unit stated that the takedown effort, codenamed “OpFauxSign,” involved the seizure of the domain signspace[.]cloud, the shutdown of hundreds of virtual machines allegedly supporting the operation, and the disruption of backend infrastructure used to manage the malware-signing service.
Investigators said the operation functioned as a commercial underground platform catering to cybercriminal customers. Threat actors could reportedly upload malicious executables and receive digitally signed versions that looked authentic to both users and security software. The signed malware was then distributed under the appearance of trusted applications such as Microsoft Teams, AnyDesk, PuTTY, and Cisco Webex.
The company linked the operation to several malware and ransomware campaigns, including Rhysida ransomware as well as Oyster, Lumma Stealer, and Vidar malware families. Investigators also identified alleged connections between Fox Tempest and ransomware affiliates associated with INC, Qilin, BlackByte, and Akira operations. These attacks reportedly targeted healthcare institutions, government departments, financial services, and educational organizations across the United States, France, India, and China.
Microsoft revealed that the threat actors are suspected of using stolen digital identities belonging to individuals in the United States and Canada to bypass the company’s verification procedures and obtain legitimate signing credentials. The fraudulent certificates were typically active for around 72 hours before attackers rotated to newly acquired credentials to continue operations.
According to investigators, the cybercrime network significantly upgraded its infrastructure after February 2026. Threat actors allegedly began offering pre-configured virtual machines hosted through Cloudzy, enabling customers to directly upload malicious files onto attacker-controlled systems and receive signed binaries remotely. Microsoft estimated the underground service charged customers between ₹4.2 lakh and ₹7.5 lakh depending on operational requirements and the scale of signing requests.
Threat to the Digital Trust Ecosystem
Cybersecurity experts say the misuse of digital signing systems represents a serious threat to the global software ecosystem because digital certificates are widely trusted by operating systems, enterprise networks, and endpoint protection platforms. Once malicious software carries a valid digital signature, many automated security mechanisms are less likely to flag it as suspicious.
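The practical consequence for defenders is that a valid Authenticode chain can no longer be treated as a stopping point. The following Python snippet is an added illustration, not code from Microsoft or from the article, of three cheap checks a triage pipeline can run over signature metadata once a valid signature is already confirmed: whether the signer matches the publisher expected for the product the file name claims to be (the article names Teams, AnyDesk, PuTTY and Webex as impersonated), whether the binary was signed very soon after its certificate's notBefore date (the article reports certificates were used for roughly 72 hours before rotation, so that window is used here as an assumed heuristic threshold), and whether the signer has ever been seen in the environment before. The publisher names in the allowlist, the `SignedBinary` record layout and the sample records are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative expected-publisher allowlist for the products the article names as
# impersonated. These CN strings are assumptions for this example; an organisation
# would build its own list from signatures on binaries it has verified itself.
EXPECTED_PUBLISHER = {
    "teams.exe": "Microsoft Corporation",
    "anydesk.exe": "AnyDesk Software GmbH",
    "putty.exe": "Simon Tatham",
    "webex.exe": "Cisco Systems, Inc.",
}

# Heuristic window: the article reports certificates were used for about 72 hours
# before the operators rotated to new ones, so a binary signed very shortly after its
# certificate's notBefore date deserves a closer look. The threshold is an assumption.
FRESH_CERT_WINDOW = timedelta(hours=72)


@dataclass
class SignedBinary:
    """Signature metadata as an EDR or Authenticode parser would surface it (constructed layout)."""
    file_name: str
    signer_cn: str          # Subject CN of the leaf code-signing certificate
    cert_not_before: datetime
    signing_time: datetime  # Timestamp of the signing operation (e.g. from the countersignature)
    signature_valid: bool   # Chain validated to a trusted root at scan time


def assess(binary: SignedBinary, baseline_signers: set[str]) -> list[str]:
    """Return the findings for one signed binary; an empty list means nothing notable."""
    findings: list[str] = []
    name = binary.file_name.lower()

    # A valid signature is exactly what a signing-as-a-service abuse produces, so it is
    # the starting point of the check rather than the end of it.
    if not binary.signature_valid:
        findings.append("signature_invalid")
        return findings

    # 1. Product impersonation: the file name belongs to a known product but the
    #    signer is not that product's publisher.
    expected = EXPECTED_PUBLISHER.get(name)
    if expected is not None and binary.signer_cn != expected:
        findings.append(f"publisher_mismatch: expected '{expected}', got '{binary.signer_cn}'")

    # 2. Freshly issued certificate: signed within the rotation window after issuance.
    age_at_signing = binary.signing_time - binary.cert_not_before
    if age_at_signing < FRESH_CERT_WINDOW:
        findings.append(f"fresh_certificate: signed {age_at_signing} after notBefore")

    # 3. Signer never observed in this environment before.
    if binary.signer_cn not in baseline_signers:
        findings.append("signer_first_seen")

    return findings


def triage(binaries: list[SignedBinary], baseline_signers: set[str]) -> list[tuple[str, list[str]]]:
    """Rank binaries by number of findings, most suspicious first (stable for ties)."""
    scored = [(assess(b, baseline_signers), b) for b in binaries]
    scored.sort(key=lambda pair: len(pair[0]), reverse=True)
    return [(b.file_name, f) for f, b in scored]


# Constructed sample: a legitimate Teams binary, an impersonator signed with an
# hours-old certificate issued to an individual, and a binary whose chain fails.
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    SignedBinary("Teams.exe", "Microsoft Corporation",
                 NOW - timedelta(days=400), NOW - timedelta(days=30), True),
    SignedBinary("Teams.exe", "J. Example (constructed individual CN)",
                 NOW - timedelta(hours=5), NOW - timedelta(hours=4), True),
    SignedBinary("putty.exe", "Simon Tatham",
                 NOW - timedelta(days=200), NOW - timedelta(days=2), False),
]
BASELINE = {"Microsoft Corporation", "Simon Tatham"}

if __name__ == "__main__":
    for file_name, findings in triage(SAMPLE, BASELINE):
        print(file_name, findings or ["ok"])
```

None of the three checks is conclusive on its own: a legitimate vendor also signs with a newly issued certificate once in a while, and a first-seen signer is routine in a fleet that installs new software. Their value is in combination, and in the fact that each is computed from metadata the signature verification step already had in hand, so they add no cost to the pipeline that was previously stopping at "chain valid".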
A researcher at Algoritha Security said the rise of “trusted malware delivery” services demonstrates how cybercriminal groups are increasingly targeting the trust architecture that underpins modern cybersecurity frameworks. The expert warned that signed malware campaigns are likely to become more sophisticated as ransomware operators continue investing in methods that reduce detection rates and improve initial access success.
Microsoft also disclosed that investigators secretly purchased and tested the service as part of the company’s evidence-gathering process. According to the company, Fox Tempest operators continuously adapted their infrastructure whenever fraudulent accounts were suspended or digital certificates revoked. Investigators observed attempts by the threat actors to migrate toward alternative code-signing platforms after Microsoft intensified enforcement actions.
The company warned that the ability of cybercriminals to make malicious software appear legitimate threatens the broader digital trust ecosystem relied upon by businesses, governments, and consumers worldwide. Microsoft said dismantling such infrastructure is critical to increasing the operational cost of cybercrime and strengthening global cybersecurity resilience against evolving ransomware and malware threats.