Resecurity Supports Microsoft DCU in Disrupting Fox Tempest ’s Cybercriminal Code-Signing Ecosystem
May 28, 2026 
Microsoft and Resecurity disrupted Fox Tempest, a malware-signing service that used fake Microsoft certificates to make malware look legitimate.
Resecurity supported Microsoft’s Digital Crimes Unit (DCU) in its disruption of Fox Tempest, a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) capability used by cybercriminals to make malicious files appear legitimate.
On May 19, 2026, Microsoft unsealed a legal case in the U.S. District Court for the Southern District of New York targeting Fox Tempest, a cybercrime service that abused Microsoft Artifact Signing to obtain fraudulent code-signing certificates. According to Microsoft, the service enabled cybercriminals to disguise malware as trusted software, improving the likelihood that malicious files would bypass security controls and be executed by victims.
As part of the disruption, Microsoft seized the malware-signing service website signspace[.]cloud, took offline hundreds of virtual machines used in the operation, blocked access to infrastructure hosting the underlying code, and revoked more than 1,000 code-signing certificates attributed to Fox Tempest.
Fox Tempest played an upstream role in the ransomware ecosystem. Rather than directly targeting victims, the group provided a specialized service that enabled other threat actors to digitally sign malware, improve the effectiveness of malicious distribution campaigns, and increase the perceived legitimacy of malicious software. Microsoft linked Fox Tempest-enabled activity to ransomware and malware operations involving Vanilla Tempest, Rhysida, Oyster, Lumma Stealer, Vidar, INC, Qilin, Akira, and other families or affiliates.
Resecurity collaborated with Microsoft DCU to help better understand how Fox Tempest operated. Microsoft also noted coordination with Europol’s European Cybercrime Centre (EC3) and the Federal Bureau of Investigation (FBI), underscoring the importance of public-private collaboration in disrupting cybercrime infrastructure.
The case highlights a broader shift in cybercrime: attackers increasingly rely on modular, commercialized services that remove friction from the attack chain. By weaponizing code signing, Fox Tempest helped make malicious software look trusted, reducing user suspicion and increasing the chances of successful compromise.
Disrupting these services upstream is critical. When malicious code-signing ecosystems are degraded, ransomware operators and malware distributors lose a key capability, attacks become harder to scale, and defenders gain more opportunity to stop threats before they reach victims.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Code-Signing Ecosystem)
Stephan is the sports journalist for the Maple Grove Report.
