Microsoft Disrupts Fox Tempest's Malware-Signing-as-a-Service Operation Used by Ransomware Gangs

Microsoft Takes Down 'Fox Tempest' Cybercrime Service That Sold Forged Code-Signing Certificates

Severity: HIGH
Published: May 19, 2026
Updated: May 20, 2026
Categories: Threat Actor, Cyberattack, Ransomware

Related Entities (initial)

Threat Actors: Fox Tempest, Storm-0249, Storm-0501, Storm-2561, Vanilla Tempest

Organizations: Europol, FBI, Microsoft

Other: Rhysida, U.S. District Court for the Southern District of New York

Full Report (when first published)

Executive Summary

On May 19, 2026, Microsoft announced a significant disruption of Fox Tempest, a cybercrime-as-a-service operation that provided a critical link in the malware supply chain. The group specialized in creating and selling counterfeit code-signing certificates, a service dubbed "malware-signing-as-a-service" (MSaaS). This allowed threat actors, including prominent ransomware gangs like Rhysida, to sign their malicious payloads, making them appear authentic and trustworthy to operating systems and security software. Through a combination of legal action in the U.S. District Court for the Southern District of New York and technical operations, Microsoft's Digital Crimes Unit (DCU) seized the group's main website, signspace[.]cloud, and dismantled its core infrastructure. The takedown highlights the growing threat of specialized criminal services that enable widespread cyberattacks.


Threat Overview

Fox Tempest, active since at least May 2025, operated as a key enabler for the broader cybercrime ecosystem. Its MSaaS platform allowed other criminals to overcome a significant hurdle: bypassing security controls that rely on software authenticity. By abusing Microsoft's own code-signing tools, Fox Tempest could fabricate identities and impersonate legitimate organizations, producing counterfeit certificates that were nearly indistinguishable from genuine ones.

Attack Flow:

  1. A threat actor (e.g., a ransomware operator) develops a malicious payload.
  2. The actor purchases signing services from Fox Tempest, paying up to $9,500.
  3. Fox Tempest uses its illicitly obtained capabilities to sign the malware with a counterfeit, but seemingly valid, digital certificate.
  4. The now-signed malware is deployed in an attack.
  5. The victim's system and security tools check the signature, see that it is trusted, and allow the malware to execute, bypassing a critical layer of defense.

This service was utilized by several known threat groups, with the lawsuit specifically naming Vanilla Tempest (the group behind Rhysida ransomware) as a co-conspirator. The downstream impact affected a wide range of sectors globally, including healthcare, education, government, and finance.


Technical Analysis

The core of Fox Tempest's operation was the abuse of trust associated with digital code signing. This process is fundamental to modern operating system security, acting as a gatekeeper to ensure that only verified, untampered software is executed.

TTPs and MITRE ATT&CK Mapping

  • T1553.002 - Code Signing: This is the central technique abused by Fox Tempest. They created and sold fraudulent certificates to sign malicious code, a direct subversion of the trust model.
  • T1195.002 - Compromise Software Supply Chain: By providing a signing service, Fox Tempest acted as a critical component in the software supply chain for other malware operators, enabling their attacks.
  • T1608.004 - Stage Capabilities: Drive-by Target: The operation's website, signspace[.]cloud, served as the primary infrastructure for staging and selling their illicit capabilities.
  • T1486 - Data Encrypted for Impact: The end goal for many of Fox Tempest's customers, such as the Rhysida ransomware group, was to deploy ransomware and encrypt victim data.

Microsoft's disruption involved both legal and technical measures. The legal case allowed for the seizure of the domain, while the technical operation involved taking hundreds of their virtual machines offline and blocking access to their code repository. The FBI and Europol are now involved in the effort to attribute the operation to specific individuals.


IOCs — Directly from Articles

Type      Value               Description
Domain    signspace[.]cloud   Primary website for the MSaaS operation, now seized.

Detection & Response

Detecting malware that uses valid (or seemingly valid) code-signing certificates is challenging, as it's designed to bypass standard checks.

Detection Strategies

  • Certificate Reputation and Monitoring: Monitor for the execution of newly signed executables from uncommon or previously unseen publishers. While Fox Tempest's certificates were nearly indistinguishable from genuine ones, they would likely carry newly created or obscure publisher names.
  • EDR/XDR Telemetry: Use Endpoint Detection and Response (EDR) tools to monitor for suspicious process chains, even if the initial executable is signed. A signed process spawning powershell.exe to download a script is still a major red flag. This aligns with D3FEND's Process Analysis technique.
  • Code Signing Policy Enforcement: On Windows, use AppLocker or Windows Defender Application Control (WDAC) to create strict policies that only allow executables signed by a specific, pre-approved list of publishers. This is a form of Executable Allowlisting.

Response Actions

  1. If a malicious signed binary is found, immediately revoke trust for the associated certificate and publisher across the enterprise.
  2. Hunt for other instances of the file hash or the signing certificate (for example, by its thumbprint) across all endpoints.
  3. Submit the malicious sample and certificate information to security vendors and Microsoft to aid in broader revocation efforts.

Mitigation Recommendations

  1. Enforce Strict Code Signing Policies (M1045 - Code Signing):
    • The most effective mitigation is to not trust certificates by default. Implement application control policies (WDAC/AppLocker) that define an explicit allowlist of trusted signers for your environment. Anything not on the list is blocked by default, regardless of whether it's signed.
  2. Layered Endpoint Defenses (M1049 - Antivirus/Antimalware):
    • Do not rely solely on signature-based checks. Ensure your endpoint protection platform (EPP) and EDR solutions use behavioral analysis, heuristics, and machine learning to detect malicious activity post-execution. A signed binary that starts encrypting files is still ransomware.
  3. Threat Intelligence Integration:
    • Consume threat intelligence feeds that provide data on malicious code-signing certificates and publishers. Integrate this data into your SIEM and EDR to generate alerts when these indicators are seen in your environment.
  4. Reduce Attack Surface (M1042 - Disable or Remove Feature or Program):
    • Limit the ability of standard users to install and execute new software. By restricting execution permissions, you reduce the opportunity for maliciously signed software to run in the first place.
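
The following is an added example, not code from the article, from Microsoft, or from the author: a small detection-and-hunt pass over constructed process-creation telemetry that carries Authenticode signer fields, of the kind an EDR or Sysmon event 1 would supply. It ties together the three practical points above: a default-deny publisher allowlist (Mitigation 1), the behavioral check for a signed parent spawning a download cradle (Detection Strategies), and a hunt for a known-bad certificate thumbprint or file hash across hosts followed by a denylist re-evaluation (Response Actions 1 and 2). The event field names, the publisher names, and every thumbprint and hash are assumptions or constructed placeholders, not real indicators.

```python
# Added example (not the article's or Microsoft's code). Evaluates constructed
# process-creation events that carry Authenticode signer fields. Field names,
# publishers, thumbprints and hashes are all assumed/constructed placeholders.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str        # full path of the started executable
    cmdline: str
    signed: bool      # signature chained to a trusted root at execution time
    publisher: str    # subject CN of the leaf signing certificate
    thumbprint: str   # thumbprint of the signing certificate (placeholder)
    sha256: str       # hash of the executable (placeholder)


# Explicit allowlist of signers, mirroring the WDAC/AppLocker default-deny stance:
# a valid signature from a publisher not on this list is still a finding.
TRUSTED_PUBLISHERS = frozenset({"Microsoft Windows", "Microsoft Corporation",
                                "Example Corp Internal Signing"})  # constructed names
# Certificates already revoked in-house after an incident (response action 1).
DENYLISTED_THUMBPRINTS: set = set()

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
# Command-line markers typical of a script being fetched or decoded and executed.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"frombase64string|-encodedcommand|-enc\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events, trusted=TRUSTED_PUBLISHERS, denylist=None):
    """Return {(host, pid): [findings]} for every event that produced a finding."""
    denylist = DENYLISTED_THUMBPRINTS if denylist is None else denylist
    by_key = {(e.host, e.pid): e for e in events}   # lets a child look up its parent
    results = {}
    for e in events:
        findings = []
        if not e.signed:
            findings.append("unsigned-binary")
        elif e.thumbprint in denylist:
            findings.append(f"denylisted-certificate:{e.thumbprint}")
        elif e.publisher not in trusted:
            findings.append(f"signed-by-unlisted-publisher:{e.publisher}")
        # A signed parent does not make an interpreter running a download cradle benign.
        if basename(e.image) in INTERPRETERS and DOWNLOAD_CRADLE.search(e.cmdline):
            parent = by_key.get((e.host, e.ppid))
            if parent is not None and parent.signed:
                findings.append(
                    f"signed-parent-spawned-download-cradle:{basename(parent.image)}")
            else:
                findings.append("download-cradle")
        if findings:
            results[(e.host, e.pid)] = findings
    return results


def hunt(events, thumbprint=None, sha256=None):
    """Response action 2: sorted hosts where a known-bad certificate or hash was seen."""
    hosts = {e.host for e in events
             if (thumbprint and e.thumbprint == thumbprint)
             or (sha256 and e.sha256 == sha256)}
    return sorted(hosts)


# Constructed sample telemetry; thumbprints and hashes are placeholders.
MS_THUMB = "0" * 39 + "1"
BAD_THUMB = "0" * 39 + "2"
BAD_SHA256 = "deadbeef" * 8
SAMPLE_EVENTS = [
    ProcEvent("host-a", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe", True,
              "Microsoft Windows", MS_THUMB, "11" * 32),
    # a validly signed installer from a publisher nobody in the organisation approved
    ProcEvent("host-a", 200, 100, r"C:\Users\u\Downloads\installer-update.exe",
              "installer-update.exe", True, "Example Unlisted Software Ltd",
              BAD_THUMB, BAD_SHA256),
    # ...which spawns an encoded PowerShell command
    ProcEvent("host-a", 201, 200,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA", True,
              "Microsoft Windows", MS_THUMB, "22" * 32),
    # the same installer seen on a second host, no child process yet
    ProcEvent("host-b", 300, 1, r"C:\Users\v\Downloads\installer-update.exe",
              "installer-update.exe", True, "Example Unlisted Software Ltd",
              BAD_THUMB, BAD_SHA256),
    # an in-house signed tool on the allowlist: produces no finding
    ProcEvent("host-c", 400, 1, r"C:\Program Files\ExampleCorp\tool.exe", "tool.exe",
              True, "Example Corp Internal Signing", "33" * 20, "44" * 32),
]

if __name__ == "__main__":
    for key, findings in analyze(SAMPLE_EVENTS).items():
        print(key, findings)
    print("hosts to contain:", hunt(SAMPLE_EVENTS, thumbprint=BAD_THUMB))
    # After revoking trust in the certificate (response action 1), re-run with it denylisted.
    print(analyze(SAMPLE_EVENTS, denylist={BAD_THUMB})[("host-a", 200)])
```

The allowlist branch is what turns a "valid signature" into a finding: the installer on host-a and host-b is flagged purely because its publisher is not one the organisation approved, which is the same default-deny decision WDAC or AppLocker would make at execution time. The parent/child lookup shows why the signed installer's own signature buys it nothing once it launches an encoded PowerShell command, and the hunt function gives the list of hosts to contain once the certificate thumbprint or hash is known.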

Timeline of Events

  1. May 1, 2025: Fox Tempest is believed to have been active since at least this date.
  2. May 19, 2026: Microsoft announces the disruption of the Fox Tempest operation.
  3. May 19, 2026: This article was published.

Article Updates

May 20, 2026

Microsoft's 'Fox Tempest' takedown: 'OpFauxSign' service used by Rhysida, Lumma, and Vidar to sign malware impersonating legitimate applications.

Further analysis of the 'Fox Tempest' takedown reveals that the malware-signing-as-a-service (MSaaS) operation was internally codenamed 'OpFauxSign'. Beyond Rhysida ransomware, the service was extensively used by operators of infostealers such as Lumma and Vidar. Attackers leveraged the service to sign malware that impersonated legitimate applications such as AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex, enhancing their ability to bypass security controls and deceive users. The new report also provides additional MITRE ATT&CK mappings and specific hunting hints for detecting such signed malware.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags: Code Signing, Cybercrime, Fox Tempest, MSaaS, Microsoft, Ransomware, Rhysida, Supply Chain Attack, Takedown
