Exposing Fox Tempest: A malware-signing service operation
Fox Tempest is a financially motivated threat actor that ran a malware-signing-as-a-service (MSaaS) operation abusing Microsoft Artifact Signing to obtain fraudulent code-signing certificates. Customers of the service used the resulting signatures to distribute malware, including the Rhysida ransomware and the Oyster, Lumma Stealer, and Vidar families. The actor created over a thousand certificates and hundreds of Azure tenants to support the operation. Microsoft's Digital Crimes Unit disrupted the service in May 2026 by revoking the fraudulent certificates. The service was sold through signspace.cloud for between USD 5,000 and USD 9,000 per engagement. Victims spanned multiple sectors globally, including healthcare, education, government, and financial services.
AI Analysis
Technical Summary
Fox Tempest operated a malware-signing-as-a-service business built on Microsoft Artifact Signing, a legitimate Microsoft code-signing service. By obtaining certificates fraudulently, the actor could produce signatures that let customer malware pass controls that trust signed binaries, such as reputation and execution-policy checks. The actor created over a thousand certificates and established hundreds of Azure tenants to sustain the operation at scale. Microsoft intervened in May 2026, revoking the certificates and disrupting the service through its Digital Crimes Unit. The service was used to distribute ransomware (Rhysida) and commodity malware families (Oyster, Lumma Stealer, Vidar), and was monetized through signspace.cloud at fees of several thousand US dollars per signing engagement. The campaign affected organizations across healthcare, education, government, and financial services worldwide.
Potential Impact
A valid code signature allows a binary to pass controls that trust signed code, so the certificates issued through Fox Tempest raised the success rate of infections and supported both ransomware deployment and commodity-malware distribution across critical sectors. Microsoft's revocation of over one thousand certificates and the takedown of the service curtail ongoing abuse, with two caveats. Samples signed before the takedown still carry their signatures; whether those signatures now fail validation depends on the effective date Microsoft set for each revocation and on the validating system actually consulting revocation data. A host that skips revocation checks or relies on a stale cached CRL will continue to treat such samples as validly signed. No active exploitation is reported following the intervention, but previously signed samples should be assumed to remain in circulation.
Mitigation Recommendations
Microsoft has revoked the fraudulent certificates and disrupted the Fox Tempest signing service through its Digital Crimes Unit as of May 2026. Because this is abuse of legitimate signing infrastructure rather than a software vulnerability, there is no patch to apply; remediation is on the certificate-validation side. Confirm that endpoint protection, application-control, and code-integrity tooling perform revocation checking (CRL or OCSP) rather than accepting any chain that terminates in a trusted root, and that cached revocation data is refreshed. Hunt for the indicators listed below: the signspace.cloud domain in proxy and DNS logs, and the file hashes in endpoint telemetry and quarantine stores. Review application allow-lists that grant blanket trust to any signed binary, since that is exactly the trust this service sold. Consult the Microsoft advisory referenced in the Technical Details for current remediation guidance.
Indicators of Compromise
- hash (SHA-1): 7e6d9dac619c04ae1b3c8c0906123e752ed66d63
- hash (SHA-1): dc0acb01e3086ea8a9cb144a5f97810d291020ce
- hash (SHA-256): 11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326
- hash (SHA-256): f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc
- hash (SHA-256): f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55
- domain: signspace.cloud
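As an added example, not part of the AlienVault pulse or of Microsoft's report, the Python script below hunts for the indicators listed above in the two places a responder usually has at hand: a directory of files (quarantine exports, download folders) and exported proxy or DNS log lines. The hashes and domain are the ones on this page; the log lines are constructed for the demonstration. The script infers SHA-1 versus SHA-256 from digest length so both kinds of indicator are matched against the right digest, hashes each file once with both algorithms, and matches the domain as apex-or-subdomain so that look-alikes such as signspace.cloud.example.com do not trigger.

```python
"""Hunt for the Fox Tempest indicators listed on this page.

Two checks: (1) hash files under a directory with SHA-1 and SHA-256, because the
published list mixes both digest lengths, and match them against the IoC set;
(2) scan proxy/DNS log lines for the signspace.cloud domain, including its
subdomains, while rejecting look-alikes such as signspace.cloud.example.com.
"""
import hashlib
import re
from pathlib import Path

# Indicators copied from this page. Algorithm is inferred from digest length.
IOC_HASHES = {
    "7e6d9dac619c04ae1b3c8c0906123e752ed66d63",
    "dc0acb01e3086ea8a9cb144a5f97810d291020ce",
    "11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326",
    "f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc",
    "f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55",
}
IOC_DOMAINS = {"signspace.cloud"}

DIGEST_LENGTHS = {40: "sha1", 64: "sha256"}  # hex characters -> algorithm


def group_by_algorithm(hashes):
    """Bucket hex digests by algorithm; reject anything that is not 40 or 64 hex chars."""
    grouped = {}
    for h in hashes:
        h = h.strip().lower()
        if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in DIGEST_LENGTHS:
            raise ValueError(f"unrecognised digest: {h!r}")
        grouped.setdefault(DIGEST_LENGTHS[len(h)], set()).add(h)
    return grouped


IOC_BY_ALG = group_by_algorithm(IOC_HASHES)


def digests_of_bytes(data):
    """SHA-1 and SHA-256 of an in-memory blob (small files, tests)."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def file_digests(path, chunk_size=1 << 20):
    """Compute SHA-1 and SHA-256 of a file in a single streaming pass."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h1.update(chunk)
            h256.update(chunk)
    return {"sha1": h1.hexdigest(), "sha256": h256.hexdigest()}


def match_digests(digests, iocs=IOC_BY_ALG):
    """Return [(algorithm, digest)] for each digest found in the IoC set of the same algorithm."""
    hits = []
    for alg, d in digests.items():
        d = d.lower()
        if d in iocs.get(alg, set()):
            hits.append((alg, d))
    return hits


def scan_files(root, iocs=IOC_BY_ALG):
    """Walk `root` and return [(path, algorithm, digest)] for files matching an IoC hash."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            hits.extend((str(p), alg, d) for alg, d in match_digests(file_digests(p), iocs))
    return hits


# Hostnames: one or more dotted labels ending in an alphabetic TLD (bare IPs are skipped).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def domain_matches(hostname, iocs=IOC_DOMAINS):
    """True for the IoC apex or any subdomain; False for look-alikes that merely contain it."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in iocs)


def scan_log_lines(lines, iocs=IOC_DOMAINS):
    """Return [(line_number, hostname)] for each log line that references an IoC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if domain_matches(host, iocs):
                hits.append((n, host.lower()))
    return hits


# Constructed sample log lines for demonstration only; not taken from any real environment.
SAMPLE_LOG = [
    "2026-05-18T09:12:01Z proxy src=10.0.0.5 GET https://signspace.cloud/order status=200",
    "2026-05-18T09:12:07Z dns q=api.signspace.cloud type=A rcode=NOERROR",
    "2026-05-18T09:13:44Z proxy src=10.0.0.7 GET https://updates.example.com/ status=200",
    "2026-05-18T09:14:02Z dns q=signspace.cloud.example.com type=A rcode=NXDOMAIN",
]

if __name__ == "__main__":
    import sys
    for n, host in scan_log_lines(SAMPLE_LOG):
        print(f"domain hit: line {n}: {host}")
    for path, alg, d in scan_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"hash hit: {path} {alg}={d}")
```

Run it as `python hunt_fox_tempest.py /path/to/quarantine` (the file name is illustrative) and feed real proxy or DNS exports to `scan_log_lines`. Five hashes are a thin net for a service that signed many distinct samples, so treat a miss as inconclusive rather than as a clean result; certificate-level hunting on signer names or thumbprints is the stronger pivot once those details are available, and it pairs with the revocation-checking review described under Mitigation Recommendations.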
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/
- Adversary: Fox Tempest
- Pulse Id: 6a0ca3690196d40952527b96
- Threat Score: null
Threat ID: 6a0e52dcba1db47362ca4f83
Added to database: 5/21/2026, 12:33:32 AM
Last enriched: 5/21/2026, 12:48:30 AM
Last updated: 5/21/2026, 4:47:41 AM