Microsoft Disrupts 'Fox Tempest' MSaaS Operation That Signed Rhysida Ransomware and Infostealers

Microsoft Takedown: 'Fox Tempest' Malware-Signing-as-a-Service Disrupted

Severity: HIGH
Published: May 20, 2026
Updated: May 21, 2026
5 min read
Categories: Threat Actor, Malware, Security Operations

Related Entities (initial)

Threat Actors: Fox Tempest, Vanilla Tempest

Organizations: none listed

Products & Tech: AnyDesk, Microsoft Teams, PuTTY, Cisco Webex

Full Report (when first published)

Executive Summary

Microsoft's Digital Crimes Unit has successfully taken down a significant malware-signing-as-a-service (MSaaS) operation run by a threat actor tracked as Fox Tempest. The service, codenamed "OpFauxSign," provided cybercriminals with the ability to have their malware signed with fraudulently obtained code-signing certificates. For a fee, threat actors could upload malicious files to the service's portal, signspace[.]cloud, and receive a signed executable that could masquerade as legitimate software, thereby evading security defenses and deceiving users. This service was instrumental in attacks deploying the Rhysida ransomware and various infostealers like Lumma Stealer and Vidar. The takedown, which included seizing the website and disabling the backend infrastructure, disrupts a critical component of the cybercrime supply chain.

Threat Overview

The "OpFauxSign" service, active since May 2025, acted as a specialized vendor within the cybercrime economy. For a price ranging from $5,000 to $9,000, it offered a simple but powerful capability: digital code signing. Threat actors, such as Vanilla Tempest (the operators of Rhysida ransomware), would use this service to sign their payloads. A valid digital signature causes operating systems and security software to trust an executable, allowing it to run with fewer warnings or security checks. The signed malware often impersonated legitimate applications like AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex to further trick users. This MSaaS model lowers the barrier to entry for less sophisticated actors and increases the effectiveness of campaigns for advanced groups.

Technical Analysis

The core of this operation was the abuse of trust in the code-signing process. Fox Tempest managed the difficult part of the operation: fraudulently acquiring legitimate code-signing certificates, likely by impersonating legitimate businesses or compromising smaller software companies.

MITRE ATT&CK Techniques

Impact Assessment

  • Disruption of the Cybercrime Ecosystem: The takedown removes a key enabler for multiple threat groups. Ransomware and infostealer operators who relied on this service must now find new, potentially less reliable, ways to sign their malware.
  • Increased Malware Detection: With the service offline, malware that would have been signed will now be unsigned. Unsigned executables are treated with much higher suspicion by security software and operating systems, making them easier to detect and block.
  • Short-Term Pain for Attackers: While other MSaaS operations exist or will emerge, this takedown forces attackers to retool and disrupts their operational tempo.

IOCs (directly from articles)

Type: domain
Value: signspace[.]cloud
Description: The primary website for the Fox Tempest MSaaS operation, now seized.

Cyber Observables — Hunting Hints

To detect malware that may have been signed by this or similar services, security teams can hunt for:

  • Executables with Low Reputation Signatures: Look for executables signed by certificates from unknown or newly established software publishers.
  • Anomalous Signed Binaries: It is unusual for a legitimate application like PuTTY to be installed from a non-official source. Monitor for signed executables in temporary directories or downloads folders that are not part of a standard software installation package.
  • Certificate Chaining: Analyze the certificate chain of signed executables. Signatures from fraudulent certificates may have incomplete or suspicious chains.
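The three hunting hints above can be run as one triage pass over process-creation telemetry. The Python below is an added example, not code from the article or from Microsoft's report. It assumes EDR or Sysmon-style events that already carry signature verification results: the field names image, signer and chain_status, the publisher allowlist and the sample events are all constructed for this example. The same allowlist check is what the publisher-allowlist policy described under Mitigation (M1045) enforces at execution time, so the block serves both passages.

```python
import re

# Constructed allowlist of publishers the fleet expects to see; in production this
# comes from your software inventory, not from a hard-coded set.
TRUSTED_PUBLISHERS = {
    "Microsoft Corporation",
    "Simon Tatham",            # PuTTY's signer (verify against your own inventory)
    "Example Software Ltd",    # placeholder for an approved in-house vendor
}

# Binary names the article reports as impersonated by OpFauxSign-signed malware.
IMPERSONATED_APPS = {"putty.exe", "anydesk.exe", "teams.exe", "msteams.exe", "webex.exe"}

# Locations a legitimately installed copy of those apps should not be running from.
USER_WRITABLE_DIR = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\|\\Windows\\Temp\\",
    re.IGNORECASE,
)

# Chain verification outcomes that mean the signature should not be trusted at all.
BAD_CHAIN = {"UntrustedRoot", "Revoked", "NotTimeValid", "PartialChain"}


def classify(event, trusted=TRUSTED_PUBLISHERS):
    """Return the list of hunting reasons that apply to one process-creation event.

    event fields (hypothetical, modelled on Sysmon/EDR telemetry):
      image        full path of the executable
      signer       subject CN of the leaf code-signing certificate, or None
      chain_status "Valid", "NotSigned", or one of the BAD_CHAIN values
    """
    reasons = []
    name = event["image"].rsplit("\\", 1)[-1].lower()
    in_user_dir = USER_WRITABLE_DIR.search(event["image"]) is not None
    status = event["chain_status"]

    if status == "NotSigned":
        if in_user_dir:
            reasons.append("unsigned executable launched from a user-writable directory")
    else:
        # Hint 3: an incomplete or revoked chain is a stronger signal than an unknown name.
        if status in BAD_CHAIN:
            reasons.append(f"signature chain problem: {status}")
        # Hint 1: a valid-looking signature from a publisher nobody approved.
        if event["signer"] not in trusted:
            reasons.append(f"signer not on publisher allowlist: {event['signer']}")

    # Hint 2: a well-known product name running from Downloads/Temp instead of its install path.
    if name in IMPERSONATED_APPS and in_user_dir:
        reasons.append(f"{name} launched outside its vendor install path")
    return reasons


def severity(reasons):
    """Two or more independent reasons on one binary is worth an analyst's time."""
    if len(reasons) >= 2:
        return "high"
    return "medium" if reasons else "none"


def hunt(events, trusted=TRUSTED_PUBLISHERS):
    """Map event id -> finding for every event that triggers at least one reason."""
    findings = {}
    for event in events:
        reasons = classify(event, trusted)
        if reasons:
            findings[event["id"]] = {"severity": severity(reasons), "reasons": reasons}
    return findings


# Constructed sample telemetry; publisher names other than Microsoft's and PuTTY's are invented.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\PuTTY\putty.exe",
     "signer": "Simon Tatham", "chain_status": "Valid"},
    {"id": 2, "image": r"C:\Users\alice\Downloads\putty.exe",
     "signer": "Northwind Solutions LLC", "chain_status": "Valid"},
    {"id": 3, "image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe",
     "signer": "Contoso Apps s.r.o.", "chain_status": "Revoked"},
    {"id": 4, "image": r"C:\Windows\System32\notepad.exe",
     "signer": "Microsoft Corporation", "chain_status": "Valid"},
    {"id": 5, "image": r"C:\Users\bob\Downloads\setup.exe",
     "signer": None, "chain_status": "NotSigned"},
]

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS).items():
        print(event_id, finding["severity"], "; ".join(finding["reasons"]))
```

On the constructed sample, events 2, 3 and 5 are flagged and events 1 and 4 are not: the legitimate PuTTY install and notepad.exe pass because their signer is on the allowlist and they run from a vendor path, while the Downloads copy of putty.exe is caught on two independent reasons even though its chain verifies as valid. That last case is the one this service produced: a fraudulently obtained but technically valid certificate, which is why publisher reputation and install location have to be checked alongside chain status.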

Detection & Response

  • Application Control: Use application control solutions (like Windows Defender Application Control) to create policies that only allow software signed by trusted, known publishers to run. This is a powerful defense against this type of threat. This is an implementation of D3FEND's Executable Allowlisting (D3-EAL).
  • EDR and Antivirus: Ensure endpoint security tools are configured to scan all files, regardless of their signature, and to use behavioral analysis to detect malicious actions.
  • Certificate Revocation Checking: Ensure that systems are configured to check for certificate revocation, which can help block malware signed with certificates that have since been identified as fraudulent and revoked.

Mitigation

  • M1045 - Code Signing: This is a case where the mitigation is abused by the attacker. For defenders, the mitigation is to enforce code signing policies, allowing only binaries signed by a pre-approved list of trusted publishers.
  • M1038 - Execution Prevention: This is the ultimate goal. By using application whitelisting, you can prevent any unauthorized code, signed or not, from executing.
  • M1017 - User Training: Train users to be wary of unexpected software installers, even if they appear to be legitimate and signed. Users should only install software from official company portals or well-known vendor websites.

Timeline of Events

  1. May 20, 2026: This article was published

Article Updates

May 21, 2026

FBI and Europol joined Microsoft in the Fox Tempest MSaaS takedown. The service has also been linked to Qilin and Akira ransomware, with impact on critical infrastructure and healthcare.

MITRE ATT&CK Mitigations

  • Use application control solutions to enforce strict policies on which executables are allowed to run, based on signature and reputation.
  • Enforce policies that only trust a limited set of well-known, reputable code-signing certificates.

Sources & References (when first published)

Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks
The Hacker News (thehackernews.com) May 20, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Takedown, Microsoft, Fox Tempest, MSaaS, Code Signing, Rhysida, Cybercrime
