
Fox Tempest Takedown: When Signed Software Can't Be Trusted


On May 19, 2026, Microsoft’s Digital Crimes Unit disrupted Fox Tempest, a financially motivated cybercrime group that abused Microsoft Artifact Signing to issue more than 1,000 fraudulent code-signing certificates. The certificates made ransomware, including Rhysida and Akira, look like trusted software. For businesses, the takedown signals that “signed” no longer means “safe.”


What happened in the Fox Tempest takedown?


On May 19, 2026, Microsoft’s Digital Crimes Unit seized the domain signspace[.]cloud, revoked more than 1,000 fraudulent code-signing certificates, and took hundreds of Azure virtual machines offline. The operation, codenamed OpFauxSign, targeted Fox Tempest — a financially motivated threat actor that had been selling code-signing services to ransomware affiliates since May 2025.


According to Microsoft Threat Intelligence, Fox Tempest’s service was hosted at signspace[.]cloud and charged customers between $5,000 and $9,000 per use. Cybercriminal buyers uploaded malicious files; the service returned them digitally signed by certificates that Windows would treat as legitimate. Microsoft worked with threat intelligence partner Resecurity on the takedown and, according to court filings, used a cooperative source to purchase and test the service in February and March 2026.


“To disrupt the service, we seized Fox Tempest’s website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code,” said Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, in the company’s announcement.

Microsoft also linked the operation to several active ransomware affiliates. The threat actor Vanilla Tempest used Fox Tempest’s signed binaries to deploy Rhysida ransomware. Affiliates connected to the Akira, INC, Qilin, and BlackByte ransomware groups also relied on the service. Victims spanned healthcare, education, government, and financial services in the US, France, India, and China.


How did Fox Tempest abuse Microsoft Artifact Signing?


Fox Tempest abused Microsoft Artifact Signing — a cloud-based code-signing service Microsoft launched in 2024 (formerly Azure Trusted Signing) — by passing the identity verification process with what Microsoft believes were stolen US- and Canada-based identities. The group then created hundreds of Azure tenants and used them to generate short-lived 72-hour certificates that any cybercriminal customer could buy.


Artifact Signing is meant to make code-signing accessible to legitimate developers. Microsoft acts as the Certificate Authority, and the binary, once signed, is trusted by the Windows Trust Store. Identity verification is supposed to be the safeguard. Microsoft said in its advisory that “the requestor must pass detailed identity validation processes in keeping with industry standard verifiable credentials (VC), which suggests the threat actor very likely used stolen identities based in the United States and Canada to masquerade as a legitimate entity.”


The certificates stayed valid for only 72 hours, which from Fox Tempest’s perspective was a feature rather than a bug. Short-lived certificates are harder to track, easier to rotate, and reduce the window in which a defender might notice and revoke. Each new piece of malware got a fresh signature.


Starting in February 2026, Fox Tempest changed tactics. Instead of returning signed binaries to customers, the group offered preconfigured virtual machines on the VPS provider Cloudzy. Customers uploaded malware to the VM and received a signed copy in return. Microsoft said this evolution “reduced friction for customers, improved operational security for Fox Tempest, and further streamlined the delivery of malicious but trusted, signed malware at scale.”


Why does signed malware matter for a business?


Signed malware matters because most defenses, both software and human, treat a valid digital signature as a strong trust signal. Endpoint detection products are less aggressive on signed binaries. Windows SmartScreen suppresses warnings. Users see “Verified Publisher” and assume the software is safe. Fox Tempest’s whole business model was renting that trust to ransomware crews.


The deception was carefully engineered. Vanilla Tempest, one of Fox Tempest’s customers, purchased legitimate search-engine ads that pushed users searching for Microsoft Teams to fake download pages. The downloaded installer was signed with a Fox Tempest certificate, looked authentic to Windows, and quietly dropped Oyster, a malware loader that ultimately deployed Rhysida ransomware. The same playbook impersonated AnyDesk, PuTTY, and Cisco Webex.


“When unsuspecting victims executed the falsely named Microsoft Teams installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware,” Microsoft said in its complaint.


For a CFO or COO, the practical implication is uncomfortable: the “is this software safe to install” decision can no longer be answered by checking the signature. That answer now requires application control policies, download-source restrictions, and EDR coverage that watches behavior rather than reputation. A vCISO or fractional CISO arrangement, like the cybersecurity consulting model Purple Shield Security uses for mid-market clients, is often where this judgment lives, because it is the kind of cross-cutting decision IT helpdesks are not staffed to make.


In Microsoft’s own summary: “When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe. Disrupting that capability is key to raising the cost of cybercrime.”


What should businesses do?


Three actions matter most in the days after the Fox Tempest takedown: review where signed-software trust shows up in your environment, hunt for the specific malware families this service distributed, and confirm your incident response plan handles a “we ran a signed binary that turned out to be malicious” scenario. The takedown is helpful, but residual infrastructure on Cloudzy is still being worked through.


Start with installer hygiene. Check whether employees can download Microsoft Teams, AnyDesk, PuTTY, or Cisco Webex from any source other than your software catalog or vendor sites. Vanilla Tempest specifically used paid search ads to redirect users to the wrong download. A policy that pushes all software installs through a managed catalog removes that attack path entirely.


Then check telemetry. Pull EDR data for the malware families Microsoft named as Fox Tempest payloads: Oyster (a.k.a. Broomstick or CleanUpLoader), Lumma Stealer, and Vidar. For ransomware specifically, search for indicators tied to Rhysida, Akira, INC, Qilin, and BlackByte. Any hit gets escalated immediately, and the affected host gets a forensic image before reimaging.


Pay attention to the signing data itself. Code-signing certificates issued with very short lifetimes (72 hours or less) and a recently created publisher identity are higher-risk than long-established signing certs. If your application control or EDR product can flag signature age or first-seen publisher, turn that on.


Finally, validate the incident response side. Confirm your IR retainer covers ransomware deployed via a signed binary, not just unsigned malware. Verify your breach-notification obligations under HIPAA, PCI DSS, SEC cyber disclosure rules, or applicable state laws, particularly if you operate in the sectors Microsoft named: healthcare, education, government, and financial services. If your team has never walked through a signed-malware tabletop, that gap is now visible.


Frequently asked questions


Are the fraudulent Fox Tempest certificates still valid?

Microsoft has revoked more than 1,000 known certificates and seized signspace[.]cloud, but residual infrastructure tied to Cloudzy is still being worked through. Revocation only protects endpoints that pull fresh certificate revocation list (CRL) or Online Certificate Status Protocol (OCSP) data. If your environment blocks outbound OCSP traffic or caches revocation status, you may still be at risk from previously signed binaries that have not yet been blocked at the endpoint.
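The revocation caveat above is easy to test for a specific file. The following PowerShell script is an added example, not code from the article or from Microsoft: it extracts the certificate that signed a binary, rebuilds its chain with a forced online CRL/OCSP lookup instead of relying on whatever the endpoint has cached, and reports whether the answer was Revoked, clean, or unknown because the revocation endpoints could not be reached. The `$FilePath` parameter is an assumption; point it at a signed .exe, .dll or .msi you already hold.

```powershell
# Added example, not code from the article or from Microsoft: build the signer's
# certificate chain with a forced online revocation check and report the result.
# Assumption: $FilePath is a signed .exe/.dll/.msi already present on the host.
using namespace System.Security.Cryptography.X509Certificates

param([Parameter(Mandatory)] [string] $FilePath)

function Get-SignerRevocationStatus {
    param([string] $Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ File = $Path; Signed = $false }
    }
    $cert = $sig.SignerCertificate

    $chain = [X509Chain]::new()
    # Online  = fetch CRL/OCSP data now rather than using a cached copy.
    # EntireChain = check the issuing CA certificates as well as the leaf.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
    # Bound how long a CRL/OCSP fetch may take before it is reported as failed.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built = $chain.Build($cert)
    # Each ChainStatus entry carries one flag; collect them by name. A 72-hour
    # certificate will also report NotTimeValid once it has expired, so look at
    # the revocation flags specifically rather than at $built alone.
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        File              = $Path
        Signed            = $true
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        NotBefore         = $cert.NotBefore
        NotAfter          = $cert.NotAfter
        ChainBuilt        = $built
        Revoked           = $flags -contains 'Revoked'
        # True when the endpoint could not reach the CRL/OCSP source at all: the
        # "blocked outbound OCSP" situation in which revocation gives no protection.
        RevocationUnknown = [bool]($flags | Where-Object { $_ -in 'RevocationStatusUnknown', 'OfflineRevocation' })
        ChainStatus       = ($flags | Sort-Object -Unique) -join ', '
    }
}

Get-SignerRevocationStatus -Path $FilePath
```

Run it as `.\Get-SignerRevocationStatus.ps1 -FilePath C:\path\to\installer.exe` from an endpoint that is representative of your fleet. A `RevocationUnknown` of `True` on a host that should have internet access means that host is in the situation the answer describes and will not benefit from the revocations; the built-in `certutil -urlfetch -verify` command gives a more verbose view of the same chain build if you need to see which URL failed.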


How can a business tell if it was a Fox Tempest victim?

Check EDR for executions of binaries signed by certificates with 72-hour validity issued from May 2025 onward, and tied to publishers your organization does not recognize. Search for executions of Oyster, Lumma Stealer, Vidar, or any of the named ransomware families (Rhysida, Akira, INC, Qilin, BlackByte) over the last 12 months. Helpdesk tickets for users who installed Microsoft Teams, AnyDesk, PuTTY, or Cisco Webex from search-ad links should also be reviewed.
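The two checks described in the guidance above (flagging signing certificates with very short lifetimes and publishers you do not recognize, and then hunting for binaries signed from May 2025 onward that match that profile) can be done locally on a host with a short PowerShell sweep. The script below is an added example, not code from the article or from Microsoft. It walks a folder, reads each file's Authenticode signer certificate, and emits a triage record for anything whose certificate was valid for 72 hours or less and issued on or after May 2025, or whose subject is not on an allow-list. The `$KnownPublishers` entries are placeholders and an assumption; replace them with the certificate subjects of the vendors in your managed software catalog.

```powershell
# Added example, not code from the article or from Microsoft: sweep a folder for
# Authenticode-signed files and flag short-lived certificates (<= 72 hours,
# issued from May 2025 onward) and publishers that are not on the allow-list.
# Assumption: $KnownPublishers holds placeholder subjects; replace with your own.
param(
    [string]   $Path = "$env:USERPROFILE\Downloads",
    [int]      $MaxShortLifetimeHours = 72,
    [datetime] $IssuedOnOrAfter = '2025-05-01',
    [string[]] $KnownPublishers = @(
        'CN=Microsoft Corporation',
        'CN=Example Vendor Inc.'        # placeholder, not a real allow-list entry
    )
)

function Test-SignedFileRisk {
    param([System.IO.FileInfo] $File)

    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    # Unsigned files are out of scope for this sweep; other controls cover them.
    if (-not $sig.SignerCertificate) { return $null }

    $cert       = $sig.SignerCertificate
    $lifetime   = $cert.NotAfter - $cert.NotBefore
    $shortLived = $lifetime.TotalHours -le $MaxShortLifetimeHours
    $recent     = $cert.NotBefore -ge $IssuedOnOrAfter
    # The publisher counts as known if any allow-list entry appears in the subject DN.
    $known      = [bool]($KnownPublishers | Where-Object { $cert.Subject -like "*$_*" })

    $suspicious = ($shortLived -and $recent) -or (-not $known)
    if (-not $suspicious) { return $null }

    [pscustomobject]@{
        File             = $File.FullName
        SHA256           = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
        SignatureStatus  = $sig.Status      # Valid, NotTrusted, HashMismatch, UnknownError ...
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotBefore        = $cert.NotBefore
        LifetimeHours    = [math]::Round($lifetime.TotalHours, 1)
        ShortLived       = $shortLived
        UnknownPublisher = -not $known
    }
}

# Objects are emitted rather than formatted so the result can be piped to
# Export-Csv for the IR ticket or filtered further with Where-Object.
Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignedFileRisk -File $_ } |
    Where-Object { $null -ne $_ }
```

A typical invocation is `.\Test-SignedFileRisk.ps1 -Path 'C:\Users' | Export-Csv signed-triage.csv -NoTypeInformation`. The script deliberately does not filter on `SignatureStatus -eq 'Valid'`: a binary signed with a certificate that has since been revoked or has expired is exactly the case you want surfaced, so the status is recorded rather than used to drop rows. The SHA256 column is there so any hit can be cross-referenced against your EDR's process-execution telemetry, which is where the question of whether the file actually ran gets answered.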


Does Microsoft Defender catch signed malware?

Defender now flags the revoked certificates and the specific malware families Microsoft named, but the value of code-signing abuse is exactly that it slips past the first detection layer. A signed binary from an unfamiliar publisher should still trigger manual review, regardless of what the antivirus product says. Defense in depth, with application control and behavioral detection layered behind signature-based AV, is the only durable answer.


Should businesses stop trusting Microsoft Artifact Signing?

No. Artifact Signing itself was not breached. Fox Tempest beat the identity verification gate using stolen US- and Canada-based identities. The takeaway is that code-signing is one trust signal among several, not a substitute for application control, EDR behavioral detection, and managed software catalogs.


The Fox Tempest takedown is a reminder that the most dangerous attacks no longer arrive as obviously malicious files. They arrive looking exactly like the software your team already runs. If your business needs help reviewing where signed-software trust shows up in your environment, or a second set of eyes on whether your incident response plan covers ransomware delivered through trusted channels, Purple Shield Security’s vCISO services and fractional CISO services are built for exactly that.


By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM

Published By: Purple Shield Security

Published: May 20, 2026

Last updated: May 20, 2026
