Microsoft Just Took Down a Code-Signing-as-a-Service Operation. Five Ransomware Crews Were the Customers.

Microsoft's Digital Crimes Unit disrupted Fox Tempest on May 19 — a malware-signing-as-a-service operation that issued over 1,000 fraudulent code-signing certificates to ransomware crews including Rhysida, Vanilla Tempest, and three Storm clusters at up to $9,500 per signed sample.

[Illustration: a fractured Artifact Signing vault spilling certificate fragments, with a fox-and-tempest motif]

Microsoft's Digital Crimes Unit disrupted Fox Tempest on May 19, 2026 — a malware-signing-as-a-service operation that issued over 1,000 fraudulent code-signing certificates to ransomware crews including Rhysida, Vanilla Tempest, and three Storm clusters. Customers paid up to $9,500 per signed sample. Fox Tempest cleared Microsoft's Artifact Signing identity-verification checks for roughly twelve months.

REDMOND, WASHINGTON — On May 19, 2026, Microsoft's Digital Crimes Unit (DCU) unsealed a legal action in the US District Court for the Southern District of New York against Fox Tempest — a cybercrime operation that Microsoft has tracked since September 2025 and that abused Microsoft's own Artifact Signing platform to issue more than 1,000 fraudulent code-signing certificates to ransomware affiliates and malware operators. Fox Tempest charged customers up to $9,500 per signed sample. Confirmed downstream customers include Rhysida, Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 ransomware crews; binaries signed by Fox Tempest-issued certificates have been tied to the Oyster loader, Lumma Stealer, MuddyWater, and Vidar. Microsoft seized the operation's website (signspace[.]cloud), took hundreds of virtual machines offline, blocked access to the underlying code repository, and revoked every certificate attributed to Fox Tempest. Microsoft's Steven Masada, Assistant General Counsel at DCU, led the public briefing. The action lands the same week as Operation Endgame 2.0 (Europol, May 19-22) and the day after INTERPOL's Operation Ramz (May 18) — making this the single most aggressive week of public cybercrime-infrastructure disruption in 2026.

Disclosure Overview

| Field | Details |
|---|---|
| Disclosure | Microsoft DCU — Microsoft Security Blog and Microsoft On the Issues, May 19, 2026; legal action unsealed in US District Court for the Southern District of New York |
| Operation Tracked Since | September 2025 (≈12 months pre-takedown) |
| Service Model | Malware-signing-as-a-service (MSaaS) — customers paid up to $9,500 per signed sample |
| Fraudulent Certificates Issued | More than 1,000 — all revoked as part of the takedown |
| Primary Infrastructure Seized | signspace[.]cloud (operation website); hundreds of virtual machines taken offline; underlying code repository access blocked |
| Downstream Ransomware Customers | Rhysida, Vanilla Tempest, Storm-0501, Storm-2561, Storm-0249 |
| Downstream Malware Families | Oyster loader, Lumma Stealer, MuddyWater, Vidar |

What Happened

The Service

Fox Tempest operated a subscription-style code-signing service through signspace[.]cloud, charging up to $9,500 per signed sample. Customers submitted malware binaries and received them back signed by certificates that Fox Tempest had obtained from Microsoft's Artifact Signing platform by fabricating identities and impersonating legitimate organizations. The model is what the threat-intelligence community has begun calling malware-signing-as-a-service (MSaaS). For ransomware affiliates, the value proposition is simple: a signed binary clears Windows Defender allowlists, SmartScreen reputation checks, and the application-control policies most enterprises now run on the endpoint.

The Customers and the Payloads

Microsoft's filing names five downstream ransomware operators that purchased signed binaries from Fox Tempest: Rhysida, Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249. Binaries signed by Fox Tempest-issued certificates carried the Oyster loader, Lumma Stealer, MuddyWater, and Vidar — a payload set that covers initial-access loaders, credential-theft stealers, and Iranian-aligned remote-access tradecraft. The intersection is the operationally interesting part: a single MSaaS provider was clearing the trust-chain gate for ransomware, info-stealer, and nation-state-adjacent operations at the same time.

The Takedown

Microsoft DCU obtained an order from the US District Court for the Southern District of New York, unsealed on May 19. Microsoft seized signspace[.]cloud, took the hundreds of virtual machines hosting Fox Tempest's infrastructure offline, blocked access to the operation's underlying code repository, and revoked all 1,000-plus certificates that Microsoft attributes to Fox Tempest. Steven Masada, DCU's Assistant General Counsel, briefed press on the operation. The legal action appears to be civil and in rem rather than criminal: there are no public arrests, and Microsoft has not named individual operators behind Fox Tempest.

Signed Payload Stack
| Customer or Family | Detail |
|---|---|
| Rhysida | Ransomware crew; Fox Tempest-signed payloads |
| Vanilla Tempest | Ransomware crew tracked by Microsoft; Fox Tempest-signed payloads |
| Storm-0501 / Storm-2561 / Storm-0249 | Microsoft-tracked threat clusters; all confirmed downstream customers |
| Oyster | Loader used to deploy second-stage payloads |
| Lumma Stealer | Info-stealer; Fox Tempest-signed variants observed |
| MuddyWater | Iranian-aligned tradecraft; signed through Fox Tempest |
| Vidar | Info-stealer; signed binaries used in ransomware staging |

Scope and Impact

The Fox Tempest takedown is necessary but reactive. The operationally significant fact is the gap it exposes: for roughly twelve months, Fox Tempest cleared Microsoft's Artifact Signing identity-verification controls more than 1,000 times. Every one of those certificates was, until May 19, a structurally valid Microsoft-anchored trust signal on a malicious binary. Windows defenders relying on the 'Microsoft-signed = safe' assumption were operating against an adversary that had quietly broken that assumption at scale. The takedown revokes the certificates; it does not retroactively restore the assumption.

The action also lands in the most active code-signing-chain news cycle of 2026. The OpenAI cert rotation triggered by Mini Shai-Hulud forced a frontier AI lab to rotate every signing certificate it owned after two employee laptops were compromised. The Mini Shai-Hulud TanStack wave produced the first npm worm to ship malicious packages with valid SLSA Build Level 3 provenance attestations. Fox Tempest is the third leg of the same cluster: a parallel-track attack on the Microsoft-signing trust chain that has been operating beneath the public threat-intelligence radar since at least September 2025.

Response and Attribution

Microsoft has revoked every certificate attributed to Fox Tempest. The company has not published certificate thumbprints or other indicators of compromise yet, but DCU disclosures of this scope typically produce an IOC release within days of the unsealed action. CISOs running Windows-allowlisting policies should subscribe to MSRC alerts and pre-stage detection logic for Fox Tempest-attributed thumbprints once they land.

The pre-deployment intelligence pattern is the same one that drove the GTIG disruption of the first AI-developed 2FA-bypass zero-day used in the wild — vendors with telemetry across the trust chain coordinate disruption before deployment rather than forensic cleanup after. Microsoft DCU has executed eight similar in-rem actions since 2010. The Fox Tempest action is the first that explicitly targets the malware-signing-as-a-service vertical, and the takedown sits alongside the same week's INTERPOL Operation Ramz — together the most aggressive week of public cyber-enforcement signal in 2026.


The CyberSignal Analysis

Signal 01 — Malware-Signing-as-a-Service Is Now a Named Category

Fox Tempest is the first MSaaS operation Microsoft has named publicly, and the structural finding — over 1,000 certificates cleared through identity-verification controls — establishes the category at scale. Defenders should add MSaaS as a tracked threat-actor taxonomy entry. Expect successor operations to surface within 60 to 90 days; the economics favor it. Code-signing certificates cleared by impersonated identities cost the attacker nothing to mint and clear up to $9,500 per signed sample at the customer interface. That margin will pull additional operators into the model.

Signal 02 — 'Microsoft-Signed' Is No Longer a Sufficient Trust Signal in Isolation

The structural lesson is the one Windows-enterprise CISOs should be reading. For twelve months, certificates issued through Microsoft's Artifact Signing platform were the trust-chain proof point on malicious binaries that ran inside customer environments. The 'Microsoft-signed = safe' baseline has a documented exploitation pattern. Update software-allowlisting policies to require additional layered signals — behavioral telemetry, code-provenance attestation, build-environment verification — before treating a signed binary as trusted. Engage Microsoft Premier support for written confirmation of what Artifact Signing's identity-proofing controls now look like; the public takedown does not, by itself, restore the assumption.
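The pre-staged thumbprint detection that the Response section calls for and the layered check that Signal 02 describes can be one script. The following is an added example, not code from Microsoft or from The CyberSignal: it verifies the Authenticode signature, compares the signer thumbprint against a watchlist, forces an online revocation check of the signer chain, and still refuses to grant ALLOW unless the publisher is on an organization-approved list. The thumbprints in `$Watchlist`, the approved publisher name, and the `C:\Staging` scan path are placeholders and assumptions; replace the thumbprints with the Fox Tempest-attributed values once Microsoft publishes them.

```powershell
# Added example (not Microsoft's or The CyberSignal's code): layered trust verdict for
# Authenticode-signed files. Requires Windows (Get-AuthenticodeSignature is Windows-only).
#Requires -Version 5.1

# Constructed placeholder watchlist of signer thumbprints (SHA-1 hex, uppercase, no spaces).
# These are NOT Fox Tempest indicators; substitute the published thumbprints when available.
$Watchlist = @(
    'PLACEHOLDER0000000000000000000000000000A1',
    'PLACEHOLDER0000000000000000000000000000B2'
) | ForEach-Object { $_.ToUpperInvariant() }

# Assumed: publishers (certificate CN) the organization has explicitly approved.
$ApprovedPublishers = @('Example Corp Release Signing')

function Test-SignerRevocation {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Get-AuthenticodeSignature reports chain trust, but whether it consulted a fresh CRL/OCSP
    # response depends on local caching and policy. Rebuild the chain with online checking forced.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','
    [pscustomobject]@{
        Revoked = ($flags -match '\bRevoked\b')
        Status  = if ($flags) { $flags } else { 'NoError' }
    }
}

function Get-SignedBinaryVerdict {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$BlockedThumbprints = $Watchlist,
        [string[]]$TrustedPublishers  = $ApprovedPublishers
    )
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Layer 1: the signature itself must verify (hash matches, chain trusted).
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("signature status $($sig.Status): $($sig.StatusMessage)")
    }

    $cert = $sig.SignerCertificate
    if ($cert) {
        # Layer 2: explicit thumbprint watchlist. A timestamped signature made before a
        # certificate's revocation date can still verify, so revocation alone is not enough.
        $tp = $cert.Thumbprint.ToUpperInvariant()
        if ($BlockedThumbprints -contains $tp) {
            $reasons.Add("signer thumbprint $tp is on the watchlist")
        }
        $rev = Test-SignerRevocation -Cert $cert
        if ($rev.Revoked) {
            $reasons.Add("signer certificate revoked ($($rev.Status))")
        }
        # Layer 3: a valid, unrevoked signature is still only one signal; the publisher
        # must also be one the organization approved.
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        if ($TrustedPublishers -notcontains $cn) {
            $reasons.Add("publisher '$cn' is not on the approved list")
        }
    } else {
        $reasons.Add('no signer certificate present')
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Verdict    = if ($reasons.Count -eq 0) { 'ALLOW' } else { 'REVIEW' }
        Reasons    = ($reasons -join '; ')
    }
}

# Usage (assumed path): scan a staging directory and report everything that is not ALLOW.
Get-ChildItem -Path 'C:\Staging' -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 |
    ForEach-Object { Get-SignedBinaryVerdict -Path $_.FullName } |
    Where-Object Verdict -ne 'ALLOW' |
    Format-Table Path, Status, Signer, Verdict, Reasons -AutoSize
```

The verdict is deliberately two-valued: anything that fails any layer lands in REVIEW rather than being silently blocked, so the output can feed an application-control exception queue or a SIEM rule instead of a production allowlist. The thumbprint watchlist stays in the script even after revocation propagates, because Authenticode honors trusted timestamps and a countersigned binary may keep verifying after its signer certificate is revoked.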

Signal 03 — Enforcement Tempo Has Become an Operational Variable

Microsoft DCU's Fox Tempest action lands the same week as Europol's Operation Endgame 2.0 (May 19-22) and INTERPOL's Operation Ramz (May 18). The combined effect compresses operator timelines globally. The Mini Shai-Hulud copycat clones wave showed how fast a public source release commoditizes a TTP — within seven days. The Fox Tempest seizure shows how fast a multi-vendor enforcement coalition can collapse a service tier — within twelve months of first detection. For CISOs, the tempo means threat-intelligence consumption now needs to be tuned to weekly cycles, not monthly. The IOCs and operator attributions produced by this week's three operations will be most operationally useful in the next 30 days.


Sources

| Type | Source |
|---|---|
| Primary | Microsoft Security Blog — Exposing Fox Tempest: A Malware-Signing Service Operation |
| Primary | Microsoft On the Issues — Disrupting Fox Tempest, a Cybercrime Service |
| Reporting | BleepingComputer — Cybercrime Service Disrupted for Abusing Microsoft Platform to Sign Malware |
| Reporting | CyberScoop — Microsoft Digital Crimes Unit Disrupts Fox Tempest |
| Reporting | The Record — Microsoft Disrupts Fox Tempest Malware-Signing Service |
| Related | The CyberSignal — OpenAI Is Rotating Every Code-Signing Certificate It Has |
| Related | The CyberSignal — INTERPOL Operation Ramz: 201 Arrests Across 13 MENA Countries |