How Microsoft Disrupted the Fox Tempest Malware‑Signing Service

Instead of signing legitimate applications, Fox Tempest used the service to generate short‑lived code‑signing certificates for malicious files, allowing malware to appear verified and trusted by Windows and security tools.

Microsoft says the group created more than 1,000 certificates and operated hundreds of Azure tenants and subscriptions to sustain the activity.

How the signspace[.]cloud Service Worked

At the center of the operation was a platform called signspace[.]cloud, which functioned as a paid service where criminals could upload malware and receive a digitally signed version in return.

The process worked roughly like this:

• Attackers submitted malicious binaries to the service.
• The platform used fraudulently obtained access to Artifact Signing to generate a code‑signing certificate.
• The malware was returned with a valid digital signature attached.

Because the files appeared signed by a legitimate certificate authority chain, they could bypass some security checks and appear more trustworthy to users and automated defenses.

In some reporting, the certificates were extremely short‑lived—sometimes around 72 hours—which reduced the window for defenders to identify and revoke them while still allowing attackers enough time to distribute signed malware in active campaigns.

Ransomware Groups Linked to the Service

Microsoft and security reporting linked Fox Tempest’s signing service to several ransomware and cybercrime groups.

Customers allegedly included:

• Rhysida ransomware operators
• Vanilla Tempest
• Storm‑0501
• Other cybercriminal groups tracked by Microsoft security teams

The service was reportedly used to support attacks involving malware families such as Oyster, Lumma Stealer, and Vidar, though available reporting does not fully detail how Fox Tempest’s infrastructure interacted with each toolset.

What Microsoft Did to Disrupt the Operation

Microsoft’s response combined legal action, threat intelligence work, and direct technical disruption.

Key steps included:

1. Civil legal action
Microsoft filed and later unsealed a case in the U.S. District Court for the Southern District of New York targeting the Fox Tempest operation.

2. Infrastructure seizures and takedowns
Working with hosting providers and legal authorities, Microsoft seized the group’s website, blocked related services, and dismantled infrastructure supporting the signing operation.

3. Certificate revocations
The company revoked more than 1,000 fraudulent code‑signing certificates generated through the operation.

4. Cloud environment disruption
Microsoft identified and disabled hundreds of Azure tenants and virtual machines that supported the service’s backend infrastructure.

5. Intelligence and undercover work
Microsoft’s Digital Crimes Unit reportedly used investigative techniques—including undercover engagement—to map the group’s infrastructure and operators before the disruption effort.

Together, these steps effectively dismantled the infrastructure that enabled the malware‑signing service.

Why This Case Matters for Cybersecurity

The Fox Tempest case highlights two major trends in modern cybercrime.

1. Cybercrime is becoming a service economy

Instead of building every tool themselves, attackers increasingly rely on specialized providers offering services such as:

• ransomware‑as‑a‑service
• initial access brokers
• malware‑hosting infrastructure
• and now malware signing services

Fox Tempest illustrates how criminal operations can sell a single capability—trusted signatures—and still play a critical role in large‑scale ransomware attacks.

2. Abuse of code signing undermines software trust

Digital signatures are a fundamental security mechanism designed to help operating systems and users verify that software is authentic and untampered.

When attackers obtain or generate fraudulent certificates, malware can appear indistinguishable from legitimate applications to many security checks. This can:

• reduce warning prompts
• improve malware execution success
• and allow malicious files to evade reputation‑based defenses

That makes code‑signing abuse a particularly dangerous technique, because it attacks the trust layer that software ecosystems depend on.

The Broader Security Lesson

The Fox Tempest disruption shows that combating cybercrime increasingly requires targeting service providers within the criminal ecosystem, not just the ransomware operators themselves.

By dismantling infrastructure that enables multiple threat groups at once—such as a signing service—defenders can disrupt entire sections of the cybercrime supply chain.

However, the episode also underscores a persistent challenge: even security tools designed to build trust in software can be abused when attackers find ways to access or manipulate them.