Microsoft disrupted a significant malware-signing-as-a-service (MSaaS) operation on May 20, 2026. The group, identified as Fox Tempest, provided fraudulent code-signing certificates to make malicious software appear legitimate. Cybercriminals used this service to deploy ransomware families including Rhysida, Lumma Stealer, and Vidar.
The operation, codenamed OpFauxSign, involved seizing the group’s website and taking hundreds of virtual machines offline. Microsoft’s Digital Crimes Unit executed the disruption through legal action in the U.S. District Court for the Southern District of New York. The FBI and Europol collaborated with Microsoft in the enforcement effort.
The targeted cybercrime service had been active since at least May 2025. The operation supported attacks against critical sectors, including healthcare and education.