Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service Operation Linked to Qilin, Akira, More
- Targeted legal action: Microsoft unsealed a legal case against Fox Tempest, a malware-signing-as-a-service operation.
- Infrastructure takedown execution: Authorities seized signspace.cloud, blocked underlying code repositories, and took hundreds of virtual machines offline.
- Strategic global collaboration: Microsoft partnered with Resecurity, Europol EC3, and the FBI to execute the disruption.
Microsoft has unsealed a legal case in the US District Court for the Southern District of New York targeting Fox Tempest, a highly specialized malware-signing-as-a-service operation. Operating since May 2025, Fox Tempest enabled threat actors to disguise malicious payloads as legitimate software by fraudulently accessing and abusing trusted code-signing tools, including Microsoft's Artifact Signing system.
This illicit service allowed cybercriminals to bypass standard security protocols, ultimately infecting thousands of machines and compromising critical enterprise networks worldwide.
Infrastructure Seizure and Threat Evolution
Microsoft announced it executed a coordinated technical disruption to neutralize the operational capacity of Fox Tempest. The intervention successfully:
- Seized the primary Fox Tempest website, signspace.cloud.
- Took offline hundreds of virtual machines (VMs) running the infrastructure.
- Blocked access to a separate site hosting the underlying malicious code.
As Microsoft implemented countermeasures, the operators adapted: in February 2026, Fox Tempest shifted its operations to networks of third-party-hosted VMs to maintain resilience.
The cybercrime service generated millions in proceeds. To achieve this scale, the operators utilized fabricated identities and impersonated legitimate organizations to create hundreds of fraudulent Microsoft accounts, acquiring code-signing credentials in bulk.
The legal filing officially names Vanilla Tempest as a co-conspirator. This prominent ransomware group heavily utilized Fox Tempest to deploy various sophisticated malware and ransomware families, specifically including Oyster, Lumma Stealer, Vidar, Rhysida, INC Ransom, Qilin, and Akira.
Co-Conspirators and Global Law Enforcement Collaboration
To execute this complex disruption, Microsoft collaborated extensively with public and private sector intelligence partners. The operation relied on critical insights from the cybersecurity firm Resecurity, alongside coordinated efforts with Europol’s European Cybercrime Center (EC3) and the Federal Bureau of Investigation (FBI).
"They've made this operational and scalable by providing a mass service to cybercriminals and ransomware operators to essentially go out, get their code signed quickly... then deploy whatever operations they want," Maurice Mason, principal cybercrime investigator at Microsoft's Digital Crimes Unit, told reporters, cited by Axios.
Earlier this month, a Conti and Akira affiliate was sent to prison for ransomware and extortion operations targeting over 50 organizations.
A December 2025 report outlined that modern Akira, Qilin, and Medusa ransomware attacks use Shanya Packer-as-a-Service (VX Crypt).
Lumma Stealer was listed among the top threats in 2025 following its shutdown earlier that year. A November 2025 campaign delivered the Vidar infostealer via 17 trojanized npm packages.










