
In the ongoing cat-and-mouse game between tech giants and cybercriminals, Microsoft says it has shut down a covert operation that turned malware into something that looked squeaky clean. The company reports it dismantled a malware-signing-as-a-service outfit known as Fox Tempest, revoked more than 1,000 fraudulent code-signing certificates, and pulled the plug on the operation's main portal. According to Microsoft, the service helped criminals make malicious installers appear legitimate so ransomware and other malware could glide past security defenses. Microsoft’s Digital Crimes Unit says the takedown also involved seizing domains and disabling hundreds of virtual machines tied to the scheme.
In an unsealed legal filing and companion posts published Tuesday, Microsoft described Fox Tempest as a long-running "malware-signing-as-a-service" operation that has been active since at least May 2025 and ran a portal called signspace.cloud, according to Microsoft On the Issues. The company says the group spun up hundreds of fraudulent Azure tenants and then sold access to signed binaries, charging criminal customers thousands of dollars for the privilege of having their malware wrapped in trusted-looking code.
What Microsoft took offline
Microsoft says it has now seized the signspace.cloud domain, moved malicious domains into a Microsoft-controlled sinkhole to cut off their traffic, and disabled hundreds of virtual machines that hosted the service. Those actions are detailed in court documents and described in coverage from BleepingComputer. The company also revoked the fraudulent certificates and suspended the operator’s repositories in an effort to make sure Fox Tempest’s infrastructure cannot be easily recycled.
How the signing service worked
According to Microsoft Threat Intelligence, Fox Tempest abused Microsoft’s Artifact Signing service, previously known as Trusted Signing, to crank out short-lived certificates that often stayed valid for only about 72 hours. During that window, malicious code could masquerade as a trusted application, making many security tools more likely to let it through. Operators allegedly sweetened the deal by offering customers preconfigured virtual machines and running a Telegram channel where they advertised access, complete with priority pricing tiers reportedly ranging from roughly $5,000 to $9,500 in bitcoin.
Who used the service and who was hit
Microsoft links Fox Tempest to a roster of ransomware affiliates and malware families, including Rhysida and Vanilla Tempest, which used fraudulently signed installers to hit targets across healthcare, education, and government, as reported by CyberScoop. Rhysida in particular has been connected to several high-profile incidents, including a 2024 attack on Seattle-Tacoma International Airport, according to reporting by The Associated Press.
How organizations can defend
In response to the Fox Tempest case, Microsoft is urging customers to harden their defenses. The company recommends turning on cloud-delivered protections, enabling tenant-wide tamper protection, and using Safe Links and Safe Attachments in email so that malicious downloads are blocked before users ever click them, guidance outlined by Microsoft Threat Intelligence. Security teams, Microsoft adds, should treat signed binaries with caution and lean on layered detection rather than trusting reputation or a valid signature alone.
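The "valid signature alone is not enough" advice above can be turned into a concrete triage step. The following PowerShell script is an added example, not code from Microsoft or from the article: it inspects each Authenticode-signed file, records the signer certificate's validity window, and flags signatures that are not in a Valid state or whose certificate lifetime is at or below the roughly 72-hour window described above. The sample file paths are hypothetical, and the 72-hour threshold is a triage signal rather than a verdict, since legitimately signed software can also carry short-lived certificates; flagged files should be reviewed against other telemetry (file hash reputation, EDR detections, origin of the download) instead of being trusted or blocked on this output alone.

```powershell
# Added example (not Microsoft's or the article's code): triage signed binaries so that
# a valid Authenticode signature is one input to a decision, not the decision itself.
# Assumptions: $Paths are hypothetical sample paths; $ShortLifetimeHours defaults to
# the ~72-hour certificate lifetime reported for the abused signing service.

function Get-SignedBinaryTriage {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        [double]$ShortLifetimeHours = 72
    )

    foreach ($path in $Paths) {
        $sig   = Get-AuthenticodeSignature -FilePath $path
        $cert  = $sig.SignerCertificate
        $flags = @()

        # Any status other than Valid (NotSigned, HashMismatch, NotTrusted, ...) is worth
        # a look. Whether a revoked certificate surfaces here depends on the host being
        # able to fetch revocation data, so do not treat 'Valid' as proof of non-revocation.
        if ($sig.Status -ne 'Valid') {
            $flags += "signature status: $($sig.Status)"
        }

        if ($null -ne $cert) {
            $lifetimeHours = ($cert.NotAfter - $cert.NotBefore).TotalHours
            if ($lifetimeHours -le $ShortLifetimeHours) {
                # Short validity window: consistent with the abuse pattern, but also with
                # legitimate short-lived signing certificates, hence a flag, not a block.
                $flags += ('short-lived certificate ({0:N0} h)' -f $lifetimeHours)
            }
            if ($null -eq $sig.TimeStamperCertificate) {
                # Without a timestamp countersignature the signature stops validating
                # once the short-lived certificate expires; worth recording either way.
                $flags += 'no timestamp countersignature'
            }
        }

        # Layered signal: a file hash to correlate with threat intelligence and EDR telemetry.
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

        [pscustomobject]@{
            Path      = $path
            Status    = $sig.Status
            Subject   = if ($cert) { $cert.Subject } else { $null }
            Issuer    = if ($cert) { $cert.Issuer } else { $null }
            NotBefore = if ($cert) { $cert.NotBefore } else { $null }
            NotAfter  = if ($cert) { $cert.NotAfter } else { $null }
            SHA256    = $hash
            Flags     = ($flags -join '; ')
        }
    }
}

# Usage with hypothetical paths: review anything that carries a flag before allowing it.
Get-SignedBinaryTriage -Paths 'C:\Downloads\installer.exe', 'C:\Downloads\setup.msi' |
    Format-Table -AutoSize
```

The script only reads file metadata and signature data; it never launches the binaries. In practice the output would be fed into whatever allow-listing or incident-review process the team already runs, alongside the cloud-delivered protections and tamper-protection settings the article recommends.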
Legal next steps
On the legal front, Microsoft has filed a civil action in the U.S. District Court for the Southern District of New York. Court materials on the seizure notice site show a temporary restraining order signed on May 8, 2026, along with related filings documenting the domain seizure and other requested relief. A show-cause hearing in the matter is scheduled for tomorrow, May 22, 2026, according to the court notice page maintained for the case.
The Fox Tempest takedown follows a series of recent moves by Microsoft’s Digital Crimes Unit that target service providers and infrastructure inside the broader cybercrime ecosystem, an approach the company says is designed to increase costs and friction for attackers. Experts note that disruption rarely shuts down abuse permanently, but removing a trusted signing service from the criminal toolbox can make many attacks both harder to execute and more expensive to run.