Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks

Microsoft has dismantled a large-scale malware-signing-as-a-service (MSaaS) operation allegedly used to distribute ransomware and other malicious software under the guise of legitimate applications. The disruption, carried out under an operation codenamed OpFauxSign, targeted a cybercriminal ecosystem that helped attackers bypass traditional security defenses by exploiting trusted code-signing mechanisms.

Operation ‘OpFauxSign’ Targets Fox Tempest Infrastructure

Microsoft attributed the campaign to a threat actor it tracks as Fox Tempest, which has been active since 2025. According to the company, the group ran a service designed to sign malware using fraudulent certificates, making malicious files appear trustworthy to security tools and unsuspecting users.

As part of the takedown, Microsoft seized the domain associated with the operation, shut down hundreds of virtual machines, and blocked access to supporting infrastructure used to manage and distribute signed malware.

Malware-Signing Service Enabled Trusted-Looking Attacks

The MSaaS platform reportedly allowed cybercriminal clients to upload malicious binaries and receive digitally signed versions in return. These signed files were then distributed as seemingly legitimate software, helping attackers evade detection systems that rely on certificate trust.

Microsoft said the service played a role in delivering multiple well-known malware strains, including ransomware and information stealers, which were used in attacks targeting sectors such as healthcare, education, government, and financial services across several countries.

The operation also highlights how attackers increasingly abuse legitimate security systems designed for software verification, turning trust-based mechanisms into tools for deception.

Use of Fraudulent Code Certificates and Short Validity Windows

Investigators found that the service leveraged Microsoft’s own software signing ecosystem to obtain short-lived certificates under fraudulent identities. These certificates were reportedly valid for only a few days, a window that left defenders little time to detect them and revoke them in time. The short lifetime does not limit the damage on its own: an Authenticode signature that carries a trusted timestamp continues to verify after the certificate expires, so a signed binary stays trusted until the certificate is revoked with an effective date that covers the time of signing.

To obtain them, the attackers are believed to have used stolen or synthetic identities during verification processes. Once issued, the certificates were used to sign malware disguised as widely used applications, including remote access and collaboration tools.
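The following PowerShell is an added example for this page, not Microsoft’s tooling or anything recovered from the operation. It shows the check a defender would run after reading the two paragraphs above: walk a directory of binaries, read each Authenticode signer certificate, compute the certificate’s validity window, and surface files signed with a certificate that lived only a few days, along with the signature status and whether the signature was timestamped (a timestamped signature remains valid after the certificate expires). The seven-day threshold and the scan root are assumptions to tune for your environment.

```powershell
# Added example (not from the article or from Microsoft): hunt for Authenticode-signed
# binaries whose signing certificate had an unusually short validity window.
# Assumptions: the 7-day threshold and the scan root are placeholders chosen here.
function Get-ShortLivedSignerReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxLifetimeDays = 7
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if (-not $cert) { return }   # unsigned file: nothing to examine here

            # Certificate lifetime: the article describes certificates valid for only a few days.
            $lifetime = New-TimeSpan -Start $cert.NotBefore -End $cert.NotAfter

            [pscustomobject]@{
                File         = $_.FullName
                Status       = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                Thumbprint   = $cert.Thumbprint
                NotBefore    = $cert.NotBefore
                NotAfter     = $cert.NotAfter
                LifetimeDays = [math]::Round($lifetime.TotalDays, 1)
                # A timestamped signature keeps verifying after NotAfter, so an expired
                # short-lived certificate does not by itself make the binary untrusted.
                Timestamped  = [bool] $sig.TimeStamperCertificate
                CertExpired  = $cert.NotAfter -lt (Get-Date)
                ShortLived   = $lifetime.TotalDays -le $MaxLifetimeDays
            }
        } |
        Where-Object { $_.ShortLived -or $_.Status -ne 'Valid' }
}

# Usage: review the hits, then feed confirmed-bad thumbprints to your EDR or AppLocker deny rules.
Get-ShortLivedSignerReport -Path "$env:USERPROFILE\Downloads" -MaxLifetimeDays 7 |
    Sort-Object LifetimeDays |
    Format-Table File, Status, Subject, LifetimeDays, Timestamped, CertExpired -AutoSize
```

A short validity window is a triage signal, not a verdict: some legitimate signing services also issue short-lived certificates, so confirm the subject and issuer against what you expect before blocking. Once a certificate is revoked, `Get-AuthenticodeSignature` will no longer report the signature as `Valid`, which is why the filter also keeps every non-Valid result regardless of lifetime.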

Evolution of the Attack Infrastructure

Over time, the threat group reportedly evolved its infrastructure to reduce operational friction for customers. Instead of manually submitting files for signing, clients were later provided with pre-configured virtual machines hosted on external cloud infrastructure, streamlining the malware delivery process.

This shift made it easier for cybercriminals to generate signed malicious binaries at scale while reducing exposure for the operators behind the service.

Links to Major Ransomware Families

Microsoft’s analysis indicates that the signed malware was distributed by multiple ransomware affiliates, including groups associated with Rhysida and other widely known families. These attacks often relied on social engineering tactics, including fake software advertisements and counterfeit download pages impersonating trusted brands.

In several cases, victims searching for legitimate tools were redirected to malicious sites where signed malware was delivered as a trusted installer.

Microsoft’s Response and Ongoing Countermeasures

The company stated that it has been actively revoking fraudulent certificates, disabling accounts linked to the operation, and collaborating with external partners to investigate and disrupt the infrastructure behind the campaign.

Microsoft also noted that it worked with a cooperative source to gain insight into the service before taking it down, allowing security teams to better understand how the system operated and how it could be dismantled.

A company representative emphasized that undermining trust in software signing systems is a critical security concern, as it directly affects how users and systems determine whether software is safe to execute.

Conclusion

The disruption of OpFauxSign highlights the growing sophistication of cybercriminal ecosystems that monetize the abuse of trust-based security systems. By abusing legitimate code-signing frameworks, attackers were able to significantly increase the credibility and reach of their malware campaigns. Microsoft’s takedown underscores the ongoing effort to protect digital trust mechanisms from exploitation and reduce the global impact of ransomware operations.
