Microsoft shuts down malware-signing service used by Rhysida and Qilin

Ransomware gangs were paying up to $9,500 to have their malware digitally signed as legitimate Microsoft software, and the service had been running for a year before Microsoft seized it.

What happened

Microsoft has seized the infrastructure of Fox Tempest, a criminal operation that sold code-signing certificates to ransomware gangs, allowing them to disguise malware as legitimate software trusted by Windows. According to BleepingComputer, Fox Tempest operated since May 2025 by abusing Microsoft's own Artifact Signing service, creating more than 1,000 fraudulent certificates and hundreds of fake Azure accounts using stolen identities. Microsoft's Digital Crimes Unit seized the signspace.cloud domain, took hundreds of virtual machines offline, and blocked access to the platform's underlying infrastructure. The operation has been codenamed OpFauxSign. Customers of the service included Vanilla Tempest, the group behind Rhysida ransomware, which used the signed certificates to deploy the Oyster backdoor, Lumma and Vidar infostealers, and Rhysida ransomware itself. Microsoft identified thousands of compromised machines in the United States, including more than a dozen of its own.

Going deeper

Fox Tempest's service removed one of the most effective barriers between ransomware operators and their victims: the Windows security warning that appears when unsigned or unrecognized software is installed. A digitally signed binary from a Microsoft-issued certificate appears legitimate to both Windows and end users, bypassing that warning and making it far easier for attackers to install malware without prompting suspicion. Certificates were priced at $5,000 for standard delivery, $7,500 for priority, and $9,500 for expedited. According to The Hacker News, starting in February 2026, Fox Tempest shifted to providing customers with pre-configured virtual machines hosted on Cloudzy, allowing buyers to upload malicious files and receive signed binaries directly, reducing friction for customers and improving the operation's security. Microsoft's investigation linked Fox Tempest to additional ransomware affiliates and families beyond Vanilla Tempest, including INC, Qilin, and Akira.

What was said

Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, stated in Microsoft's blog post that "to disrupt the service, we seized Fox Tempest's website signspace.cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code." Masada added that Microsoft's investigation "further linked Fox Tempest to various additional ransomware affiliates and families, including INC, Qilin, Akira, and others." Court documents unsealed Tuesday describe Fox Tempest operators using fake identities and impersonating real organizations to create more than 580 fraudulent Microsoft accounts for the operation.

In the know

Vanilla Tempest, the group that used Fox Tempest's certificates to deploy Rhysida ransomware, has a documented history of targeting healthcare. According to BleepingComputer, Vanilla Tempest has attacked organizations in education, healthcare, IT, and manufacturing since at least 2021, and was the subject of a joint FBI and CISA advisory in 2022, warning of disproportionate targeting of the US education sector. Microsoft disrupted an earlier Vanilla Tempest campaign in October 2025 by revoking more than 200 certificates used to sign fake Microsoft Teams installers that delivered the Oyster backdoor and Rhysida ransomware. The Fox Tempest takedown addresses the underlying supply of signed certificates that made those campaigns possible at scale.

The big picture

A service that sells trusted digital signatures to ransomware operators for thousands of dollars removes a security control that healthcare organizations rely on without knowing it. When staff installs what appears to be a legitimate, signed application, no warning appears, and endpoint security tools configured to trust Microsoft-signed software may not flag the payload. The Rhysida group specifically has a documented pattern of targeting healthcare providers, including two US healthcare organizations in separate confirmed attacks documented by The Register that extracted more than 300,000 patients' data. With INC and Qilin also linked to Fox Tempest's customer base and both groups confirmed as active healthcare ransomware threats in Q1 2026, the takedown directly removes the infrastructure that supported attacks against the sector.

FAQs

What is code signing, and why does it matter for security?

Code signing uses a digital certificate to confirm that software comes from a known developer and has not been tampered with. Windows displays warnings when unsigned software attempts to install. A fraudulently obtained Microsoft-issued certificate bypasses those warnings, making malicious software appear as legitimate as any commercial application.

How did Fox Tempest fraudulently obtain real Microsoft certificates?

Fox Tempest created more than 580 fake Microsoft accounts using stolen and fabricated identities, then used those accounts to access Microsoft's legitimate Artifact Signing service. Because the accounts appeared to belong to real developers, the service issued genuine certificates that were then sold to ransomware operators.

Why does signing malware make it harder for security tools to catch?

Many endpoint security configurations include exception rules for software signed by trusted publishers, including Microsoft. A ransomware payload carrying a valid Microsoft certificate can pass those checks without triggering alerts, particularly in environments that prioritize operational continuity over aggressive security controls.
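The practical takeaway from this answer is that "signature is valid" is not the same as "signer is one we trust". The PowerShell audit below is an added example, not from the article or from Microsoft; it lists recently created executables whose Authenticode signature verifies, then shows which signer subject and issuer stand behind each one so that anything outside a vetted publisher list can be reviewed instead of silently allowed. The `$PublisherAllowList` value is a constructed placeholder to be replaced with the exact certificate subjects your organization has vetted.

```powershell
# Added example: audit valid signatures by signer, not just by validity.
# Assumption: $PublisherAllowList holds exact certificate Subject strings your org has vetted.
param(
    [string]$Path = "$env:ProgramData",
    [int]$NewerThanDays = 30
)

# Constructed placeholder; replace with subjects from certificates you have reviewed.
$PublisherAllowList = @(
    'CN=Example Vetted Publisher, O=Example Corp, L=Example City, S=Example State, C=US'
)

$cutoff = (Get-Date).AddDays(-$NewerThanDays)
$files  = Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.msi -File -ErrorAction SilentlyContinue |
          Where-Object { $_.CreationTime -gt $cutoff }

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    # Unsigned or broken signatures already draw scrutiny elsewhere; this pass
    # targets the files an "allow if signed by a trusted publisher" rule would wave through.
    if ($sig.Status -ne 'Valid') { continue }

    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File         = $f.FullName
        Signer       = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        CertIssued   = $cert.NotBefore
        CertLifeDays = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
        Allowlisted  = $PublisherAllowList -contains $cert.Subject
    }
}

# Summary: how many recently added, validly signed files each signer accounts for.
$report | Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Review queue: valid signatures whose signer is not on the vetted list.
# Certificate lifetime and issue date are included so reviewers can spot unusual issuance patterns.
$report | Where-Object { -not $_.Allowlisted } |
    Sort-Object CertIssued -Descending |
    Format-Table File, Signer, Issuer, CertLifeDays, CertIssued -AutoSize
```

Run it with `-Path` pointed at the directories your software deployment writes to; the thumbprints in the output are what you would pin in an allow rule instead of a blanket "trusted publisher" exception.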

What does linking INC, Qilin, and Akira to this service mean for healthcare organizations?

All three groups have confirmed healthcare attacks in 2025 and 2026. INC and Qilin were the most active groups in confirmed healthcare ransomware incidents in Q1 2026, according to Comparitech. If those groups used Fox Tempest certificates to sign their payloads, healthcare organizations compromised during that period may have been infected by software that appeared legitimate at the point of installation.

Does shutting down the service prevent future attacks by these groups?

The takedown removes the specific supply of certificates that Fox Tempest provided; however, the ransomware operators who used it retain their other capabilities. Groups like Qilin, INC, and Akira will continue to operate and are likely to seek alternative sources of certificates or adjust their delivery methods. The disruption increases the cost and difficulty of delivering malware that passes as legitimately signed, without eliminating the threat.