Microsoft Disrupts Fox Tempest Malware-Signing Service for Ransomware Gangs

Microsoft Disrupts Fox Tempest Malware-Signing Service for Ransomware Gangs

First seen 19 May 2026, 15:23 UTC Infosecurity-MagazineCyberscoopBlogs.MicrosoftNextgovTherecord.Media+25 90% similarity 71.0

Article Content

Browse articles
ThreatCluster

On May 19, 2026, Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) operation that provided over 1,000 fraudulent code-signing certificates to cybercriminals, enabling them to disguise malware as legitimate software. The operation, active since May 2025, abused Microsoft's Artifact Signing service, allowing ransomware groups like Rhysida and Vanilla Tempest to deploy malware undetected. Microsoft seized the signspace[.]cloud domain, revoked the certificates, and took down hundreds of virtual machines linked to the operation. The service facilitated attacks on various sectors, including healthcare and education, across multiple countries, including the US, France, and India. The disruption was part of a broader legal case filed in the US District Court for the Southern District of New York. Microsoft is collaborating with the FBI and Europol to identify the individuals behind Fox Tempest.

Key Points: • Microsoft disrupted Fox Tempest, a major malware-signing service used by ransomware groups. • The operation provided over 1,000 fraudulent certificates, enabling malware to appear legitimate. • Fox Tempest's activities impacted various sectors globally, including healthcare and education.

ThreatCluster AI

Timeline

2025-05-01
Fox Tempest operation begins
Fox Tempest started providing malware-signing services, abusing Microsoft's Artifact Signing system.
Infosecurity-Magazine
2026-05-19
Microsoft disrupts Fox Tempest
Microsoft seized the signspace[.]cloud domain and revoked over 1,000 fraudulent certificates used by Fox Tempest.
Bleepingcomputer
2026-05-19
Legal case unsealed against Fox Tempest
Microsoft filed a lawsuit in the US District Court for the Southern District of New York targeting Fox Tempest and its operations.
Cyberscoop
2026-05-19
Microsoft collaborates with law enforcement
Microsoft is working with the FBI and Europol to identify the individuals behind Fox Tempest.
Infosecurity-Magazine

Community

Browse all →